Sebastian Schulze created CASSANDRA-17470:
---------------------------------------------
Summary: Default directory permissions for /var/lib/cassandra
could be more restrictive
Key: CASSANDRA-17470
URL: https://issues.apache.org/jira/browse/CASSANDRA-17470
Project: Cassandra
Issue Type: Improvement
Reporter: Sebastian Schulze
I noticed that the default permissions for /var/lib/cassandra and everything
below seem to be "world readable", e.g. "{{{}drwxr-xr-x 6 cassandra
cassandra{}}}".
It might depend on the distribution / package used, but I can at least confirm
this for the official Cassandra Debian packages as well as the Docker
containers. Out of curiosity I compared it to Postgres and MySQL to see which
defaults they would opt for and they are
{{drwxr-x--- 2 mysql mysql 4.0K Mar 22 10:00 mysql}}
and respectively
{{drwx------ 19 postgres postgres 4.0K Mar 22 10:01 data}}
which is way more appropriate in my option. ([Here is a Gist with the script to
compare them|https://gist.github.com/bascht/31fa749d4121b9898902d5d557a01f82])
If there is no particular reason behind this, I would suggest that the default
packages should have stricter ulimits that restricts access to the data
directory to the cassandra user & group.
(See also this [mailing list
thread|https://lists.apache.org/thread/gyoqb4xnq4ry0c726f0ntz83rvn0w5kx])
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
