Re: [OT] /etc/machine-id "must not be exposed in untrusted environments"
On 2019-08-08 15:20 -0400, Marvin Renich wrote:
> This is related to the thread Generating new IDs for cloning, but is
> probably OT for this list. I guess this is really a question for
> systemd maintainers? Should I file a bug?
No.
> The man page for machine-id says:
>
> This ID uniquely identifies the host. It should be considered
> "confidential", and must not be exposed in untrusted environments, in
> particular on the network.
>
> Why is the file mode 0666?
0644, not 0666.
> Does it need to be non-root readable?
Presumably yes, since applications and services running as non-root will
likely want to access it.
> If so, how can it be prevented from being exposed on the network if
> there is any user access from the network? Is this really a security
> concern?
No, but it is a privacy concern, since exposing the file over the
network may allow tracking your machine.
https://github.com/systemd/systemd/pull/4645
https://superuser.com/questions/1214704/can-an-attacker-exploit-my-etc-machine-id
HTH,
Sven
Reply to: