Re: [OT] /etc/machine-id "must not be exposed in untrusted environments"

[Sven Joachim <svenjoac@gmx.de>]

On 2019-08-08 15:20 -0400, Marvin Renich wrote:

> This is related to the thread Generating new IDs for cloning, but is
> probably OT for this list.  I guess this is really a question for
> systemd maintainers?  Should I file a bug?

No.

> The man page for machine-id says:
>
>   This ID uniquely identifies the host. It should be considered
>   "confidential", and must not be exposed in untrusted environments, in
>   particular on the network.
>
> Why is the file mode 0666?

0644, not 0666.

> Does it need to be non-root readable?

Presumably yes, since applications and services running as non-root will
likely want to access it.

> If so, how can it be prevented from being exposed on the network if
> there is any user access from the network?  Is this really a security
> concern?

No, but it is a privacy concern, since exposing the file over the
network may allow tracking your machine.

https://github.com/systemd/systemd/pull/4645
https://superuser.com/questions/1214704/can-an-attacker-exploit-my-etc-machine-id

HTH,
    Sven