Description
When the admin panel generates .ovpn or .conf files for clients, the file permissions might be too permissive (e.g., 0644). Since these files contain private keys and sensitive certificates, this is a massive privilege escalation risk.
Proposed Solution
I propose updating the file generation logic to explicitly set file permissions to 0600 (read/write only for the owner) immediately upon creation, using os.chmod() or native OS commands before the files are served or stored.
I would love to work on this critical security issue under the GSSoC '24 program! Could you please assign it to me?
Description
When the admin panel generates
.ovpnor.conffiles for clients, the file permissions might be too permissive (e.g.,0644). Since these files contain private keys and sensitive certificates, this is a massive privilege escalation risk.Proposed Solution
I propose updating the file generation logic to explicitly set file permissions to
0600(read/write only for the owner) immediately upon creation, usingos.chmod()or native OS commands before the files are served or stored.I would love to work on this critical security issue under the GSSoC '24 program! Could you please assign it to me?