  1. Apache Cassandra
  2. CASSANDRA-17470

Default directory permissions for /var/lib/cassandra could be more restrictive


Details

    • Improvement
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • 5.0-alpha1, 5.0
    • Packaging
    • None

    Description

      I noticed that the default permissions for /var/lib/cassandra and everything below seem to be "world readable", e.g. "drwxr-xr-x 6 cassandra cassandra".

      It might depend on the distribution / package used, but I can at least confirm this for the official Cassandra Debian packages as well as the Docker containers. Out of curiosity I compared it to Postgres and MySQL to see which defaults they would opt for and they are

      drwxr-x--- 2 mysql mysql 4.0K Mar 22 10:00 mysql

      and respectively

      drwx------ 19 postgres postgres 4.0K Mar 22 10:01 data

      which is way more appropriate in my opinion. (Here is a Gist with the script to compare them)

      If there is no particular reason behind this, I would suggest that the default packages should have stricter ulimits that restrict access to the data directory to the cassandra user & group.

      (See also this mailing list thread)
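
A way to audit a data directory for the condition described in this ticket, and to tighten it to the owner-and-group-only layout shown above for MySQL. This is an added example, not the Gist linked in the description and not the project's packaging change; the function names are hypothetical and the directory tree in `demo` is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): find and remove "other" access
# on a Cassandra-style data directory such as /var/lib/cassandra.

# List every entry under $1 (including $1 itself) that grants read, write
# or execute to "other". Symlinks are skipped: their mode is always
# reported as rwxrwxrwx and says nothing about the target.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec ls -ld {} +
}

# Number of offending entries (one ls line per entry; assumes no file
# names containing newlines).
count_world_accessible() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# Drop all "other" bits, leaving owner and group bits untouched,
# e.g. drwxr-xr-x becomes drwxr-x---.
restrict_to_owner_group() {
    find "$1" ! -type l -exec chmod o-rwx {} +
}

# Constructed sample tree with the permissive modes reported in the ticket.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/data/ks1" "$root/commitlog"
    : > "$root/data/ks1/nb-1-big-Data.db"
    chmod 755 "$root" "$root/data" "$root/data/ks1" "$root/commitlog"
    chmod 644 "$root/data/ks1/nb-1-big-Data.db"

    echo "before: $(count_world_accessible "$root") world-accessible entries"
    world_accessible "$root"
    restrict_to_owner_group "$root"
    echo "after:  $(count_world_accessible "$root") world-accessible entries"
    rm -rf "$root"
}

demo
```

On a real node, run `world_accessible` against the data directory first and review the listing before calling `restrict_to_owner_group`, since any local account that relies on read access outside the cassandra user and group will lose it.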

          People

            brandon.williams Brandon Williams
            bascht Sebastian Schulze
            Brandon Williams
            Berenguer Blasi