Newly created configuration files are world readable #1131

Closed
opened 2026-04-06 01:37:09 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @pimlie on 5/18/2024

Subject of the issue

After setting up a new (Docker) instance of Vaultwarden, all configuration files/folders have 644/755 permissions.

Deployment environment

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.30.5
  • Web-vault version: v2024.1.2b
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.44.0
  • Clients used:
  • Reverse proxy and version:
  • Other relevant information:

Steps to reproduce

Start a new vaultwarden docker instance and mount the /data volume to a new folder

Expected behaviour

Vaultwarden configuration files should not be world readable; maybe don't even let groups have (write) access by default. So all files under /data should have at least 660/770 permissions, and maybe 640/750 or 600/700.

Actual behaviour

Vaultwarden configuration files are world readable

Troubleshooting data

/data$ ls -laF
total 308
drwxr-xr-x 6 root root   4096 May 18 13:48 ./
drwxr-xr-x 1 root root   4096 May 18 13:48 ../
drwxr-xr-x 2 root root   4096 May 18 13:48 attachments/
-rw-r--r-- 1 root root 249856 May 18 13:48 db.sqlite3
-rw-r--r-- 1 root root  32768 May 18 13:48 db.sqlite3-shm
-rw-r--r-- 1 root root      0 May 18 13:48 db.sqlite3-wal
drwxr-xr-x 2 root root   4096 May 18 13:48 icon_cache/
-rw-r--r-- 1 root root   1675 May 18 13:48 rsa_key.pem
-rw-r--r-- 1 root root    451 May 18 13:48 rsa_key.pub.pem
drwxr-xr-x 2 root root   4096 May 18 13:48 sends/
drwxr-xr-x 2 root root   4096 May 18 13:48 tmp/
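
A check an operator could run against the host folder backing `/data`, as an added example that is not part of the original issue or the Vaultwarden project: it lists every entry that grants any access to "other" and then applies the strictest modes the report proposes (600/700). The function names and the demo directory are constructed for illustration, and it assumes the server process runs as the owner of the files.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a Vaultwarden data directory.
# Source this file, then call the functions with the host path of the /data
# mount (the path is supplied by the caller; none is assumed here).

# List every file or directory under $1 that has any "other" permission bit set
# (read, write or execute), i.e. the 644/755 entries shown in the listing above.
audit_world_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of findings, so the check can be used in a script or a cron job.
count_world_access() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Apply the strictest option from the report: 700 on directories, 600 on files.
# Owner access is kept, so a server running as the owner still works.
harden_data_dir() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Build a constructed sample directory that mimics the reported modes
# (empty files, names taken from the listing). Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    mkdir "$d/attachments" "$d/sends"
    : > "$d/db.sqlite3"
    : > "$d/rsa_key.pem"
    chmod 755 "$d" "$d/attachments" "$d/sends"
    chmod 644 "$d/db.sqlite3" "$d/rsa_key.pem"
    printf '%s\n' "$d"
}
```

`chmod` only fixes entries that already exist; the mode of files created later still depends on what the creating process requests and on its umask.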
Reference: github/vaultwarden#1131