I have been digging into the config.xml and during this, I noticed that the /conf/config.xml file has world readable permissions. I also noticed that the incremental backups of the config file located in /conf/backup have inconsistent permissions. Some are 640 and some are 644.
Are these permissions correct?
(https://i.ibb.co/4111zs3/perms-conf.png)
(https://i.ibb.co/2dLwB9p/perms-conf-backup.png)
I think that 640 is an umask issue within configd/configctl executed scripts as witnessed by https://github.com/opnsense/core/commit/7a68bab0859 but benign enough to leave as is.
Historically 644 is required for e.g. OpenVPN authentication script to reach the user data in /conf/config.xml because OpenVPN doesn't run as root.
We are going to change that eventually, but in any case the use of shell access for non-admins is highly discouraged so that this particular issues does not matter.
Cheers,
Franco
Understood. Thanks for taking a look.