Package: graphite-web
Version: 1.0.2+debian-2

Configuration file /etc/graphite/local_settings.py is world-readable by default (644), which is bad because this file is meant to contain a secret password.

If the administrator is not extra careful, he will define a secret password but won't notice the file is world-readable by default. Best security practices include the principle of least privilege, thus this file should be chmod 600 or chmod 640.

$ ls -lah /etc/graphite/local_settings.py
-rw-r--r-- 1 root root 8.8K Sep 20 2015 /etc/graphite/local_settings.py

I verified the package file is indeed world-readable (644):

$ tar tJvf data.tar.xz | grep local_settings.py
-rw-r--r-- root/root 15537 2017-09-23 13:56 ./etc/graphite/local_settings.py

Extract of the file's content upon install:

#####################################
# General Configuration #
#####################################
# Set this to a long, random unique string to use as a secret key for this
# install. This key is used for salting of hashes used in auth tokens,
# CRSF middleware, cookie storage, etc. This should be set identically among
# instances if used behind a load balancer.
#SECRET_KEY = 'UNSAFE_DEFAULT'

Regards,
Guillaume
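The check and the fix the report asks for, as an added example that is not part of the bug report or of the graphite-web package: a small POSIX shell script that flags a settings file whose "others" permission bits are set and which carries an uncommented SECRET_KEY, then tightens it to 640. The file name, its contents and the temporary directory are constructed for the demonstration; the stat invocations cover GNU and BSD variants.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a settings file for
# world-accessible permissions and tighten it to 640 (owner rw, group r).
# The sample file below is constructed; the SECRET_KEY value is a dummy.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed when any "others" bit is set, i.e. the file is world-readable,
# world-writable or world-executable (last octal digit is non-zero).
world_accessible() {
    p=$(perm_of "$1")
    others=$(printf '%s' "$p" | tail -c 1)
    [ "$others" != "0" ]
}

# Succeed when the file holds an active (uncommented) SECRET_KEY assignment;
# the packaged default "#SECRET_KEY = ..." is commented out and does not match.
holds_secret() {
    grep -Eq '^[[:space:]]*SECRET_KEY[[:space:]]*=' "$1"
}

# Least-privilege fix proposed in the report: drop all "others" bits.
tighten() {
    chmod 640 "$1"
}

# Demo on a constructed copy of local_settings.py in a temporary directory.
# Returns 0 when the file was 644 before and 640 after the fix.
demo() {
    d=$(mktemp -d)
    f="$d/local_settings.py"
    printf '%s\n' "# General Configuration" \
        "SECRET_KEY = 'constructed-dummy-key'" > "$f"
    chmod 644 "$f"                       # reproduce the packaged default mode
    before=$(perm_of "$f")
    if world_accessible "$f" && holds_secret "$f"; then
        echo "WARN: $f is mode $before and contains an active SECRET_KEY"
        tighten "$f"
    fi
    after=$(perm_of "$f")
    echo "$f: $before -> $after"
    rm -rf "$d"
    [ "$before" = "644" ] && [ "$after" = "640" ]
}

demo
```

Run the functions against the real path once the package is installed (for example `world_accessible /etc/graphite/local_settings.py && holds_secret /etc/graphite/local_settings.py`) to get the warning on an unfixed system; 640 rather than 600 keeps the file readable by the group the web server process runs as, which is why the report offers both.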