Steps to replicate the issue (include links if applicable):
- Install MediaWiki
- Select sqlite as the DB type
- Use a data directory that already exists with lax permissions (If mediawiki creates the directory itself, it will be 700)
What happens?:
DB files are created in mode 644
bawolff@bawolff:/var/www/data$ ls -lah total 2.4M drwxr-xr-x 3 www-data www-data 4.0K Nov 8 05:56 . drwxr-xr-x 4 root root 4.0K Nov 8 05:41 .. -rw-r--r-- 1 www-data www-data 14 Nov 8 05:41 .htaccess drwxr-xr-x 2 www-data www-data 4.0K Nov 8 05:56 locks -rw-r--r-- 1 www-data www-data 12K Nov 8 05:41 my_wiki_jobqueue.sqlite -rw-r--r-- 1 www-data www-data 1.4M Nov 8 05:42 my_wiki_l10n_cache.sqlite -rw-r--r-- 1 www-data www-data 912K Nov 8 05:56 my_wiki.sqlite -rw-r--r-- 1 www-data www-data 28K Nov 8 05:56 wikicache.sqlite
What should have happened instead?:
The file mode should be 600 not 644.
This allows anyone on the system to read the DB contents, including password hashes, session information, IP addresses (if checkuser installed), (unencrypted) 2FA codes, user preferences, deleted pages, and any other private data in the DB.