
Restrict log access

Open mhellmeier opened this issue 3 years ago • 4 comments

When running the application, everyone can get detailed information like personal IP address, failures etc. by accessing the log files (just visit /log.json in a browser). Access to the log file should be restricted and only visible by admins.

mhellmeier, Aug 22 '21 13:08

I understand your point. Some thoughts on this:

  • Public IP address will be published anyways as A/AAAA record of your DNS. So this is actually intended behavior of the dyn DNS. So if this is just written in the log.json as well, I wouldn't mind.
  • The history of IP addresses on the other side, is sensible and shouldn't be in there - I agree
  • The other information: yes, could be discussed but not that sensible, but that's where you can disable the log functionality

Suggestion:

  • We add the htaccess as an example configuration but I wouldn't add it as a default file

fernwerker, Aug 24 '21 08:08

Thanks a lot for your response!

> We add the htaccess as an example configuration but I wouldn't add it as a default file

Since you are the owner of the project, it is your decision if you add it as a default case or not. In my opinion, restricted access should be the default case following the Privacy by Default principles. Otherwise, the following thought wouldn't be satisfied:

> The history of IP addresses on the other side, is sensible and shouldn't be in there - I agree

Moreover, I don't see the advantages of having a publicly available log.json file.

mhellmeier, Aug 24 '21 15:08

As said: intended use of this tool is to have my IP address publicly available and use it within DNS. Therefore having this information public is a must criteria otherwise the tool would be useless.

Reason for log.json file is:

  1. DNS is a slow system, therefore the update of an entry needs some time. If you need to have this information ASAP, you can look it up in the json.log
  2. If your DNS API or something else on DNS side fails, the json.log still holds your IP address

After you usually use this, when you are not in the subnet of the dynamic IP address this might be helpful.

If you don't need this, please use .env to turn logging and debugging off. Et voila, no more information.

I'll leave this open to investigate on the history a little further as soon as I find some time, because a feature to restrict historian access is necessary.

fernwerker, Aug 24 '21 17:08

Personal choice imho, as for the feature: I added a configuration script to my fork / PR that interactively asks you many of those questions. Also added a deny block for nginx users to the examples and as message in the script.

As for me, default should imho be to discourage public log access but inform and empower the user to do whatever they please.

NiiWiiCamo, Aug 22 '23 21:08
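
An htaccess example of the kind suggested in the thread, restricting `/log.json` either to nobody or to authenticated admins. This is an added example, not part of the thread and not a file from the project; it assumes Apache 2.4, and the `AuthUserFile` path and realm name are placeholders.

```apache
# .htaccess in the directory that serves log.json (Apache 2.4 syntax).
#
# The server configuration must allow these directives for this directory
# ("AllowOverride AuthConfig" or "AllowOverride All"). With "AllowOverride None"
# Apache ignores .htaccess entirely and log.json stays publicly readable.

# Variant 1: block all HTTP access to the log; read it on the server instead.
<Files "log.json">
    Require all denied
</Files>

# Variant 2 (use instead of variant 1): only authenticated admins may read it.
# Keep the password file outside the web root and create it with:
#   htpasswd -c /path/outside/webroot/.htpasswd admin
# Basic auth sends the password with every request, so serve this over HTTPS.
#<Files "log.json">
#    AuthType Basic
#    AuthName "ownDynDNS log"
#    AuthUserFile "/path/outside/webroot/.htpasswd"
#    Require valid-user
#</Files>

# Check from a machine outside your network after deploying:
#   curl -s -o /dev/null -w '%{http_code}\n' https://your-host.example/log.json
# Expect 403 for variant 1, or 401 without credentials for variant 2.
# A 200 means the rule is not being applied.
```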