[Security Risk] Security issue with mqtt client certificate keys
The problem
Since the migration to full mqtt ui configuration, all the fields (and specifically the certificates) are copied to .storage/core.config_entries
This file is world-readable, and I can see my mqtt client private key inside.
1st: I think we should keep the certificate in a file, with restricted permissions, and only reference the files in the config.
2nd: Obviously, this JSON database should be only readable by the homeassistant user.
For the 1st point, I understand why it is done like that (simpler to dump the certs directly here from the UI), and it is not a security risk (just a matter of preference).
Maybe I've misconfigured something (I didn't check if you do a umask first in the service startup script, for example).
Other files may be checked too (the cloud file also has some sensitive data).
I discovered this as I was migrating all my mqtt yaml configuration to the new format. I have an issue, by the way, with the new way. I'm dynamically generating client certificates at boot with a temporary key, and I don't need to expose the mqtt server. I believe that only advanced users need to understand how to generate a client certificate etc. (but I'm still thinking about how a newbie can safely use TLS without having to use the openssl command line). I'm very paranoid maybe :sweat_smile:
Anyway, love homeassistant, you are doing an amazing job
What version of Home Assistant Core has the issue?
2023-02
What was the last working version of Home Assistant Core?
No response
What type of installation are you running?
Home Assistant Core
Integration causing the issue
Core
Link to integration documentation on our website
No response
Diagnostics information
Maybe a review of the permissions in .storage directory is needed
Example YAML snippet
No response
Anything in the logs that might be useful for us?
No response
Additional information
No response
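Added example (not part of the issue report and not Home Assistant code): a small Python script that does the two things the report asks for, auditing a `.storage`-style directory for files readable by group or others, and writing secret material (a client key) to a file that is created with mode 0600 regardless of the process umask. The directory layout, file names and key contents are constructed placeholders; `mode_under_umask` shows why a service started with the default umask of 022 ends up with a world-readable `core.config_entries`.

```python
import os
import stat
import tempfile
from pathlib import Path


def mode_under_umask(requested: int, umask: int) -> int:
    """Permission bits a file actually gets when created with `requested` under `umask`.

    With the common default umask 022, a file opened with 0o666 becomes 0o644,
    i.e. readable by every local user.
    """
    return requested & ~umask


def world_readable_files(directory: str) -> list[str]:
    """Return relative paths of regular files under `directory` readable by group or others.

    This is the "review of the permissions in .storage" the report suggests.
    """
    found = []
    for path in Path(directory).rglob("*"):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            found.append(str(path.relative_to(directory)))
    return sorted(found)


def write_private_file(path: str, data: bytes) -> int:
    """Write `data` to `path` so that only the owner can read it; return the resulting mode bits.

    os.open with an explicit 0o600 mode is still subject to the umask, but the umask can
    only remove bits, so owner-only permissions survive. The chmod afterwards covers the
    case where the file already existed with looser permissions.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Build a constructed .storage directory, audit it, then fix it; return what was found."""
    root = tempfile.mkdtemp()
    storage = Path(root) / ".storage"
    storage.mkdir()

    # Constructed stand-in for core.config_entries with an inlined key, created the way a
    # service with umask 022 would create it (0o644).
    leaky = storage / "core.config_entries"
    leaky.write_text('{"data": {"mqtt": {"client_key": "CONSTRUCTED PLACEHOLDER KEY"}}}')
    os.chmod(leaky, 0o644)
    before = world_readable_files(str(storage))

    # Keep the key in its own owner-only file and reference that file from the config
    # instead of embedding the key material in the JSON database.
    key_mode = write_private_file(str(storage / "mqtt_client.key"), b"CONSTRUCTED PLACEHOLDER KEY\n")
    os.chmod(leaky, 0o600)  # and lock down the database itself
    after = world_readable_files(str(storage))

    return {"before": before, "key_mode": key_mode, "after": after}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `core.config_entries` as world-readable before the fix, a freshly written key file with mode 0600, and no findings afterwards. On a real installation the audit function can simply be pointed at the configuration directory's `.storage` path.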