FoseFx commented on issue #11426: URL: https://github.com/apache/apisix/issues/11426#issuecomment-2270550986
Can you elaborate which security risks you are worried about? If APISIX runs as a lower privileged user, it already cannot access privileged files, like `/etc/passwd`.

We have to make sure users who do not have access to a file can't abuse APISIX and then, for example, set the file contents as a response header, and thus steal the file content. Again, some of the protection comes from the OS here: if APISIX does not have access to the file, this can't happen. But there may be files APISIX should have access to, but someone else should not. In that case, they should not have access to the admin API / config file. I'm unfamiliar with the security model of the admin API, but my intuition is that someone with admin API access is able to do everything APISIX could do.

As a precaution, we could force APISIX to only load files owned by the same user the APISIX process is running as. This might be significantly limiting, as `chown` requires root permissions, and we might not want other users to `su` into the apisix user. Another approach would be explicit whitelisting of files (e.g., using a glob) in the APISIX server config file.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
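The two mitigations sketched in the comment above, an "only files owned by the process user" rule and an explicit glob allowlist from the server config, can be combined into one guard that a gateway consults before it reads any file path supplied through its admin API. The following Python is an added illustration written for this thread; it is not APISIX code and makes no claim about how APISIX loads files. The function names (`file_is_loadable`, `matches_allowlist`, `owned_by_process_user`) and the allowlist format (absolute-path globs, matched after symlink and `..` resolution) are assumptions of this example.

```python
"""Guard deciding whether a gateway may read a file named via its admin API.

Policy (both checks assumed for this example, not taken from any project):
  1. The resolved absolute path must match at least one configured glob.
  2. Optionally, the file must be owned by the uid the process runs as.
"""
import fnmatch
import os
import tempfile


def matches_allowlist(path: str, allowed_globs) -> bool:
    """True if the fully resolved path matches one of the allowed globs.

    realpath() collapses '..' segments and follows symlinks first, so a
    request for '/etc/apisix/certs/../../passwd' is compared as '/etc/passwd'.
    Note that fnmatch's '*' also matches '/', so write patterns as narrowly
    as the directory layout allows (e.g. '/etc/apisix/certs/*.pem').
    """
    resolved = os.path.realpath(path)
    return any(fnmatch.fnmatchcase(resolved, pattern) for pattern in allowed_globs)


def owned_by_process_user(path: str) -> bool:
    """True if the file exists and its owner uid equals our effective uid."""
    try:
        st = os.stat(path)  # follows symlinks, like the eventual open() would
    except OSError:
        return False
    return st.st_uid == os.geteuid()


def file_is_loadable(path: str, allowed_globs, require_same_owner: bool = True):
    """Return (allowed, reason). Deny by default; every denial names its cause."""
    if not matches_allowlist(path, allowed_globs):
        return False, "path not in allowlist"
    if require_same_owner and not owned_by_process_user(path):
        return False, "file not owned by process user"
    return True, "ok"


def demo():
    """Exercise the guard against a constructed temp directory.

    Returns a dict of the decisions so callers can inspect them.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)  # temp dirs may themselves be symlinked
        cert = os.path.join(base, "server.pem")
        with open(cert, "w") as fh:
            fh.write("-- constructed placeholder, not a real certificate --\n")

        return {
            # owned by us and inside the allowed directory: permitted
            "own_cert_in_allowlist": file_is_loadable(cert, [base + "/*.pem"]),
            # same file, but the operator's allowlist points elsewhere: denied
            "own_cert_not_in_allowlist": file_is_loadable(cert, ["/etc/apisix/*"]),
            # traversal out of an allowed directory is normalised away first
            "traversal_attempt": matches_allowlist(
                "/etc/apisix/certs/../../passwd", ["/etc/apisix/*"]
            ),
            # a path that does not exist fails the ownership check
            "missing_file": file_is_loadable(
                os.path.join(base, "absent.pem"), [base + "/*.pem"]
            ),
        }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The allowlist check runs first so that a path outside the configured directories is rejected without touching the filesystem at all; the ownership check then covers the case the comment raises, where the directory is allowed but a file inside it belongs to another user. Because `chown` needs root, an operator who cannot rearrange ownership can set `require_same_owner=False` and rely on the allowlist alone.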
