I’m not 100% certain of this as I’ve done a lot of things since I set this up but I have no recollection of changing the permissions on these folders, but the permissions on my userdata/etc folder only have permissions for user openhab. This means no other user (beyond root and openhab) can cd to, ls, or open any file in that folder.
So the permissions of the files in that folder do not really matter. They could be 777 yet still only openhab and root can get to them.
Clearly, it would be better practice to also make the files inside that folder be only user readable as well but it isn’t a huge security problem since the parent directory protects them.
Though I might add that in my configuration, the file is indeed only user readable.
I did not create these files nor have I changed any permissions on these files. Before this posting I didn’t know that they existed. This is all OH’s doing. So perhaps you are running with an older version of OH 2 or a userdata folder created with an older version of OH before these permissions were made more secure.
As for the docs being out of date, it does indeed need to be updated with instructions. The current sed command only works if you have not yet logged in to the console.
According to this from Karaf, when encryption is enabled (which it clearly is now), upon first login Karaf will replace the plain text password with an encrypted/hashed version of the password.
With encryption enabled, the password are encrypted at the first time an user logs in. The encrypted passwords are prefixed and suffixed with {CRYPT}. To re-encrypt the password, you can reset the password in clear (in etc/users.properties file), without the {CRYPT} prefix and suffix. Apache Karaf will detect that this password is in clear (because it’s not prefixed and suffixed with {CRYPT}) and encrypt it again.
Also note that the link above has instructions for how to set up authentication by key instead of password.
So I’m not an expert with sed, so I hesitate to recommend what the correct answer is (probably to manually edit so both cases can be handled with one instruction). Therefore I recommend:
sudo vi /var/lib/openhab2/etc/users.properties
Replace habopen or {CRYPT}bldoijsa;ofdijawfgma{CRYPT} with securePassword.
Finally, in reference to your permissions concerns, the fact that the password is hashed with a pretty good hashing algorithm (SHA-256, see org.apache.karaf.jaas.cfg in the same folder as users.properties) makes me a little less concerned that the file is readable. Obviously I would want to know more about whether the passwords are properly salted, etc. before I would be fully comfortable with that file being that visible.
But ultimately, if you are that concerned about the security of your karaf console login, you should use ssh keys instead of passwords anyway.
Created an Issue:
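
The "both cases with one instruction" edit discussed in the post above, as an added example that is not part of the original post or of the openHAB docs: one sed substitution that resets the password whether the field is still plain text or already wrapped in {CRYPT}, plus a check for which form is present. The function names are hypothetical, and the line format `user = password,role...` and a user name without regex metacharacters are assumptions.

```shell
#!/bin/sh
# Added example, not openHAB or Karaf code.
# Assumed line format: "<user> = <password>[,<role>...]"
#   e.g. "openhab = habopen,_g_:admingroup"

# Print "plain", "crypt" or "missing" for USER's password field in FILE.
karaf_password_state() {
    file=$1; user=$2
    line=$(grep -E "^${user}[[:space:]]*=" "$file" | head -n 1)
    [ -n "$line" ] || { echo missing; return 0; }
    # Field = text after "=" up to the first comma, trailing blanks removed.
    field=$(printf '%s\n' "$line" |
        sed -E 's/^[^=]*=[[:space:]]*([^,]*).*$/\1/; s/[[:space:]]*$//')
    case $field in
        '{CRYPT}'*'{CRYPT}') echo crypt ;;
        *) echo plain ;;
    esac
}

# Replace USER's password field in FILE with NEWPASS, in either form.
# Karaf re-encrypts the clear value at the next login (see the quote above).
set_karaf_password() {
    file=$1; user=$2; newpass=$3
    [ "$(karaf_password_state "$file" "$user")" != missing ] || return 1
    # A comma would be read as the start of the role list.
    case $newpass in *,*) return 1 ;; esac
    # Escape what is special in a sed replacement: \ & and the | delimiter.
    esc=$(printf '%s' "$newpass" | sed -e 's/[\\&|]/\\&/g')
    tmp=$(mktemp) || return 1
    # The sed script goes through stdin so the password never shows up
    # in a process argument list.
    printf '%s\n' "s|^(${user}[[:space:]]*=[[:space:]]*)[^,]*|\\1${esc}|" |
        sed -E -f /dev/stdin "$file" > "$tmp" &&
        cat "$tmp" > "$file"   # overwrite in place: owner and mode are kept
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage, run as root or openhab, reading the password without echo:
#   stty -echo; IFS= read -r pw; stty echo
#   set_karaf_password /var/lib/openhab2/etc/users.properties openhab "$pw"
#   karaf_password_state /var/lib/openhab2/etc/users.properties openhab
```

After the next console login, `karaf_password_state` should report `crypt`; if it still reports `plain`, encryption is not enabled in org.apache.karaf.jaas.cfg.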