Related to #52.
The current acquisition output uses default permissions which are more permissive than necessary for forensic evidence.
There are two phases to consider:
- During acquisition: directories are now created with 0o755 and files with 0o644. Changing these to 0o700 for directories and 0o600 for files, enough for the tool to write, but no group/world access.
- After lockdown (HashFiles): files already go to 0o400, but directories remain at their original permissions. They should go to 0o500 to complete the protection and owner being able to read and enter, but not add/delete/rename files.
Before submitting a PR, I would like to discuss:
- Are there known consumers that rely on current permissions? (For example, tools or scripts that expect group or world readable access to the acquisition folder?)
- Should the final lockdown also cover directories with 0o500 via a second walk after files are locked?
Happy to submit a patch if the approach makes sense.
Related to #52.
The current acquisition output uses default permissions which are more permissive than necessary for forensic evidence.
There are two phases to consider:
Before submitting a PR, I would like to discuss:
Happy to submit a patch if the approach makes sense.