Skip to content

backups: Backup data on disk can be read by any user

root@freedombox:/var/lib/plinth/backups-data# ls -al
total 40808
drwxr-xr-x 1 root   root        134 Nov 12 04:37 .
drwxr-xr-x 1 plinth plinth      156 Dec  6 09:22 ..
-rw-r--r-- 1 root   root        597 Dec  6 06:00 dynamicdns-settings.json
-rw-r--r-- 1 root   root   14438023 Nov 12 04:37 miniflux-database.sql
-rw-r--r-- 1 root   root   27333396 Dec  6 06:00 nextcloud-database.sql

I expect the database dumps have password hashes, rather than passwords, in most cases. But in the case of DynamicDNS settings, it does have a plaintext password.