fix(security): restrict biometric model file permissions to root-only

howdy/debian/postinst

@@ -189,6 +189,13 @@ print("CNN saved to config, CUDA " + ("enabled" if cuda_used else "disabled"))
 handleStatus(sc(["chmod 755 -R /lib/security/howdy/"], shell=True))
 handleStatus(sc(["chmod 755 -R /etc/howdy/"], shell=True))
 
+# Restrict biometric model files to root only
+models_dir = "/etc/howdy/models"
+if os.path.isdir(models_dir):
+	os.chmod(models_dir, 0o700)
+	for f in os.listdir(models_dir):
+		os.chmod(os.path.join(models_dir, f), 0o600)
+
 # Allow anyone to execute the python CLI
 os.chmod("/lib/security/howdy", 0o755)
 os.chmod("/lib/security/howdy/cli.py", 0o755)

howdy/src/cli/add.py

@@ -56,7 +56,7 @@
 # Make the ./models folder if it doesn't already exist
 if not os.path.exists(paths_factory.user_models_dir_path()):
 	print(_("No face model folder found, creating one"))
-	os.makedirs(paths_factory.user_models_dir_path())
+	os.makedirs(paths_factory.user_models_dir_path(), mode=0o700)
 
 # To try read a premade encodings file if it exists
 try:
@@ -209,6 +209,9 @@
 with open(enc_file, "w") as datafile:
 	json.dump(encodings, datafile)
 
+# Restrict permissions so only root can read the biometric model
+os.chmod(enc_file, 0o600)
+
 # Give let the user know how it went
 print(_("""\nScan complete
 Added a new model to """) + user)

howdy/src/cli/remove.py

@@ -86,4 +86,7 @@
 	with open(enc_file, "w") as datafile:
 		json.dump(new_encodings, datafile)
 
+	# Maintain restrictive permissions on the biometric model file
+	os.chmod(enc_file, 0o600)
+
 	print(_("Removed model {}").format(id))