Config.json world readable?

Hi,
I have just installed the latest version with Docker.
I have enabled the admin page and made some configuration (smtp).
After that I can see a config.json with all my config (and my SMTP password in plain text) in the data folder. Every file in this directory is world readable, including the config.json. The SMTP password is thus readable by everyone who accesses my system (OK, nobody except me should have access to it!).
Is this a feature?
Thanks!

So nobody can take a look at its config.json file?
Thanks!

Nobody? Maybe from the developer itself?

Hi @m121 thanks for the bump, missed this post.

This appears to be similar to a related post.

The config.json file is simply plain-text. It is up to you to ensure the directory is not publicly accessible through some configuration mishap (I have seen this here before) and that the files have pretty standard file level permissions for a vw-user service account of some kind.

Best practice would be to have a directory owned by a specific service user, have docker rootless run for that user with your Vaultwarden instance running as that user.
Even going so far as to have the /admin interface on some type of WAF reverse proxy and only restrict access for internal and VPN connectivity.

But that starts to get out of scope of this post.
Hope this info helps

Hi,
Thanks for your answer. As config.json is created by vaultwarden, I thought it could, at least, not be created as world readable. Maybe the docker volume should also be created with correct permissions. But I am not an expert in Docker :pensive:
I have already changed the permissions myself.
Thanks
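
An added example, not part of the thread and not Vaultwarden's own code: a shell script that audits a data directory for entries accessible to other local users and then strips group/other access, the file-level permission fix discussed above. It assumes the host directory backing the data volume is owned by the account the container runs as; the demo directory and its file contents are constructed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the data directory path is
# whatever host directory backs the container's data volume (an assumption).

# Print every entry under $1 whose mode grants read, write or execute to "other".
audit_world_access() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of such entries; 0 means no other local user can read or list anything.
count_world_access() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Remove all group and other access recursively. Owner bits are untouched, so
# directories stay traversable for the owning service account.
harden_data_dir() {
    chmod -R go-rwx "$1"
}

# Constructed demo: a throwaway directory that mimics the state reported above
# (directory 755, config.json 644 holding a secret).
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed sample secret\n' > "$d/config.json"
    chmod 755 "$d"
    chmod 644 "$d/config.json"
    echo "before: $(count_world_access "$d") entries open to other users"
    harden_data_dir "$d"
    echo "after:  $(count_world_access "$d") entries open to other users"
    ls -ld "$d" "$d/config.json"
    rm -rf "$d"
}

# Usage: sh check-perms.sh audit DIR | harden DIR ; no arguments runs the demo.
case "${1:-}" in
    audit)  audit_world_access "$2" ;;
    harden) harden_data_dir "$2" ;;
    *)      demo ;;
esac
```

Files created later inherit the creating process's umask, so re-run the audit after changing settings through the admin page.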