World-writable configuration files in /etc/config

On my RUT241 some of the configuration files in /etc/config are world-writable, which is quite worrying since any runaway process or hacking attempt can easily manipulate e.g. the firewall configuration:

BusyBox v1.34.1 (2025-03-20 06:46:32 UTC) built-in shell (ash)

     ____        _    ___  ____
    |  _ \ _   _| |_ / _ \/ ___|
    | |_) | | | | __| | | \___ \
    |  _ <| |_| | |_| |_| |___) |
    |_| \_\\__,_|\__|\___/|____/
-------------------------------------
     Teltonika RUT2M series 2025
-------------------------------------
   Device:     RUT241
   Kernel:     5.15.176
   Firmware:   RUT2M_R_00.07.13.3
   Build:      4321ec06d76
   Build date: 2025-03-20 15:59:57
-------------------------------------
root@RUT241:~# ls -l /etc/config
-rw-r--r--    1 root     root           299 Mar 20 06:46 buttons
-rw-rw-rw-    1 mobutils mobutils        63 Mar 20 06:46 call_utils
-rw-------    1 root     root           129 Mar 20 06:46 cli
-rw-r--r--    1 root     root            48 Mar 20 06:46 data_sender
-rw-------    1 root     root            43 Mar 20 06:46 dfota
-rw-------    1 dnsmasq  dnsmasq        642 Mar 20 06:46 dhcp
-rw-------    1 root     root           212 Mar 20 06:46 dropbear
-rw-------    1 root     root            49 Mar 20 06:46 event_juggler
-rw-rw-rw-    1 network  network       3905 Mar 20 06:46 firewall
-rw-r--r--    1 iosch    iosch           47 Mar 20 06:46 io_scheduler
-rw-r--r--    1 root     root           194 Jun 10 14:36 ioman
-rw-------    1 root     root           134 Mar 20 06:46 ip_blockd
-rw-------    1 root     root            82 Mar 20 06:46 ipsec
-rwxr-xr-x    1 root     root           155 Mar 20 06:46 mdcollectd
-rw-------    1 root     root            71 Mar 20 06:46 multi_wifi
-rw-rw-rw-    1 network  network       1353 Mar 20 06:46 mwan3
-rw-rw-rw-    1 network  network       1431 Mar 20 06:46 network
-rw-------    1 ntpclien ntpclien       399 Mar 20 06:46 ntpclient
-rwxr-xr-x    1 root     root            51 Mar 20 06:46 ntpserver
-rw-r--r--    1 root     root            46 Mar 20 06:46 openssl
-rw-------    1 root     root             0 Mar 20 06:46 openvpn
-rw-rw-rw-    1 gsm      gsm            308 Mar 20 06:46 operctl
-rw-r--r--    1 root     root             0 Mar 20 06:46 overview
-rwxr-xr-x    1 root     root            61 Mar 20 06:46 package_restore
-rw-r--r--    1 root     root           159 Mar 20 06:46 password_policy
-rw-r--r--    1 root     root            40 Mar 20 06:46 periodic_reboot
-rw-r--r--    1 root     root           228 Mar 20 06:46 ping_reboot
-rw-------    1 root     root             0 Mar 20 06:46 pptpd
-rw-------    1 root     root           216 Jun 10 14:34 profiles
-rw-rw-rw-    1 network  network         30 Mar 20 06:46 quota_limit
-rwxr-xr-x    1 root     root           940 Jun 10 14:36 rms_mqtt
-rw-------    1 root     root          2051 Mar 20 06:46 rpcd
-rw-------    1 root     root           144 Mar 20 06:46 rut_fota
-rw-rw-rw-    1 gsm      gsm             54 Mar 20 06:46 sim_switch
-rw-rw-rw-    1 gsm      gsm            155 Mar 20 06:46 simcard
-rw-rw-rw-    1 mobutils mobutils       551 Mar 20 06:46 sms_gateway
-rw-rw-rw-    1 mobutils mobutils      6160 Jun 10 14:36 sms_utils
-rw-r--r--    1 root     root           832 Jun 10 14:36 system
-rw-------    1 root     root          1349 Mar 20 06:46 uhttpd
-rw-r--r--    1 root     root             0 Mar 20 06:46 user_groups
-rwxr-xr-x    1 root     root           265 Mar 20 06:46 vuci
-rw-r--r--    1 root     root             0 Mar 20 06:46 widget
-rw-------    1 root     root           456 Mar 20 06:46 wireless
-rw-r--r--    1 root     root             0 Mar 20 06:46 xl2tpd

The current firmware version RUT2M_R_00.07.15 has more world-writable files, among them the SSH server configuration, which is even more troubling:

BusyBox v1.34.1 (2025-06-04 10:34:44 UTC) built-in shell (ash)

    ____        _    ___  ____
   |  _ \ _   _| |_ / _ \/ ___|
   | |_) | | | | __| | | \___ \
   |  _ <| |_| | |_| |_| |___) |
   |_| \_\\__,_|\__|\___/|____/
-----------------------------------
    Teltonika RUT2M series 2025
-----------------------------------
   Device:     RUT241
   Kernel:     5.15.180
   Firmware:   RUT2M_R_00.07.15
   Build:      18a177b964b
   Build date: 2025-06-04 13:00:37
-----------------------------------
root@RUT241:~# ls -l /etc/config/
-rw-r--r--    1 root     root           299 Mar 20 06:46 buttons
-rw-rw-r--    1 mobutils mobutils        63 Mar 20 06:46 call_utils
-rw-rw----    1 certific certific       223 Jun 10 14:37 certificates
-rw-rw-rw-    1 shellina shellina       129 Mar 20 06:46 cli
-rw-rw-r--    1 ds       ds              48 Mar 20 06:46 data_sender
-rw-------    1 dfota    dfota           43 Mar 20 06:46 dfota
-rw-rw-rw-    1 dnsmasq  dnsmasq        642 Mar 20 06:46 dhcp
-rw-rw-rw-    1 dropbear dropbear       212 Mar 20 06:46 dropbear
-rw-rw-r--    1 juggler  juggler         49 Mar 20 06:46 event_juggler
-rw-rw-rw-    1 network  network       3905 Jun 10 14:37 firewall
-rw-r--r--    1 1003     1003            47 Mar 20 06:46 io_scheduler
-rw-rw-rw-    1 ioman    ioman          194 Jun 10 14:36 ioman
-rw-rw-rw-    1 ip_block ip_block       134 Mar 20 06:46 ip_blockd
-rw-------    1 root     root            82 Mar 20 06:46 ipsec
-rw-rw-rw-    1 mdcollec mdcollec       155 Mar 20 06:46 mdcollectd
-rw-rw-rw-    1 root     root            71 Mar 20 06:46 multi_wifi
-rw-rw-rw-    1 network  network       1353 Mar 20 06:46 mwan3
-rw-rw----    1 network  network       1431 Mar 20 06:46 network
-rw-rw-r--    1 ntpclien ntpclien       399 Mar 20 06:46 ntpclient
-rwxr-xr-x    1 ntp      ntp             51 Mar 20 06:46 ntpserver
-rw-r--r--    1 root     root            46 Mar 20 06:46 openssl
-rw-rw-r--    1 openvpn  openvpn          0 Mar 20 06:46 openvpn
-rw-rw----    1 gsm      gsm            308 Mar 20 06:46 operctl
-rw-r--r--    1 root     root             0 Mar 20 06:46 overview
-rwxr-xr-x    1 root     root            61 Mar 20 06:46 package_restore
-rw-r--r--    1 root     root           159 Mar 20 06:46 password_policy
-rw-rw-r--    1 preboot  preboot         40 Mar 20 06:46 periodic_reboot
-rw-rw-r--    1 preboot  preboot        228 Mar 20 06:46 ping_reboot
-rw-------    1 root     root             0 Mar 20 06:46 pptpd
-rw-rw-rw-    1 profiler profiler       216 Jun 10 14:34 profiles
-rw-rw-rw-    1 network  network         30 Mar 20 06:46 quota_limit
-rw-rw-rw-    1 rms      rms            940 Jun 10 14:46 rms_mqtt
-rw-rw-rw-    1 rpcd     rpcd          2051 Jun 10 14:36 rpcd
-rw-rw-rw-    1 rut_fota rut_fota       144 Mar 20 06:46 rut_fota
-rw-rw----    1 gsm      gsm             54 Mar 20 06:46 sim_switch
-rw-rw----    1 gsm      gsm            155 Mar 20 06:46 simcard
-rw-rw-r--    1 mobutils mobutils       551 Jun 10 14:37 sms_gateway
-rw-rw-r--    1 mobutils mobutils      6160 Jun 10 14:36 sms_utils
-rw-rw-r--    1 root     system         849 Jun 10 14:46 system
-rw-rw-r--    1 uhttpd   uhttpd        1349 Mar 20 06:46 uhttpd
-rw-r--r--    1 root     root             0 Mar 20 06:46 user_groups
-rwxr-xr-x    1 root     root           265 Mar 20 06:46 vuci
-rw-r--r--    1 root     root             0 Mar 20 06:46 widget
-rw-rw----    1 network  network        456 Mar 20 06:46 wireless
-rw-r--r--    1 xl2tpd   xl2tpd           0 Mar 20 06:46 xl2tpd

Also, why some of these configuration files have executable permission is anyone’s guess. They really should not be.

Possibly related are the following errors that appear when restoring a backup from the command line:

root@RUT241:/usr/local/home/root# sysupgrade -r /tmp/backup.tar.gz
Tue Jun 10 14:56:06 UTC 2025 upgrade: Restoring config files...
Command failed: Not found
cp: can't stat '': No such file or directory
sh: /lib/functions/backup.sh: line 310: can't open : no such file
cp: can't stat '': No such file or directory
sh: /lib/functions/backup.sh: line 310: can't open : no such file
cp: can't stat '/tmp/passwd_merged': No such file or directory
cp: can't stat '/tmp/shadow_merged': No such file or directory
Error: Failed to set ownership for /etc/shadow
Error: Failed to set ownership for /etc/config/event_juggler
Error: Failed to set ownership for /etc/config/ntpclient
Error: Failed to set ownership for /etc/config/data_sender
Error: Failed to set ownership for /etc/config/periodic_reboot
Error: Failed to set ownership for /etc/config/ping_reboot
Error: Failed to set ownership for /etc/rms_mqtt
Error: Failed to set ownership for /etc/config/uhttpd
Error: Failed to set ownership for /etc/config/openvpn
Error: Failed to set ownership for /etc/xl2tpd
Error: Failed to set ownership for /tmp/resolv.conf.ppp
Error: Failed to set ownership for /etc/ppp
Error: Failed to set ownership for /etc/config/ioman
Error: Failed to set ownership for /etc/config/certificates
Error: Failed to set ownership for /etc/config/dropbear
Error: Failed to set ownership for /etc/config/ip_blockd
Error: Failed to set ownership for /usr/local/share/ip_block
Error: Failed to set ownership for /usr/local/lib/mdcollectd
Error: Failed to set ownership for /usr/local/lib/mdcollectd/mdcollectd.db_new.gz
Warning: Path does not exist: /tmp/.uci/sim_switch
Warning: Path does not exist: /tmp/.uci/simcard
Error: Failed to set ownership for /etc/config/operctl
Error: Failed to set ownership for /etc/config/simcard
Error: Failed to set ownership for /etc/config/sim_switch
Error: Failed to set ownership for /etc/lpac_config.json
Error: Failed to set ownership for /tmp/mobile
Error: Failed to set ownership for /etc/config/sms_gateway
Error: Failed to set ownership for /etc/config/call_utils
Error: Failed to set ownership for /etc/config/sms_utils
Error: Failed to set ownership for /etc/config/profiles
Error: Failed to set ownership for /etc/config/rpcd
Error: Failed to set ownership for /etc/config/rut_fota
Error: Failed to set ownership for /etc/TN_RUT_FOTA_CA.pem
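The check a practitioner would run against a listing like the one above, as an added example that is not part of the original post and not Teltonika's own code: a small POSIX sh/awk filter that takes `ls -l` output, reports regular files writable by "others" (the 9th character of the mode field) and files with any execute bit, and prints, without applying, the `chmod` commands that would remove those bits. A constructed excerpt of the listing is embedded so it runs offline; the directory passed to `remediation_plan` and the `audit_dir` wrapper are assumptions of the example.

```shell
#!/bin/sh
# Constructed sample: a few lines copied from the ls -l listings in the post.
# Names in /etc/config contain no spaces, so $NF (last field) is the file name.
SAMPLE_LISTING='-rw-r--r--    1 root     root           299 Mar 20 06:46 buttons
-rw-rw-rw-    1 dropbear dropbear       212 Mar 20 06:46 dropbear
-rw-rw-rw-    1 network  network       3905 Jun 10 14:37 firewall
-rwxr-xr-x    1 ntp      ntp             51 Mar 20 06:46 ntpserver
-rw-rw----    1 network  network       1431 Mar 20 06:46 network'

# Regular files ('-' in column 1) whose "others" write bit (column 9) is set.
world_writable() {
    awk 'substr($1,1,1) == "-" && substr($1,9,1) == "w" { print $NF }'
}

# Regular files with any execute bit set (columns 4, 7 or 10 are 'x';
# setuid/setgid/sticky variants 's'/'t' would need an extra pattern).
executable_files() {
    awk 'substr($1,1,1) == "-" && $1 ~ /x/ { print $NF }'
}

# Print (do not run) the chmod commands that drop others-write and all
# execute bits. $1 is the directory the listing came from (assumed).
remediation_plan() {
    awk -v dir="$1" '
        substr($1,1,1) == "-" && (substr($1,9,1) == "w" || $1 ~ /x/) {
            printf "chmod o-w,a-x %s/%s\n", dir, $NF
        }'
}

# On the device itself (BusyBox ls, as in the post): audit a live directory.
audit_dir() {
    ls -l "$1" | world_writable
}

# Demonstration on the constructed sample.
echo "world-writable:"
printf '%s\n' "$SAMPLE_LISTING" | world_writable
echo "executable:"
printf '%s\n' "$SAMPLE_LISTING" | executable_files
echo "proposed fixes (review before running):"
printf '%s\n' "$SAMPLE_LISTING" | remediation_plan /etc/config
```

On the sample this flags `dropbear` and `firewall` as world-writable and `ntpserver` as executable, and prints three `chmod` lines. Printing the plan instead of applying it keeps the review step explicit, which matters on a vendor firmware where a later sysupgrade or restore may reset ownership and modes anyway.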

Hello,

To clarify, all files within /etc/config/ are system configuration files that have always been writable by the root user. The permission settings you’re seeing reflect the ownership and access rights required by various system processes and applications to manage their respective configurations.

Regarding the sysupgrade process and the errors you encountered while restoring a backup, could you please confirm whether the backup was generated on the identical RUT241 device using the same firmware version, or at least an older one? It’s important to note that backup files created on devices running newer firmware cannot be reliably restored to devices with older firmware versions.

If any additional questions come up, please don’t hesitate to reach out.

Best regards,

> To clarify, all files within /etc/config/ are system configuration files that have always been writable by the root user. The permission settings you’re seeing reflect the ownership and access rights required by various system processes and applications to manage their respective configurations.

Thank you for the explanation, but it is not necessary. I have decades of experience working with Unix systems.

The permission settings I am seeing do not reflect requirements, they are a symptom of insecure system design. The SSH server configuration must never be world-writable.

> Regarding the sysupgrade process and the errors you encountered while restoring a backup, could you please confirm whether the backup was generated on the identical RUT241 device using the same firmware version, or at least an older one? It’s important to note that backup files created on devices running newer firmware cannot be reliably restored to devices with older firmware versions.

This is a RUT241 directly after a factory reset. I created and then restored a backup and get many of the same errors:

BusyBox v1.34.1 (2025-06-04 10:34:44 UTC) built-in shell (ash)

    ____        _    ___  ____
   |  _ \ _   _| |_ / _ \/ ___|
   | |_) | | | | __| | | \___ \
   |  _ <| |_| | |_| |_| |___) |
   |_| \_\\__,_|\__|\___/|____/
-----------------------------------
    Teltonika RUT2M series 2025
-----------------------------------
   Device:     RUT241
   Kernel:     5.15.180
   Firmware:   RUT2M_R_00.07.15
   Build:      18a177b964b
   Build date: 2025-06-04 13:00:37
-----------------------------------
root@RUT241:~# sysupgrade -b /tmp/backup.tar.gz
Wed Jun  4 10:38:09 UTC 2025 upgrade: Saving config files...

root@RUT241:~# sysupgrade -r /tmp/backup.tar.gz
Wed Jun  4 10:38:16 UTC 2025 upgrade: Restoring config files...
cp: can't stat '': No such file or directory
sh: /lib/functions/backup.sh: line 310: can't open : no such file
cp: can't stat '': No such file or directory
sh: /lib/functions/backup.sh: line 310: can't open : no such file
cp: can't stat '/tmp/passwd_merged': No such file or directory
cp: can't stat '/tmp/shadow_merged': No such file or directory

The existence of this significant security problem as well as the reluctance of your support team to understand and communicate the problem to the engineering team raises significant concerns about whether this Teltonika product is fit for enterprise adoption and if we should continue to deploy and recommend the product to our teams and customers.

Problems like this are not to be explained away. They exist and need to be fixed. This is a networking product bridging untrusted and trusted networks. At the network boundary especially, hollowing out the product’s security by weakening the system integrity is undeniably a significant security concern.

Good afternoon,

Thank you very much for sharing your insights and for raising your concerns regarding the world-writable configuration files and related security implications.

Please be assured that your observations have been forwarded to our R&D development team for thorough review and analysis. I will follow up and get back to you as soon as we have any feedback or updates regarding this matter.

Thank you for your patience and understanding.

Best regards,

Hello,

Thank you for your patience.

Regarding the issue with the backup, our R&D team has confirmed that this will be addressed in the upcoming 7.15.1 hotfix, which is expected to be released soon.

As for the configuration files having read/write permissions for others, the R&D team is already aware of this and has been actively working toward removing root access for configuration management. This is part of an ongoing effort to further strengthen system integrity, and it’s planned to be fully resolved with the 7.17 release.

We sincerely appreciate your input, understanding, and patience.

Best regards,