E1003 -- config.yaml is world-readable
Severity: ERROR. Run chmod 600 ~/.controlzero/config.yaml to fix.
What happened
controlzero doctor found that ~/.controlzero/config.yaml has POSIX
permissions other than 0600 (owner-only read/write). The file holds
your Control Zero API key in plaintext, which is now readable to other
local users on the machine.
Why it matters
This is the same incident class as E1001 (API key in agent settings file). The key exposure here is on disk rather than echoed to stderr, but the consequences are identical:
- Any process running as another local user can read the key.
- Backup tools, log shippers, or shared filesystem snapshots may capture the key off-machine.
- A compromised package or browser extension running under any local user can exfiltrate it.
How to fix
chmod 600 ~/.controlzero/config.yaml
Then rotate the key in the dashboard (Settings -> API Keys ->
Revoke and create new) and update config.yaml with the new value.
The old key may already be in backups, swap files, or other on-disk
artifacts that the chmod cannot retroactively secure.
After rotating the key and running chmod, run controlzero doctor to
confirm the ERROR is gone.
When this happens
Most common causes:
- The file was created or restored by a backup tool that reset perms.
- A teammate with sudo ran controlzero install as root and the file landed owned by root with permissive perms.
- A pre-1.5.3 install path created the file before the explicit chmod 0600 was added.
controlzero install <agent> on 1.5.3+ sets 0600 on the file at
every install. If doctor keeps reporting this on a machine that
re-runs install, check whether something is resetting perms after
install.
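The check described on this page, extended to the root-owned case from the causes list, as an added example (not Control Zero's own code): chmod fails for a non-owner, so the function reports ownership before mode. The names cz_stat and cz_audit_config and the optional expected-uid argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Control Zero's code. Names cz_stat / cz_audit_config are hypothetical.
# Prints one of: ok | missing | stat-failed | owner:<uid> | mode:<octal>.
# Returns 0 only for "ok".

cz_stat() {
    # GNU coreutils form first, BSD/macOS form second; prints "<octal mode> <owner uid>".
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1" 2>/dev/null
}

cz_audit_config() {
    file=$1
    want_uid=${2:-$(id -u)}   # assumption: the file should belong to the calling user

    [ -e "$file" ] || { echo "missing"; return 2; }

    set -- $(cz_stat "$file")
    mode=${1:-} uid=${2:-}
    [ -n "$mode" ] || { echo "stat-failed"; return 2; }

    # Ownership first: chmod by a non-owner fails, which is the
    # "installed with sudo, file owned by root" case.
    if [ "$uid" != "$want_uid" ]; then
        echo "owner:$uid"
        echo "fix: sudo chown $want_uid '$file' && chmod 600 '$file'" >&2
        return 1
    fi

    # Anything other than 600 is what doctor reports as E1003.
    if [ "$mode" != "600" ]; then
        echo "mode:$mode"
        echo "fix: chmod 600 '$file', then rotate the key" >&2
        return 1
    fi

    echo "ok"
}

# Run against a path given on the command line, e.g. ~/.controlzero/config.yaml
if [ "$#" -gt 0 ]; then
    cz_audit_config "$1"
fi
```

Running it from cron or a shell hook after backups and restores records when the mode or owner changes, which helps narrow down what is resetting perms after install.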
Related
- E1001 -- API key found in agent settings file
- E1002 -- ~/.controlzero directory is world-readable
- E1004 -- API key found in shell history