GNOME Bugzilla – Bug 581604
Permissions on mail/local folders are too open
Last modified: 2010-03-25 10:01:08 UTC
Please describe the problem:
Hi, it seems that the default permissions on the local mail folders are set to 755, which means that, by default, other users on the system might be able to read one's mail. At least the imap mail folder is 700, but local, config, vfolder and views are 755, so it'd be nice to have a consistent scheme. The same would apply to .evolution and .evolution/{mail,addressbook,calendar,…}
Adding links for reference.
CVE links:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1631
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1631
Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409
RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=498648
Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=270334
As I stated in the Red Hat bug, I don't think this warrants a CVE. It's only an issue if you open up your home directory to other users, and in doing so you've already lost any security or privacy guarantees. In any case, the best we can do for existing installs is reset the ~/.evolution permissions to 700.
That and for the various subfolders, I guess it's not really costly. What's the status on this one? On 2.28 it seems the existing permissions aren't reset (not sure about the new ones).
Created attachment 151934: evo part of the patch
If the permissions for ~/.evolution are open, it changes the permissions for all internal folders; otherwise it skips.
Created attachment 151935: eds part of the changes
Thanks for taking care of this, Chen! Both patches look good.
Thanks Matt :) Pushed to master. Will push it to stable branch as well.
Does this mean it'll be in 2.30?
Yves, yes.
Fixed as per comment #7. No use pushing it to 2.28.x. Works good on 2.30.x. Closing.
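The behaviour described for the patch in this thread (tighten everything under ~/.evolution only when the top-level directory is open to group or other, otherwise skip), written as an added shell example for auditing an existing install; it is not the Evolution or evolution-data-server patch. It assumes GNU find, and the function names and the `--fix` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not the Evolution/EDS patch). Assumes GNU find.
# Function names and the --fix switch are hypothetical.

# True if the path itself grants any permission bit to group or other.
is_open() {
    [ -n "$(find "$1" -maxdepth 0 -perm /077)" ]
}

# Print "mode path" for every entry under $1 that group or other can
# read, write or traverse. Symlinks are skipped: their own mode is not
# meaningful and chmod would follow them to the target.
audit_tree() {
    find "$1" ! -type l -perm /077 -printf '%m %p\n'
}

# Returns 0 if the tree was tightened, 1 if it was skipped because the
# top-level directory was already private, 2 if it does not exist.
tighten_tree() {
    root=$1
    [ -d "$root" ] || return 2
    # A top-level directory without group/other bits already blocks
    # traversal into everything below it, so nothing needs changing.
    is_open "$root" || return 1
    # Strip group/other bits only: 755 becomes 700, 644 becomes 600.
    find "$root" ! -type l -perm /077 -exec chmod go-rwx {} +
}

# Usage: script --fix [directory]   (defaults to ~/.evolution)
if [ "${1:-}" = "--fix" ]; then
    tighten_tree "${2:-$HOME/.evolution}"
fi
```

Run `audit_tree` first to see what would change; an empty listing means no entry under the directory is reachable by other local users through its own mode bits.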