GNOME Bugzilla – Bug 792675
Creates .config directory with world readable permissions
Last modified: 2018-04-09 09:28:18 UTC
The bug was reported on https://bugs.launchpad.net/ubuntu/+source/session-migration/+bug/1735929 as a security-sensitive problem. It would be safer to have the user configuration be "0700" (restricted access to the owner). https://git.gnome.org/browse/gnome-session/tree/gnome-session/gsm-util.c#n98
sure, but the same could be said of the home directory itself... I mean, isn't this more a question of default umask?
Right, I think our security team would like to change the default for user directories as well; the current permissions have been chosen to allow local users to share content. Even if the issue exists with other directories, there is no reason to not make the situation a bit better and restrict the access to the config directory, right?
probably the best approach is to lock everything but ~/Public down. I'm pretty much okay with pushing a patch to change this (although not thrilled), if you got one, but it seems like it's fixing things in the wrong place.
Created attachment 370585: create the config directory as 700. Right, that's not a robust solution or the best way to solve that issue, but it's an improvement over the current situation. Note that the directory was created with 0700 as permission on Ubuntu under Unity and our security team considers the change of permission as a regression. Thanks for considering the simple change, it shouldn't create any problem and makes things slightly better.
Created attachment 370586: create the config directory as 700 (same without typo)
Review of attachment 370586: sure, whatevers.
thanks commit 010d9dae
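Added example, not part of the bug thread or of gnome-session: a small C program showing the two points raised above, that the mode passed to mkdir() is filtered by the umask, and that an explicit 0700 only takes effect when the directory is first created. The function names, the temporary path and the mode/umask pairs are constructed for illustration; tightening an already existing directory goes beyond what the attached patch does.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Tighten an existing directory we own to 0700. A mode passed to mkdir()
 * only applies on creation, so directories made earlier keep their old bits. */
static int tighten_dir(const char *path)
{
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW); /* refuse symlinks */

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && st.st_uid == geteuid())
        rc = (st.st_mode & 077) ? fchmod(fd, 0700) : 0;
    close(fd);
    return rc;
}

/* Constructed demo: create <tmpdir>/.config with `requested` under umask
 * `mask`, optionally tighten it, and return the resulting permission bits. */
int demo_config_mode(mode_t requested, mode_t mask, int tighten)
{
    char base[] = "/tmp/cfgdemo-XXXXXX", child[64];
    struct stat st;
    int perms = -1;

    if (!mkdtemp(base))
        return -1;
    snprintf(child, sizeof child, "%s/.config", base);
    mode_t old = umask(mask);
    int made = mkdir(child, requested);   /* kernel applies requested & ~mask */
    umask(old);
    if (made == 0 && (!tighten || tighten_dir(child) == 0) && stat(child, &st) == 0)
        perms = st.st_mode & 0777;
    rmdir(child);
    rmdir(base);
    return perms;
}

int main(void)
{
    printf("0777, umask 022 -> %04o\n", demo_config_mode(0777, 022, 0));
    printf("0700, umask 022 -> %04o\n", demo_config_mode(0700, 022, 0));
    printf("0777, umask 022, tightened -> %04o\n", demo_config_mode(0777, 022, 1));
    return 0;
}
```

A restrictive umask such as 077 gives the same result as requesting 0700, which is the "fix it in the umask" position from the thread; requesting 0700 explicitly gives it regardless of the umask.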