After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 792677 - Creates .config directory with world readable permissions
Creates .config directory with world readable permissions
Status: RESOLVED FIXED
Product: dconf
Classification: Core
Component: dconf
git master
Other Linux
: Normal normal
: ---
Assigned To: dconf-maint
dconf-maint
Depends on:
Blocks:
 
 
Reported: 2018-01-19 10:28 UTC by Sebastien Bacher
Modified: 2018-04-17 15:00 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Create the directory not world readable (1.40 KB, patch)
2018-03-29 09:03 UTC, Sebastien Bacher
committed Details | Review

Description Sebastien Bacher 2018-01-19 10:28:24 UTC
The bug was reported on https://bugs.launchpad.net/ubuntu/+source/session-migration/+bug/1735929 as a security sensitive problem

It would be safer to have the user configuration to be "0700" (restricted access to the owner)

https://git.gnome.org/browse/dconf/tree/service/dconf-keyfile-writer.c#n209
https://git.gnome.org/browse/dconf/tree/service/dconf-gvdb-utils.c#n177
Comment 1 Sebastien Bacher 2018-03-29 09:03:35 UTC
Created attachment 370286 [details] [review]
Create the directory not world readable
Comment 2 Iain Lane 2018-04-13 10:46:51 UTC
Review of attachment 370286 [details] [review]:

This is a bit of whack-a-mole but it makes sense to try to fix each case I think.

The XDG basedir spec <https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html> says "If, when attempting to write a file, the destination directory is non-existant an attempt should be made to create it with permission 0700".

I'm not the maintainer but I think that desrt isn't so active ATM so marking this a-c_n is probably OK.