GNOME Bugzilla – Bug 792677
Creates .config directory with world readable permissions
Last modified: 2018-04-17 15:00:44 UTC
The bug was reported on https://bugs.launchpad.net/ubuntu/+source/session-migration/+bug/1735929 as a security sensitive problem.

It would be safer to have the user configuration be "0700" (restricted access to the owner).

https://git.gnome.org/browse/dconf/tree/service/dconf-keyfile-writer.c#n209
https://git.gnome.org/browse/dconf/tree/service/dconf-gvdb-utils.c#n177
Created attachment 370286
Create the directory not world readable
Review of attachment 370286:

This is a bit of whack-a-mole but it makes sense to try to fix each case I think. The XDG basedir spec <https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html> says "If, when attempting to write a file, the destination directory is non-existant an attempt should be made to create it with permission 0700".

I'm not the maintainer but I think that desrt isn't so active ATM so marking this a-c_n is probably OK.
https://git.gnome.org/browse/dconf/commit/?id=e01be93304fdff9e4c5109ae50f1bc9e64524b0b
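The permission difference this bug is about, as an added example (not dconf's code and not the attached patch): it creates a `.config/dconf` tree under a typical umask of 022 and reports the mode `.config` ends up with, including the case where the directory already exists. The scratch path, the function names and the 0777 "before" mode are assumptions made for the demonstration; the page does not show the original argument.

```c
#define _XOPEN_SOURCE 700 /* for mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Permission bits of a directory, or -1 if path is not a directory. */
static int dir_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (int)(st.st_mode & 07777);
}

/* Create each missing component of path with `mode`; existing ones keep theirs. */
static int mkdir_parents(const char *path, mode_t mode) {
    char buf[512];
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof buf) return -1;
    memcpy(buf, path, len + 1);
    for (char *p = buf + 1;; p++) {
        if (*p != '/' && *p != '\0') continue;
        char saved = *p;
        *p = '\0';                 /* cut the path at this component */
        if (mkdir(buf, mode) != 0 && dir_mode(buf) < 0) return -1;
        if (saved == '\0') return 0;
        *p = saved;
    }
}

/* Build <scratch>/.config/dconf under umask 022; return the mode of .config.
 * A nonzero preexisting_mode creates .config first, as another program might. */
static int config_mode_after(mode_t create_mode, mode_t preexisting_mode) {
    char base[] = "/tmp/xdg-demo-XXXXXX", conf[64], leaf[80]; /* constructed paths */
    if (mkdtemp(base) == NULL) return -1;
    snprintf(conf, sizeof conf, "%s/.config", base);
    snprintf(leaf, sizeof leaf, "%s/dconf", conf);
    mode_t old = umask(022);
    if (preexisting_mode) mkdir(conf, preexisting_mode);
    int mode = mkdir_parents(leaf, create_mode) == 0 ? dir_mode(conf) : -1;
    umask(old);
    rmdir(leaf); rmdir(conf); rmdir(base);   /* remove the scratch tree */
    return mode;
}

int main(void) {
    printf("new, created 0777:      %04o\n", (unsigned)config_mode_after(0777, 0));
    printf("new, created 0700:      %04o\n", (unsigned)config_mode_after(0700, 0));
    printf("existing 0755, then 0700: %04o\n", (unsigned)config_mode_after(0700, 0755));
    return 0;
}
```

The third case shows why the review calls this whack-a-mole: a 0700 creation mode only helps when this code is the one that creates the directory, so a `.config` already made world readable by something else stays that way until it is chmod'ed.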