Project

General

Profile

Bug #804

Quassel database should not be world-readable

Added by milian over 15 years ago. Updated about 15 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
-
Category:
Quassel Core
Target version:
-
Start date:
09/18/2009
Due date:
% Done:

100%

Estimated time:
Version:
0.4.2
OS:
Any

Description

In debian + ubuntu and I bet other distris as well, the quassel sqlite database has o+r set, which makes it possible for everyone with access to the PC to read the logs of anyone.

To reproduce:
ls l /var/cache/quassel/*.sqlite
-rw-r--r-
1 quasselcore quassel 38912 16. Sep 21:19 quassel-storage.sqlite

Expected result:
rw-r----

Quassel should notify me that the permissions of my sqlite database are not set properly and offer me to correct them.

Associated revisions

Revision 328b48e6 (diff)
Added by Daniel Albers about 15 years ago

core defaults to safer umask

Fixes #804

History

#1 Updated by dalbers about 15 years ago

Not Quassel's but package maintainers' responsibility in my opinion.

#2 Updated by milian about 15 years ago

I discussed it in #quassel before reporting, and there we came to the point that it was quassel's fault. Imo it's his job to create the DB and care for proper rights.

If you disagree, please at least make a public statement (on the planet?). I'd report it at the distro's I use, though there are so many. And this is a security risk on all of them.

#3 Updated by seezer about 15 years ago

I'll never manage to understand why most to all distributions use a default umask that keeps everything world readable.
I personally don't like any file in my home directory having o+r without setting that myself.
But then i'm no distro/package maintainer. Perhaps we can get some comments from ScottK or any other distro guy?

#4 Updated by dalbers about 15 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Also available in: Atom PDF