Bug #804

Quassel database should not be world-readable

Added by milian over 14 years ago. Updated over 14 years ago.

Status: Resolved
Priority: Urgent
Assignee: -
Category: Quassel Core
Target version: -
Start date: 09/18/2009
Due date:
% Done: 100%
Estimated time:
Version: 0.4.2
OS: Any

Description

In Debian + Ubuntu, and I bet other distros as well, the Quassel SQLite database has o+r set, which makes it possible for everyone with access to the PC to read the logs of anyone.

To reproduce:
ls -l /var/cache/quassel/*.sqlite
-rw-r--r-- 1 quasselcore quassel 38912 16. Sep 21:19 quassel-storage.sqlite

Expected result:
-rw-r-----

Quassel should notify me that the permissions of my SQLite database are not set properly and offer to correct them.

Associated revisions

Revision 328b48e6 (diff)
Added by Daniel Albers over 14 years ago

core defaults to safer umask

Fixes #804
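
The check the report asks for, next to the effect of a tighter umask, as an added C++ example (not Quassel's code and not the content of revision 328b48e6). The function names, the scratch paths and the 027 mask are assumptions; the mask is chosen to yield the rw-r----- mode the report expects, and 0644 is the mode SQLite requests for new database files by default.

```cpp
// Added example; not Quassel's code. Names, paths and the 027 mask are assumptions.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <string>

// Permission bits "other" holds on path; 0 if none, (mode_t)-1 if stat fails.
mode_t other_bits(const std::string &path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return static_cast<mode_t>(-1);
    return st.st_mode & S_IRWXO;
}

// Strip all "other" access, leaving owner and group bits as they were.
bool tighten(const std::string &path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return false;
    return chmod(path.c_str(), st.st_mode & 07777 & ~S_IRWXO) == 0;
}

// Create a file requesting 0644 (SQLite's default for new databases) under
// the given umask; returns the resulting permission bits or (mode_t)-1.
mode_t create_under_umask(const std::string &path, mode_t mask) {
    mode_t old = umask(mask);
    int fd = open(path.c_str(), O_CREAT | O_EXCL | O_WRONLY, 0644);
    umask(old);  // restore the caller's mask
    if (fd < 0) return static_cast<mode_t>(-1);
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (st.st_mode & 0777) : static_cast<mode_t>(-1);
}

int main() {
    char dir[] = "/tmp/quassel804-XXXXXX";  // constructed scratch directory
    if (!mkdtemp(dir)) return 1;
    std::string loose = std::string(dir) + "/loose.sqlite";
    std::string tight = std::string(dir) + "/tight.sqlite";
    std::printf("umask 022 -> %04o\n", (unsigned)create_under_umask(loose, 022));
    if (other_bits(loose) != 0) {  // the notification the report asks for
        std::printf("warning: %s is accessible to other users\n", loose.c_str());
        tighten(loose);            // the correction it asks to be offered
    }
    std::printf("after fix -> other bits %o\n", (unsigned)other_bits(loose));
    std::printf("umask 027 -> %04o\n", (unsigned)create_under_umask(tight, 027));
    unlink(loose.c_str()); unlink(tight.c_str()); rmdir(dir);
    return 0;
}
```

A umask only affects files created after it is set, so a database that already exists with o+r still needs the stat/chmod check.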

History

#1 Updated by dalbers over 14 years ago

Not Quassel's but package maintainers' responsibility in my opinion.

#2 Updated by milian over 14 years ago

I discussed it in #quassel before reporting, and there we came to the point that it was Quassel's fault. IMO it's its job to create the DB and care for proper rights.

If you disagree, please at least make a public statement (on the planet?). I'd report it at the distros I use, though there are so many. And this is a security risk on all of them.

#3 Updated by seezer over 14 years ago

I'll never manage to understand why most to all distributions use a default umask that keeps everything world readable.
I personally don't like any file in my home directory having o+r without setting that myself.
But then I'm no distro/package maintainer. Perhaps we can get some comments from ScottK or any other distro guy?

#4 Updated by dalbers over 14 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
