budgie-remix-bug-busters team mailing list archive
Message #01231
[Bug 2040045] Re: Screenshot could allow image data to be accessible to multiple users
Ubuntu 23.10 (Mantic Minotaur) has reached end of life, so this bug will
not be fixed for that specific release.
** Changed in: budgie-desktop (Ubuntu Mantic)
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of ubuntu
budgie bug busters, which is subscribed to budgie-desktop in Ubuntu.
https://bugs.launchpad.net/bugs/2040045
Title:
Screenshot could allow image data to be accessible to multiple users
Status in budgie-desktop package in Ubuntu:
Fix Released
Status in budgie-desktop source package in Lunar:
Won't Fix
Status in budgie-desktop source package in Mantic:
Won't Fix
Status in budgie-desktop source package in Noble:
Fix Released
Bug description:
[ Impact ]
* Analysis by upstream for budgie-desktop has noted that the use of
/tmp to pass screenshot images between the server and client dbus
elements of budgie-desktop could allow another user sharing the same
machine to access the temporary image that was captured on another
user's session.
This has been resolved by not using an accessible folder location such
as /tmp to pass data. Instead a user-space location is used which is
not accessible to other users.
Upstream have resolved this in their v10.8.2 release. This issue is
suitable to be backported to supported Ubuntu releases that
incorporate this screenshot capability.
[ Test Plan ]
* Since this issue has now switched the stored location to user-space the test plan needs to:
a) ensure the existing screenshot capability works as expected;
b) verify that /tmp is NOT being used and that the transitory files are being written to the user-space locations i.e. $XDG_RUNTIME_DIR or $HOME are being used instead.
Use the following notify script (save as ~/notifydir.sh and chmod +x
~/notifydir.sh) to watch a folder - run it in three tilix sessions:
    #!/bin/bash
    # Watch a directory and report each file created in or moved into it.
    monitor_path="$1"
    inotifywait -m "$monitor_path" -e create -e moved_to |
    while read -r path action file; do
        echo "The file '$file' appeared in directory '$path' via '$action'"
        # Show the owner and permissions of the new file
        ls -la "$path/$file"
    done
i.e. in session 1 run ~/notifydir.sh /tmp
in session 2 run ~/notifydir.sh "$XDG_RUNTIME_DIR"
in session 3 run ~/notifydir.sh "$HOME"
1. From the menu launch budgie-screenshot and take a screenshot of the screen
2. Save the image and open the image via nemo - double clicking the image will open in a picture editor such as gthumb
3. Repeat for taking a picture of a window and an area.
4. Repeat the whole screen screenshot by pressing the keyboard printscreen key
For all of the above examine the tilix sessions. Session 1 should not
show temporary screenshot files being written in /tmp (format
.budgiescreenshot_tempfile). Note you will see other temporary files
for the operating system in general but that should be expected.
Session 2 for UB should show screenshot files being written (format
.budgiescreenshot_tempfile).
Session 3 for UB should not show any screenshot files being written
(format .budgiescreenshot_tempfile). This is as expected because UB
should not normally use the fallback folder.
[ Where problems could occur ]
* The issue is specific to budgie-desktop users only and is limited to one specific capability of budgie i.e. its screenshot capability.
* If the user-space locations (XDG_RUNTIME_DIR or HOME) do not exist then the screenshot capability will not capture the image. It is considered highly unlikely that a budgie-desktop user will be attempting to run a session without a HOME folder location, i.e. the ultimate fallback that screenshot requires.
[ Other Info ]
* None.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/budgie-desktop/+bug/2040045/+subscriptions
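
The exposure described in the bug, and the two things that close it (a directory other users cannot enter, or a file other users cannot read), shown as an added example that is not budgie-desktop code and is not part of the original message. All function names and the .example_tempfile name are hypothetical; the check looks only at the "other" permission bits of the file and its immediate parent directory.

```shell
#!/bin/bash
# Added example (not budgie-desktop code). Names below are hypothetical.

# perms PATH: print the 10-character ls mode string, e.g. "drwx------".
perms() { ls -ld -- "$1" | cut -c1-10; }

# others_can_read FILE: succeed if a different local user could read FILE,
# i.e. its directory is searchable by "other" and FILE is readable by "other".
# Simplification: only the immediate parent is checked; groups/ACLs ignored.
others_can_read() {
    case "$(perms "$(dirname -- "$1")")" in
        ?????????[xt]) ;;          # "t" = sticky bit plus other-execute (/tmp)
        *) return 1 ;;
    esac
    case "$(perms "$1")" in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_private_dir: first of $XDG_RUNTIME_DIR, $HOME that exists and is owned
# by the caller (the order the test plan above names).
pick_private_dir() {
    for d in "${XDG_RUNTIME_DIR:-}" "${HOME:-}"; do
        if [ -n "$d" ] && [ -d "$d" ] && [ -O "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# write_temp DIR: create an owner-only (0600) temp file in DIR, print its path.
write_temp() { ( umask 077; mktemp "$1/.example_tempfile.XXXXXX" ); }

# Demo on a constructed sandbox: run this script with the argument "demo".
if [ "${1:-}" = demo ]; then
    box=$(mktemp -d); mkdir "$box/shared" "$box/private"
    chmod 1777 "$box/shared"; chmod 700 "$box/private"   # /tmp-like vs runtime-dir-like
    ( umask 022; : > "$box/shared/shot"; : > "$box/private/shot" )
    for f in "$box/shared/shot" "$box/private/shot" "$(write_temp "$box/shared")"; do
        if others_can_read "$f"; then echo "EXPOSED $f"; else echo "private $f"; fi
    done
    rm -rf "$box"
fi
```

Only the first file in the demo, written with a default umask into the /tmp-like directory, is reported as exposed.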