dx-packages team mailing list archive

Thread
Date

[Bug 1735929] Re: security problems with incorrect permissions for ubuntu 17.10

To: dx-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1735929@xxxxxxxxxxxxxxxxxx>
Date: Tue, 10 Apr 2018 19:59:38 -0000
Reply-to: Bug 1735929 <1735929@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package gnome-session - 3.28.1-0ubuntu1

---------------
gnome-session (3.28.1-0ubuntu1) bionic; urgency=medium

  * New upstream release
    - Don't create ~/.config as world-readable. (LP: #1735929)
  * Drop xsmp-don-t-check-for-HAVE_XTRANS.patch: Applied in new release

 -- Jeremy Bicha <jbicha@xxxxxxxxxx>  Tue, 10 Apr 2018 10:09:40 -0400

** Changed in: gnome-session (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to d-conf in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1735929

Title:
  security problems with incorrect permissions for ubuntu 17.10

Status in dconf:
  Confirmed
Status in gnome-session:
  Fix Released
Status in d-conf package in Ubuntu:
  Fix Released
Status in dconf package in Ubuntu:
  Triaged
Status in gnome-session package in Ubuntu:
  Fix Released
Status in session-migration package in Ubuntu:
  Fix Released
Status in d-conf source package in Bionic:
  Fix Released
Status in dconf source package in Bionic:
  Triaged
Status in gnome-session source package in Bionic:
  Fix Released
Status in session-migration source package in Bionic:
  Fix Released

Bug description:
  The release of Ubuntu you are using (lsb_release -rd):
  Description:	Ubuntu 17.10
  Release:	17.10

  This is a fresh installation of Ubuntu 17.10 from the mini.iso.
  I select only default options + [Ubuntu Desktop] installation.

  What you expected to happen:
  My home folder contains the following folders with correct and safe permissions after the first login:
  drwx------ 11 user user 4096 Dec  2 17:40 .config
  drwx------  3 user user 4096 Dec  2 17:39 .local

  What happened instead:
  I received these folders after the first login:
  drwxr-xr-x 11 user user 4096 Dec  2 17:40 .config
  drwxr-xr-x  3 user user 4096 Dec  2 17:39 .local
  It is not safe. Any user can access to my .config folders and read for example my mail databases

  I'm trying to create a new user...:
  sudo useradd -m user2
  sudo passwd user2
  ... and login then.
  It has the same problem:
  drwxr-xr-x 10 user2 user2 4096 Dec  2 19:44 .config
  drwxr-xr-x  3 user2 user2 4096 Dec  2 19:44 .local

To manage notifications about this bug go to:
https://bugs.launchpad.net/dconf/+bug/1735929/+subscriptions