Bug #7443

Persistent files have unsafe permissions

Added by intrigeri over 5 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
Persistence
Target version:
Start date:
06/25/2014
Due date:
% Done:

100%

Feature Branch:
bugfix/7443-persistent-files-permission
Type of work:
Code
Blueprint:
Starter:
No
Affected tool:

Description

I've seen /live/persistent/*/gnupg and others having mode 0755. Likely this is due to live-boot copying permissions from the corresponding non-persistent files, when creating the persistent directories; combined with unsafe permissions in /etc/skel.


Subtasks

Bug #7458: Fix unsafe file permissions on existing persistent volume (Resolved)

Feature #7459: Create new persistent directories with safe permissions (Resolved)

Feature #7460: Automatically test persistent directories permissions (Resolved)


Related issues

Related to Tails - Feature #7465: Test if the persistent filesystem's root directory needs to be world-readable Confirmed 06/25/2014

History

#1 Updated by intrigeri over 5 years ago

  • Target version set to Tails_1.1

This seems important enough to warrant a fix in 1.1.

#2 Updated by intrigeri over 5 years ago

  • Description updated (diff)

#3 Updated by anonym over 5 years ago

intrigeri wrote:

In other words, my initial guess is that depends on what the umask of the person doing the ISO build is [...]

Vagrant's build script doesn't set it, so it builds using a default umask of 0022.

#4 Updated by intrigeri over 5 years ago

My current plan is to chmod -R go= /etc/skel/* /etc/skel/.* in config/chroot_local-hooks/99-permissions, so that all files created in /etc/skel during the build have strict permissions.

#5 Updated by intrigeri over 5 years ago

  • Status changed from Confirmed to In Progress
  • Feature Branch set to bugfix/7443-persistent-files-permission

#6 Updated by intrigeri over 5 years ago

  • % Done changed from 0 to 10

The chmod at build time trick only resolves the problem for persistent directories that already exist in /home/amnesia at the time persistence gets enabled. Other directories are created by live-boot's activate_custom_mounts function. Possibly the easiest fix for those ones would be to set a strict umask in live-persist.
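
An added example, not part of the original ticket or of the Tails or live-boot code: a scratch-directory model of the two cases discussed above, a persistent directory copied from a skeleton built under umask 0022 and a directory created fresh when persistence is activated, with a check that counts entries granting any group or other permission. The function names, the scratch paths and the use of a plain mkdir for the freshly created directory are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: scratch directories stand in for /etc/skel and the
# persistent volume; nothing outside the mktemp directory is touched.

# Print every non-symlink entry under $1 that grants any bit to group or other.
unsafe_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}
count_unsafe() { unsafe_entries "$1" | wc -l | tr -d ' '; }

# Skeleton as produced by a build running with umask 0022 (comment #3).
make_skel() (
    umask 0022
    mkdir -p "$1/.gnupg" && : > "$1/.gnupg/gpg.conf"
)

# Build-time fix in the spirit of comment #4, applied here to the scratch tree.
harden_skel() { chmod -R go= "$1"; }

# Persistent copy that preserves source modes, as the description suspects.
copy_to_persistent() { mkdir -p "$2" && cp -a "$1/.gnupg" "$2/"; }

# Directory absent from the skeleton, created at activation time under
# umask $2 (assumption: a plain mkdir, not live-boot's actual code).
create_persistent_dir() ( umask "$2"; mkdir -p "$1" )

demo() {
    w=$(mktemp -d) || return 1
    make_skel "$w/skel"
    copy_to_persistent "$w/skel" "$w/before"
    echo "copied from default skel:  $(count_unsafe "$w/before/.gnupg") unsafe"
    harden_skel "$w/skel"
    copy_to_persistent "$w/skel" "$w/after"
    echo "copied from hardened skel: $(count_unsafe "$w/after/.gnupg") unsafe"
    create_persistent_dir "$w/new-0022" 0022
    create_persistent_dir "$w/new-0077" 0077
    echo "new dir, umask 0022: $(count_unsafe "$w/new-0022") unsafe"
    echo "new dir, umask 0077: $(count_unsafe "$w/new-0077") unsafe"
    rm -rf "$w"
}
demo
```

The same unsafe_entries check can be pointed at a mounted persistent volume to list entries that still carry group or other bits.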

#7 Updated by intrigeri over 5 years ago

  • Description updated (diff)

#8 Updated by intrigeri over 5 years ago

  • Related to Feature #7465: Test if the persistent filesystem's root directory needs to be world-readable added

#9 Updated by intrigeri over 5 years ago

  • Assignee changed from intrigeri to anonym
  • QA Check set to Ready for QA

#10 Updated by anonym over 5 years ago

  • Status changed from In Progress to 11
  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

#11 Updated by BitingBird over 5 years ago

  • Status changed from 11 to Resolved
