sources.list file created for ESM is world-readable, leaks subscriber token to all local users
Bug #1700611 reported by Steve Langasek
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntu-advantage-script | Fix Released | Unknown | |
ubuntu-advantage-tools (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
The sources.list.d entry for esm is created with the default umask, which means that all local users on the system have access to the token. Being able to read globally-readable files on the filesystem does not necessarily mean you are an ESM subscriber who should have access to this token and be able to access the ESM archive.
We should probably create this file mode 0600. (Though it is too late to fix this for precise.)
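An added example (not code from ubuntu-advantage-script or from this report) of the fix the description proposes: the file is created mode 0600 from the start, and an audit finds existing world-readable source files that carry a token. The function names, the scratch directory standing in for sources.list.d, the token, and the assumption that the token sits in the URL as `scheme://userinfo@host` are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names, paths and the token are constructed.

# Create or replace a credentialed apt source file so that it is mode 0600
# from the moment it exists (no window between create and chmod).
write_private_source() {
    dest=$1
    line=$2
    (
        umask 077    # subshell only: the caller's umask is left untouched
        tmp=$(mktemp "$(dirname "$dest")/.src.XXXXXX") || exit 1
        printf '%s\n' "$line" > "$tmp" || { rm -f "$tmp"; exit 1; }
        # Rename within the same directory: atomic, and it also replaces
        # a file that was previously written with mode 0644.
        mv -f "$tmp" "$dest" || { rm -f "$tmp"; exit 1; }
    )
}

# List files under $1 that other users can read AND that carry credentials
# in a URL (assumed form: scheme://userinfo@host).
find_exposed_sources() {
    find "$1" -type f -perm -004 \
        -exec grep -lE '://[^/@[:space:]]+@' {} + 2>/dev/null || true
}

# Demo in a scratch directory standing in for /etc/apt/sources.list.d.
demo() {
    d=$(mktemp -d) || return 1
    entry='deb https://user:CONSTRUCTED-TOKEN@archive.example.invalid/ubuntu precise main'
    ( umask 022; printf '%s\n' "$entry" > "$d/esm.list" )  # the reported behaviour
    echo "exposed before: $(find_exposed_sources "$d")"
    write_private_source "$d/esm.list" "$entry"
    echo "exposed after:  $(find_exposed_sources "$d")"
    rm -rf "$d"
}
demo
```

Fixing the mode only protects the token from that point on; a token that has already sat in a world-readable file may have been read by any local user.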
Changed in ubuntu-advantage-tools (Ubuntu): status: New → Incomplete
Changed in ubuntu-advantage-script: status: Unknown → Fix Released
Filed upstream: https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/22