Shipping /etc/skel/.config makes dir world-readable for all users
Bug #1745929 reported by
Alkis Georgopoulos
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ubuntu-mate-welcome (Ubuntu) |
Fix Released
|
Undecided
|
Martin Wimpress | ||
Bug Description
ubuntu-mate-welcome ships /etc/skel/
I reported in LP: #1672292 that it would be better to use /etc/xdg/autostart/ instead, but I just realized that this is also a security issue:
New users get world-readable .config directories because /etc/skel/.config is used as a template.
You can easily verify this even in the live CD, where /home/ubuntu-
The .config directory should be hidden by default, as applications may put sensitive data like passwords inside it.
A quick workaround for existing systems could be:
# rm -rf /etc/skel/.config
# chmod 700 /home/*/.config
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #1 |
Revision history for this message
| Alkis Georgopoulos (alkisg) wrote | #2 |
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #3 |
| information type: | Private Security → Public Security |
| Changed in ubuntu-mate-welcome (Ubuntu): | |
| status: | New → Confirmed |
| Changed in ubuntu-mate-welcome (Ubuntu): | |
| status: | Confirmed → Fix Committed |
| Changed in ubuntu-mate-welcome (Ubuntu): | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Thanks for reporting this issue. Can I make this bug public?