[Evolution] Bug#526409: Bug#526409: evolution: permissions on mailbox folders are set wrong

Yves-Alexis Perez corsac at debian.org
Mon May 4 06:14:22 UTC 2009


On ven, 2009-05-01 at 11:25 +1000, Tim Connors wrote:
> Package: evolution
> Version: 2.24.5-3
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> tconnors at denman:~$ l /home/maree/.evolution/mail/local/Sent
> -rw-r--r-- 1 maree maree 118474734 2009-05-01 08:16 /home/maree/.evolution/mail/local/Sent
> 
> Hmmm.  Would it be a good idea to set ~/.evolution to 700 perhaps?  Or
> just adopt a restrictive umask for the whole of evolution (mail being
> a rather more sensitive application than most)?
> 
> Many site policies are for home directories to be world or group
> readable, and trusting users not to be stupid with their permissions.
> Unfortunately this breaks down when the applications themselves are
> stupid.
> 
> This affects upstream as well, as verified by several installations of
> deadrat and the like installed over many years at work.

Are you saying that if you change .evolution permissions to 700, they
are set back to 744 after evolution run? Because they aren't here.

If you say that evolution should create folder/files with more
restrictive defaults, I disagree. evolution should just use what the
current umask is. If you want it to be another value, just set it in your
environment before running evolution (isn't that the purpose of umask
anyway?). Multi-user systems running evolution aren't that frequent, I
guess (multi-user systems aren't that frequent anyway, these days) and
you can adjust the permissions for your ~ and .evolution in a lot of
different ways. No need to add complexity to that huge stack of code.

Cheers,
-- 
Yves-Alexis
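To make the umask point in this thread concrete, here is an added shell example (not from the bug report or from Evolution's code) that checks an ls-style mode string for group/other access, shows what mode a newly created file gets under a given umask, and audits a constructed directory standing in for ~/.evolution/mail/local:

```shell
# Added example, not part of the bug report or of Evolution.
# Two checks around the thread's point: whether a mode grants group/other
# access, and what mode a freshly created file gets under a given umask.

# Takes an ls -l mode string such as -rw-r--r--; succeeds if the group or
# "other" bits grant any access (the situation shown in the report).
mode_is_exposed() {
    rest=$(printf '%s' "$1" | cut -c5-10)
    case $rest in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# Creates a file under the given umask in a scratch directory and prints
# the resulting ls-style mode string; the scratch directory is removed.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" )
    ls -ld "$dir/probe" | cut -c1-10
    rm -rf "$dir"
}

# Lists regular files below a directory whose mode exposes them to group
# or other, one "mode path" line each; intended for a mail store such as
# ~/.evolution/mail/local.
list_exposed_files() {
    find "$1" -type f | while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)
        if mode_is_exposed "$mode"; then
            printf '%s %s\n' "$mode" "$f"
        fi
    done
}

# Demonstration on a constructed mail store (not a real ~/.evolution):
# one folder created under umask 022, one under umask 077.
demo_store=$(mktemp -d)
( umask 022 && : > "$demo_store/Sent" )
( umask 077 && : > "$demo_store/Inbox" )
list_exposed_files "$demo_store"        # only the Sent line is listed
rm -rf "$demo_store"
```

Running `list_exposed_files ~/.evolution/mail/local` before and after exporting a stricter umask shows which existing folders still need a one-time chmod, since umask only affects files created afterwards.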

