[Pkg-xfce-devel] Bug#526880: Bug#526880: thunar: New directories get wrong permissions

[Yves-Alexis Perez]

On lun, 2009-05-04 at 10:23 +0200, Thomas Constans wrote:
> Package: thunar
> Version: 1.0.1-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> 
> A new directory, created from Thunar, will have permission 777,
> bypassing umask value.

That's wrong, but I think you're bitten by the “daemon” status of
Thunar.

Can you try to:

- quit thunar (thunar -q)
- check that no thunar instance is running (ps aux | grep -i thunar)
- set the umask from your terminal (umask 077)
- run thunar (thunar)
- create a folder
- check the permissions

Here, it works perfectly fine, could you try?

I guess Thunar is run (from the session) before you set the umask. Then
if you run thunar from a terminal, after setting a umask, no new process
is created, it uses the already running one, so you don't have the
correct umask.

What you need is to set the umask before thunar is run, so it might be a
good idea to set it in .xsessionrc or in your initscript so all the
desktop benefits from it. (or you can create a wrapper for thunar if you
only want thunar to use it)

Cheers,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-xfce-devel/attachments/20090504/da293a21/attachment.pgp>