Bug #7443: Persistent files have unsafe permissions

Bug #7443

Persistent files have unsafe permissions

Added by intrigeri 2014-06-22 00:46:01 . Updated 2014-07-22 22:47:10 .

Status:

Resolved

Priority:

High

Assignee:

Category:

Persistence

Target version:

Tails_1.1

Start date:

2014-06-25

Due date:

% Done:

100%

Feature Branch:

bugfix/7443-persistent-files-permission

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

I’ve seen /live/persistent/*/gnupg and others having mode 0755. Likely this is due to live-boot copying permissions from the corresponding non-persistent files, when creating the persistent directories; combined with unsafe permissions in /etc/skel.

Subtasks

Bug #7458: Fix unsafe file permissions on existing persistent volume

Resolved

100

Feature #7459: Create new persistent directories with safe permissions

Resolved

100

Feature #7460: Automatically test persistent directories permissions

Resolved

100

Related issues

Related to Tails - Feature #7465: Test if the persistent filesystem's root directory needs to be world-readable

Confirmed

2014-06-25

History

#1 Updated by intrigeri 2014-06-22 00:46:31

Target version set to Tails_1.1

This seems important enough to warrant a fix in 1.1.

#2 Updated by intrigeri 2014-06-22 00:47:26

Description updated

#3 Updated by anonym 2014-06-22 09:59:02

intrigeri wrote:
> In other words, my initial guess is that depends on what the umask of the person doing the ISO build is […]

Vagrant’s build script doesn’t set it, so it builds using a default umask of 0022.

#4 Updated by intrigeri 2014-06-24 15:08:13

My current plan is to chmod -R go= /etc/skel/* /etc/skel/.* in config/chroot_local-hooks/99-permissions, so that all files created in /etc/skel during the build have strict permissions.

#5 Updated by intrigeri 2014-06-25 07:30:14

Status changed from Confirmed to In Progress
Feature Branch set to bugfix/7443-persistent-files-permission

#6 Updated by intrigeri 2014-06-25 09:49:04

% Done changed from 0 to 10

The chmod at build time trick only resolves the problem for persistent directories that already exist in /home/amnesia at the time persistence gets enabled. Other directories are created by live-boot’s activate_custom_mounts function. Possibly the easiest fix for those ones would be to set a strict umask in live-persist.

#7 Updated by intrigeri 2014-06-25 09:49:43

Description updated

#8 Updated by intrigeri 2014-06-25 12:12:49

related to Feature #7465: Test if the persistent filesystem's root directory needs to be world-readable added

#9 Updated by intrigeri 2014-06-27 16:31:55

Assignee changed from intrigeri to anonym
QA Check set to Ready for QA

#10 Updated by anonym 2014-07-01 18:45:21

Status changed from In Progress to Fix committed
Assignee deleted (~~anonym~~)
QA Check changed from Ready for QA to Pass

#11 Updated by BitingBird 2014-07-22 22:47:10

Status changed from Fix committed to Resolved