Bug #7443

Persistent files have unsafe permissions

Added by intrigeri 2014-06-22 00:46:01. Updated 2014-07-22 22:47:10.

Status: Resolved
Priority: High
Assignee:
Category: Persistence
Target version:
Start date: 2014-06-25
Due date:
% Done: 100%
Feature Branch: bugfix/7443-persistent-files-permission
Type of work: Code
Blueprint:
Starter: 0
Affected tool:
Deliverable for:

Description

I’ve seen /live/persistent/*/gnupg and others having mode 0755. Likely this is due to live-boot copying permissions from the corresponding non-persistent files, when creating the persistent directories; combined with unsafe permissions in /etc/skel.


Subtasks

Bug #7458: Fix unsafe file permissions on existing persistent volume (Resolved, 100%)

Feature #7459: Create new persistent directories with safe permissions (Resolved, 100%)

Feature #7460: Automatically test persistent directories permissions (Resolved, 100%)


Related issues

Related to Tails - Feature #7465: Test if the persistent filesystem's root directory needs to be world-readable Confirmed 2014-06-25

History

#1 Updated by intrigeri 2014-06-22 00:46:31

  • Target version set to Tails_1.1

This seems important enough to warrant a fix in 1.1.

#2 Updated by intrigeri 2014-06-22 00:47:26

  • Description updated

#3 Updated by anonym 2014-06-22 09:59:02

intrigeri wrote:
> In other words, my initial guess is that depends on what the umask of the person doing the ISO build is […]

Vagrant’s build script doesn’t set it, so it builds using a default umask of 0022.

#4 Updated by intrigeri 2014-06-24 15:08:13

My current plan is to chmod -R go= /etc/skel/* /etc/skel/.* in config/chroot_local-hooks/99-permissions, so that all files created in /etc/skel during the build have strict permissions.

#5 Updated by intrigeri 2014-06-25 07:30:14

  • Status changed from Confirmed to In Progress
  • Feature Branch set to bugfix/7443-persistent-files-permission

#6 Updated by intrigeri 2014-06-25 09:49:04

  • % Done changed from 0 to 10

The chmod at build time trick only resolves the problem for persistent directories that already exist in /home/amnesia at the time persistence gets enabled. Other directories are created by live-boot’s activate_custom_mounts function. Possibly the easiest fix for those ones would be to set a strict umask in live-persist.
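
The two fixes discussed in comments #4 and #6, together with the kind of check subtask #7460 asks for, as an added example that is not part of this ticket and not Tails' or live-boot's own code. The function names and the temporary directory layout are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: function names and paths are placeholders, not Tails code.

# List entries under $1 that grant any permission to group or other.
# Symlinks are skipped: their own mode bits are not meaningful.
unsafe_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Build-time style fix: strip group/other access from an existing tree.
# find is used rather than a ".*" glob, which some shells expand to
# include "..".
harden_tree() {
    find "$1" ! -type l -exec chmod go= {} +
}

# Runtime style fix: create a directory under a strict umask, in a
# subshell so the caller's umask is left unchanged.
create_private_dir() {
    ( umask 077 && mkdir -p "$1" )
}

# Exit status 0 only when nothing under $1 is group/world accessible.
audit_tree() {
    [ -z "$(unsafe_entries "$1")" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    ( umask 022                      # default umask, as in comment #3
      mkdir -p "$tmp/skel/.gnupg"
      : > "$tmp/skel/.gnupg/gpg.conf" )
    audit_tree "$tmp/skel" || echo "before: unsafe entries found"
    harden_tree "$tmp/skel"
    audit_tree "$tmp/skel" && echo "after chmod: clean"
    create_private_dir "$tmp/skel/.newdir"
    audit_tree "$tmp/skel" && echo "new directory: clean"
    rm -rf "$tmp"
}

demo
```
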

#7 Updated by intrigeri 2014-06-25 09:49:43

  • Description updated

#8 Updated by intrigeri 2014-06-25 12:12:49

  • related to Feature #7465: Test if the persistent filesystem's root directory needs to be world-readable added

#9 Updated by intrigeri 2014-06-27 16:31:55

  • Assignee changed from intrigeri to anonym
  • QA Check set to Ready for QA

#10 Updated by anonym 2014-07-01 18:45:21

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • QA Check changed from Ready for QA to Pass

#11 Updated by BitingBird 2014-07-22 22:47:10

  • Status changed from Fix committed to Resolved