Bug #7443
Persistent files have unsafe permissions
100%
Description
I’ve seen /live/persistent/*/gnupg and others having mode 0755. Likely this is due to live-boot copying permissions from the corresponding non-persistent files, when creating the persistent directories; combined with unsafe permissions in /etc/skel.
Subtasks
Bug #7458: Fix unsafe file permissions on existing persistent volume | Resolved | 100
Feature #7459: Create new persistent directories with safe permissions | Resolved | 100
Feature #7460: Automatically test persistent directories permissions | Resolved | 100
Related issues
Related to Tails - Feature #7465: Test if the persistent filesystem's root directory needs to be world-readable | Confirmed | 2014-06-25 |
History
#1 Updated by intrigeri 2014-06-22 00:46:31
- Target version set to Tails_1.1
This seems important enough to warrant a fix in 1.1.
#2 Updated by intrigeri 2014-06-22 00:47:26
- Description updated
#3 Updated by anonym 2014-06-22 09:59:02
intrigeri wrote:
> In other words, my initial guess is that depends on what the umask of the person doing the ISO build is […]
Vagrant’s build script doesn’t set it, so it builds using a default umask of 0022.
#4 Updated by intrigeri 2014-06-24 15:08:13
My current plan is to chmod -R go= /etc/skel/* /etc/skel/.* in config/chroot_local-hooks/99-permissions, so that all files created in /etc/skel during the build have strict permissions.
#5 Updated by intrigeri 2014-06-25 07:30:14
- Status changed from Confirmed to In Progress
- Feature Branch set to bugfix/7443-persistent-files-permission
#6 Updated by intrigeri 2014-06-25 09:49:04
- % Done changed from 0 to 10
The chmod at build time trick only resolves the problem for persistent directories that already exist in /home/amnesia at the time persistence gets enabled. Other directories are created by live-boot’s activate_custom_mounts function. Possibly the easiest fix for those ones would be to set a strict umask in live-persist.
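The umask effect discussed in comments #3 and #6, together with the chmod -R go= form from comment #4, as an added example that is not part of the original ticket and is not Tails or live-boot code. It works on a constructed temporary directory; the function names and the gnupg/secring.gpg layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: operates on a constructed temp directory,
# not on a real persistent volume. All names here are hypothetical.

# Create a small directory tree under the given umask. The subshell
# mimics a process that inherits its umask from whatever started it.
make_tree() {  # usage: make_tree ROOT UMASK
    ( umask "$2" && mkdir -p "$1/gnupg" && : > "$1/gnupg/secring.gpg" )
}

# Print every non-symlink entry under ROOT that grants any
# read, write or execute bit to group or other.
audit_perms() {  # usage: audit_perms ROOT
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of entries reported by audit_perms.
count_unsafe() { audit_perms "$1" | wc -l | tr -d ' '; }

# Remove all group/other access recursively (the chmod form
# quoted in comment #4, applied here to the temp tree).
fix_perms() { chmod -R go= "$1"; }

demo() {
    tmp=$(mktemp -d) || return 1
    make_tree "$tmp/loose" 0022    # default umask mentioned in comment #3
    make_tree "$tmp/strict" 0077   # a strict umask, as suggested in comment #6
    echo "created with umask 0022: $(count_unsafe "$tmp/loose") unsafe entries"
    audit_perms "$tmp/loose"
    echo "created with umask 0077: $(count_unsafe "$tmp/strict") unsafe entries"
    fix_perms "$tmp/loose"
    echo "after chmod -R go=:      $(count_unsafe "$tmp/loose") unsafe entries"
    rm -rf "$tmp"
}
demo
```

The audit function can be pointed at any directory tree to list entries that would fail a check of the kind Feature #7460 asks for.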
#7 Updated by intrigeri 2014-06-25 09:49:43
- Description updated
#8 Updated by intrigeri 2014-06-25 12:12:49
- related to Feature #7465: Test if the persistent filesystem's root directory needs to be world-readable added
#9 Updated by intrigeri 2014-06-27 16:31:55
- Assignee changed from intrigeri to anonym
- QA Check set to Ready for QA
#10 Updated by anonym 2014-07-01 18:45:21
- Status changed from In Progress to Fix committed
- Assignee deleted (anonym)
- QA Check changed from Ready for QA to Pass
#11 Updated by BitingBird 2014-07-22 22:47:10
- Status changed from Fix committed to Resolved