0.7.0 beta bug: Wrong ownership of config files is set
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
BleachBit | Fix Released | Medium | Andrew Ziem | |
Bug Description
Hello Andrew,
another bug - sorry :(
When you start bleachbit the first time it creates .config/ and .config/bleachbit/ and /root/.
When the files/directories already exist, bleachbit doesn't change anything, so it's just at initial creation.
output at the console:
As root:
##
debug: makedirs(
debug: makedirs(
debug: chown(/
debug: chown(/
debug: chown(/
##
As normal user:
###
debug: makedirs(
debug: makedirs(
debug: chown(/
Traceback (most recent call last):
File "/usr/share/
os.chown(path, uid, -1)
OSError: [Errno 1] Die Operation ist nicht erlaubt: '/home/
debug: chown(/
Traceback (most recent call last):
File "/usr/share/
os.chown(path, uid, -1)
OSError: [Errno 1] Die Operation ist nicht erlaubt: '/home/
###
You see the German "Die Operation ist nicht erlaubt" which means in English "Operation not permitted". That's good and right because a normal user doesn't have the rights to change ownerships. But for root it works of course:
###
root@E6600 ~ # ls -lisa ~/ | grep .config
939158 4,0K drwx------ 3 100 root 4,0K 19. Okt 18:35 .config
###
###
root@E6600 ~ # ls -lisa ~/.config
insgesamt 12K
939158 4,0K drwx------ 3 100 root 4,0K 19. Okt 18:35 .
8572 4,0K drwxr-x--- 8 root root 4,0K 19. Okt 18:37 ..
939167 4,0K drwx------ 2 100 root 4,0K 19. Okt 18:35 bleachbit
###
###
root@E6600 ~ # ls -lisa ~/.config/bleachbit
insgesamt 12K
939167 4,0K drwx------ 2 100 root 4,0K 19. Okt 18:35 .
939158 4,0K drwx------ 3 100 root 4,0K 19. Okt 18:35 ..
939168 4,0K -rw-r--r-- 1 100 root 366 19. Okt 18:35 bleachbit.ini
###
That's just a no-go and a very big security issue. Please fix that before the final release of 0.7.0.
Best regards
Changed in bleachbit:
status: Fix Committed → Fix Released
security vulnerability: yes → no
visibility: private → public
Changed in bleachbit:
importance: Undecided → Medium
> debug: chown(/root/.config, uid=100)
You are using sudo here, right?
>so it's just at initial creation.
The purpose of "chownself" (which I agree is malfunctioning) is to fix permissions when BleachBit first starts in 'sudo' mode. Without chownself, the files are owned by root in the user's home directory like /home/daniel/.config/bleachbit, so if you start BleachBit the second time without 'sudo', you cannot access the file.
>That's just a no-go and a very big security issue.
I'm glad to fix it, but I disagree on the risk. UID 100 should still not be able to access /root/.config/bleachbit/ because /root/ has permissions 0700.
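
An added example, not BleachBit's code and not part of the thread above: one way a chownself-style helper can decide whether a freshly created config path should be handed back to the user who invoked sudo. It assumes the caller is identified by the `SUDO_UID` variable that sudo sets; `sudo_owner_for` and this `chownself` are hypothetical names.

```python
import os
import pwd


def sudo_owner_for(path, environ=os.environ, getpwuid=pwd.getpwuid):
    """Return the (uid, gid) a path should be handed back to, or None to leave it alone."""
    # Assumption: the invoking user is taken from SUDO_UID, which sudo sets.
    if "SUDO_UID" not in environ:
        return None                      # not started through sudo
    try:
        entry = getpwuid(int(environ["SUDO_UID"]))
    except (KeyError, ValueError):
        return None                      # malformed value or unknown account
    if entry.pw_uid == 0:
        return None                      # root invoking sudo: nothing to hand back
    home = os.path.realpath(entry.pw_dir)
    target = os.path.realpath(path)
    # Only touch paths inside the invoking user's own home directory, so a
    # path such as /root/.config is never given to another account.
    if os.path.commonpath([home, target]) != home:
        return None
    return entry.pw_uid, entry.pw_gid


def chownself(path):
    """Hand a new config path back to the sudo caller; return True if ownership changed."""
    owner = sudo_owner_for(path)
    if owner is None or os.geteuid() != 0:
        return False                     # unprivileged chown would fail with EPERM
    os.lchown(path, *owner)              # lchown: never follow a symlink
    return True
```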