Tmp directory and files should not be world readable

Bug #785495 reported by Simon Déziel on 2011-05-20
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sbackup (Debian)
New
Unknown
sbackup (Ubuntu)
Wishlist
Unassigned

Bug Description

Binary package hint: sbackup

When running a backup job, sbackup creates a directory (/tmp/sbackup) where is stores 3 files :

$ ls -l /tmp/sbackup
total 16
-rw-r--r-- 1 root admin 11890 2011-05-19 21:27 excludes.list
-rw-r--r-- 1 root admin 0 2011-05-19 21:27 files.snar
-rw-r--r-- 1 root admin 10 2011-05-19 21:27 includes.list

Those files should not be world readable as they may contain file listing that is meant to be private. This is nothing very important but I think this information should still be kept private.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: sbackup 0.11.4-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.38-9.43-generic 2.6.38.4
Uname: Linux 2.6.38-9-generic x86_64
Architecture: amd64
Date: Thu May 19 21:32:29 2011
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_CA:en
 LANG=en_US.UTF-8
 LC_MESSAGES=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: sbackup
UpgradeStatus: No upgrade log present (probably fresh install)

Related branches

Simon Déziel (sdeziel) wrote :
Simon Déziel (sdeziel) wrote :

$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04

$ apt-cache policy sbackup
sbackup:
  Installed: 0.11.4-0ubuntu2
  Candidate: 0.11.4-0ubuntu2
  Version table:
 *** 0.11.4-0ubuntu2 0
        500 http://ca.archive.ubuntu.com/ubuntu/ natty/universe amd64 Packages
        100 /var/lib/dpkg/status

Simon Déziel (sdeziel) wrote :

Here is a quick fix that chmod 0700 the tmp directory.

tags: added: patch
Daniel T Chen (crimsun) on 2011-07-20
Changed in sbackup (Ubuntu):
importance: Undecided → Wishlist
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbackup - 0.11.4-0ubuntu4

---------------
sbackup (0.11.4-0ubuntu4) oneiric; urgency=low

  * Apply patch from Simon Déziel to make the temp directory
    RWX only by owner instead of by all. (LP: #785495)
 -- Daniel T Chen <email address hidden> Wed, 20 Jul 2011 13:41:22 -0400

Changed in sbackup (Ubuntu):
status: New → Fix Released
Daniel T Chen (crimsun) on 2011-07-20
tags: added: patch-forwarded-debian
removed: patch
Changed in sbackup (Debian):
status: Unknown → New
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.