*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Jamie Strandboge (jdstrand):

Binary package hint: kdebase

KDE uses several directories outside $HOME to store "temporary" files. This may unpleasantly surprise users who choose to encrypt their home directory (using ecryptfs) and expect their data to be protected.

According to http://techbase.kde.org/KDE_System_Administration/KDE_Filesystem_Hierarchy there are at least three user-specific directories placed by default outside $HOME (see the doc for KDE's motivation):

1. /var/tmp/kdecache-$USER/
2. /tmp/kde-$USER/
3. /tmp/ksocket-$USER/

#1 is particularly problematic since /var/tmp is not cleaned upon reboot and stores HTTP cache, thumbnails of viewed images, etc. However, fixing it is quite easy: just set KDEVARTMP to $XDG_CACHE_HOME (or $HOME/.cache/ if $XDG_CACHE_HOME is unset). This probably is only needed for users who encrypt their home directories.

I don't know how #2 is used. It's empty on my system. Probably, leaving it as is is OK because it provides the same guarantees to the user as a standard /tmp (e.g. cleanup upon normal boot, but allowing external examination, e.g. from a live CD). At least if some decision is made regarding #2 it should expand to the whole /tmp, not just KDE's files.

#3 is probably safe since it should only contain named sockets.

** Affects: kdebase (Ubuntu)
     Importance: Undecided
         Status: New

--
information leakage by kdecache when using encrypted home
https://bugs.launchpad.net/bugs/786150
You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber.
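The workaround proposed in the report, together with a check for which of the three listed directories exist outside the home directory, as an added example that is not part of the original bug report. The function names and the optional root-prefix argument are hypothetical, and the script assumes it is sourced by a session startup script before KDE starts.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Cache location proposed in the report:
# $XDG_CACHE_HOME if set and non-empty, otherwise $HOME/.cache.
kde_cache_target() {
    printf '%s\n' "${XDG_CACHE_HOME:-$HOME/.cache}"
}

# Succeeds if path $1 is directory $2 itself or lies beneath it.
# Purely lexical: symlinks are not resolved.
is_under() {
    case "$1/" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each per-user KDE directory named in the report that exists
# and is not inside the home directory.
# Args: user, home directory, optional root prefix (assumption, for testing).
kde_dirs_outside_home() {
    kde_user=$1
    kde_home=$2
    kde_root=${3:-}
    for kde_d in "/var/tmp/kdecache-$kde_user" \
                 "/tmp/kde-$kde_user" \
                 "/tmp/ksocket-$kde_user"; do
        kde_p="$kde_root$kde_d"
        [ -e "$kde_p" ] || continue
        is_under "$kde_p" "$kde_home" && continue
        printf '%s\n' "$kde_p"
    done
}

# Point KDEVARTMP at the cache location inside $HOME, creating the
# directory without group/other access if it does not exist yet.
use_private_kde_cache() {
    kde_target=$(kde_cache_target)
    ( umask 077; mkdir -p "$kde_target" ) || return 1
    KDEVARTMP=$kde_target
    export KDEVARTMP
}
```

Data already written under /var/tmp/kdecache-$USER/ before the variable is set stays on the unencrypted filesystem until it is removed.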
