The problem with /var/crash is that it violates the principle of least surprise. Mounting /tmp and /var/tmp on tmpfs is a pretty obvious step to take for anyone who is familiar with any modern GNU/Linux flavour. As apport is Ubuntu-specific, it's considerably less obvious, and as this has a security implication, this is a Bad Thing™. And I don't think “turn the feature off altogether” is a particularly good answer. It's on by default out of the box, which means it's insecure by default.
Having thought about it, I think an obvious fix would be to dump into a per-user ~/.crash directory rather than have a global dropbox. This way they'd have the same level of protection as the user's home directory.

-- 
https://bugs.launchpad.net/bugs/1077074
Title: /var/crash is unencrypted
