*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: nautilus

From http://bugzilla.gnome.org/show_bug.cgi?id=458397
reported by Roberto Zunino:

When copying files, files are created with the default umask permissions
instead of using the permissions of the file being copied. Permissions are then
"fixed" after the copy has been completed. This however leaves a window of
vulnerability.

Real world example: I just copied my old home (perms=700) to a new disk. This
took quite a long time, during which my home had permissions 775.

Steps to reproduce:
1. Create a folder and put some large files inside
2. chmod 700 folder
3. Nautilus-copy it somewhere else

Actual results:
while copying, ls -d folder_copy shows 775 perms, and other users can go in and
read inside the folders

Expected results:
folder_copy should be created with 700 perms

Does this happen every time?
yes

Other information:
The Right Thing would be to pass the correct permissions to open()/mkdir() etc.

Failing that, a good enough easier fix would be to set umask to 700&old_umask
for the copying stuff.

-----[ End of bug report by Roberto Zunino ]-----

I can reproduce this bug now with nautilus version 1:2.20.0-0ubuntu7.1
under Ubuntu 7.10 (Gutsy). I tried to copy a single regular file with
the permissions set to 600, so the problem is not limited to copying
directories.

I'm marking this as a security vulnerability because under appropriate
circumstances it can allow local users to read others' files, effectively
bypassing the permissions set by the owner. It is true that many users
won't be affected by this but that's not a valid reason to ignore the
problem.

** Affects: nautilus
     Importance: Unknown
         Status: Unknown

** Affects: nautilus (Ubuntu)
     Importance: Undecided
         Status: New

** Bug watch added: GNOME Bug Tracker #458397
   http://bugzilla.gnome.org/show_bug.cgi?id=458397

** Also affects: nautilus via
   http://bugzilla.gnome.org/show_bug.cgi?id=458397
   Importance: Unknown
       Status: Unknown

** Visibility changed to: Public

-- 
File permissions are incorrect during file copy
https://bugs.launchpad.net/bugs/209746
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
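
Added example, not Nautilus code and not part of the original report: a C sketch of the fix the report calls "The Right Thing", passing the source's permission bits to open() at creation so the copy is never readable by others while data is being written. The function names (open_dest_like, fd_mode, copy_file_private) are hypothetical.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create dst with the source's permission bits from the first instant.
 * The kernel still applies the umask, so the result is never more
 * permissive than the source. O_EXCL refuses a pre-existing path. */
int open_dest_like(const struct stat *src_st, const char *dst)
{
    return open(dst, O_WRONLY | O_CREAT | O_EXCL, src_st->st_mode & 0777);
}

/* Permission bits currently on an open descriptor, or -1 on error. */
int fd_mode(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Copy src to dst; returns 0 on success, -1 on any failure. */
int copy_file_private(const char *src, const char *dst)
{
    struct stat st;
    char buf[65536];
    ssize_t n = 0;
    int rc = -1;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = fstat(in, &st) == 0 ? open_dest_like(&st, dst) : -1;
    if (out >= 0) {
        while ((n = read(in, buf, sizeof buf)) > 0) {
            char *p = buf;
            while (n > 0) {               /* handle short writes */
                ssize_t w = write(out, p, (size_t)n);
                if (w <= 0) { n = -1; break; }
                p += w; n -= w;
            }
            if (n < 0) break;
        }
        /* Restore bits the umask may have stripped, only after the data is in. */
        if (n == 0 && fchmod(out, st.st_mode & 0777) == 0) rc = 0;
        if (close(out) != 0) rc = -1;
        if (rc != 0) unlink(dst);         /* do not leave a partial copy */
    }
    close(in);
    return rc;
}

/* usage: ./copy SRC DST */
int main(int argc, char **argv) { return argc == 3 ? -copy_file_private(argv[1], argv[2]) : 2; }
```

The same idea applies to directories: call mkdir() with the source directory's mode instead of creating it with the default and fixing it afterwards.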