Your message dated Mon, 04 Apr 2016 13:48:48 +0100
with message-id <[email protected]>
and subject line (no subject)
has caused the Debian Bug report #819496,
regarding clipit clipboard history is *world* readable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
819496: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819496
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: clipit
Version: 1.4.2-1
Description of problem:
This clipboard manager stores history in a file in the users homedir,
~/.local/share/clipit/history however the permission on this file are
defaulted to 644 (-rw-r--r--), which means anyone on the machine can
read a users clipboard history.
If people are using password managers where it involves you copying a
password temporarily then this causes a huge security risk.
How reproducible:
Steps to Reproduce:
1. apt-get install clipit
2. Enable it and use it
3. Copy a password
4. Log in as another user
5. # strings ~foo/.local/share/clipit/history
Actual results:
Their clipboard history.
Expected results:
strings: /home/foo/.local/share/clipit/history: Permission denied
Additional info:
This is horrific in environments where there are multiple users.
Tested on: Debian Jessie (8.3)
--
Imran Hussain
https://sucs.org
--- End Message ---
--- Begin Message ---
D'oh I saw that ~ was created as 755 and assumed that was it, didn't
spot that ~/.local was 700!
Sorry.
--
Imran Hussain
https://sucs.org
--- End Message ---
