On Wed, May 02, 2018 at 07:07:51AM -0000, steve gooberman-hill wrote:
> I'm agreed that this is the way the system permissions work. But, did you
> see the comment I added to the bug report?

Hi Steve, indeed I did.

> Further investigation shows that file ownership is also ignored
> If I change the ownership and permissions of the file, then they are
> ignored by the Brightness & Lock app
> 
> eve@steve-laptop:~$ ls -l ~/.config/dconf/user
> -rw-r--r-- 1 steve eve 15965 Apr 28 10:37 /home/eve/.config/dconf/user
> 
> ==> Alter lock settings using "Brightness & Lock" app
> 
> eve@steve-laptop:~$ ls -l ~/.config/dconf/user
> -rw-rw-r-- 1 eve eve 15965 Apr 28 11:13 /home/eve/.config/dconf/user
> 
> 
> Eve is no longer the file owner, but is in the group (and she is not in the
> sudo group), so I don't believe that any process she is running should be
> able to change the file permissions and ownership. So I am guessing that
> the screen locking process is either not run by the user, or it is running
> with elevated privileges, which enable it to overwrite the file with a
> different privilege set.

Eve owns the directory /home/eve/.config/dconf/. Thus a process running
as Eve can unlink() any file in this directory regardless of who owns
the file or what permissions are on the file. Then it creates a new
file with any contents -- as you've seen here.

> However, I am not convinced that the existing behaviour is desirable -
> because the screen locking process appears not to check the file
> permissions and ownership, and uses its elevated privilege status to
> overwrite them.

The screen locking mechanism does not have elevated privileges. It just
runs as her. The assumption is she's the one who wants to protect her
session when she walks away momentarily.

> PS. FWIW Eve is thankfully not interested in Unix system hacking. Social
> engineering on her parents seems a better way to get increased access to
> funny cat videos :-)

Such a pity, I've heard there's a world-wide shortfall of roughly a
million information security professionals. Practicing how to bypass
access controls on childhood computers is a time-honoured traditional
education for the field.

Of course social engineering is also a useful skill. :)

Thanks Steve

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-screensaver in Ubuntu.
https://bugs.launchpad.net/bugs/1767618

Title:
  system Brightness & Lock app ignores file permissions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
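
The directory-ownership behaviour described in the reply above, as an added example that is not part of the original email thread: a process that owns a directory can swap out a file it cannot write to, because unlink() and create are checked against the directory, not the file. The temporary directory and the file name `user` are constructed stand-ins for /home/eve/.config/dconf/user; since changing a file's owner needs root, read-only mode bits stand in for the foreign ownership, and `owner_can_replace` is a hypothetical helper covering only the directory-owner case.

```python
import os
import stat
import tempfile

def owner_can_replace(path, uid):
    """True if uid owns the parent directory with write+search permission.
    A directory owner may unlink entries even when the sticky bit is set."""
    st = os.stat(os.path.dirname(os.path.abspath(path)))
    need = stat.S_IWUSR | stat.S_IXUSR
    return st.st_uid == uid and (st.st_mode & need) == need

def replace_via_directory(path, data, mode=0o664):
    """Replace path by unlink + create. The old file's owner and mode
    bits are never consulted, only the directory's."""
    os.unlink(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, mode)  # set the mode exactly, independent of umask
    return os.stat(path)

def demo():
    with tempfile.TemporaryDirectory() as d:   # directory owned by us
        path = os.path.join(d, "user")         # constructed stand-in file
        with open(path, "wb") as f:
            f.write(b"old settings")
        os.chmod(path, 0o444)                  # file itself is read-only
        try:
            with open(path, "ab") as f:        # direct write: checked on the file
                f.write(b"!")
            blocked = False                    # only expected when run as root
        except PermissionError:
            blocked = True
        predicted = owner_can_replace(path, os.geteuid())
        after = replace_via_directory(path, b"new settings")
        with open(path, "rb") as f:
            content = f.read()
        return {
            "euid": os.geteuid(),
            "direct_write_blocked": blocked,
            "predicted_replaceable": predicted,
            "new_mode": stat.S_IMODE(after.st_mode),
            "new_owner": after.st_uid,
            "content": content,
        }

if __name__ == "__main__":
    print(demo())
```

When auditing whether a per-user settings file can be pinned with file permissions alone, check the ownership and mode of the parent directory rather than the file.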