[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone
Using Thunderbird 38.8.0 in Ubuntu 16.04, when I open a pdf I now get a

-r 1 thomas thomas 19K Jun 16 18:28 filename.pdf

So nobody can read the file, which is 95% of the security fix. The remaining 5% would be to not expose the file name to other users.

That's exactly how it is done for Mozilla Firefox 47.0/Ubuntu 16.04: Firefox now uses a directory which is only accessible by the user:

drwx-- 1 thomas thomas 1,9K Jun 16 18:08 mozilla_thomas0

Thereby, using Firefox, the file names of temporary files in the directory are no longer exposed to other users.

Would be great to have the same behaviour in Thunderbird as well.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1401454

Title:
  Thunderbird writes attachments to /tmp readable to everyone

To manage notifications about this bug go to:
https://bugs.launchpad.net/thunderbird/+bug/1401454/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
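The message above separates two layers: an owner-only file mode protects the content, and an owner-only directory also hides the file name. The sketch below is an added example, not code from Thunderbird, Firefox or any poster in this thread; it creates such a directory defensively and classifies what other local users can learn in each state. It assumes Linux with GNU `stat -c`; the `temp-<uid>` directory name and all function names are hypothetical.

```shell
#!/bin/sh
# Added example; assumes Linux with GNU stat. Directory naming is hypothetical.

# Create or validate an owner-only directory under base $1 and print its path.
# A pre-existing path is accepted only if it is a real directory (no symlink),
# owned by the caller, with mode exactly 700.
private_tmpdir() (
    dir="$1/temp-$(id -u)"
    if mkdir -m 700 "$dir" 2>/dev/null; then
        printf '%s\n' "$dir"
        exit 0
    fi
    [ -d "$dir" ] && [ ! -L "$dir" ] || exit 1
    [ "$(stat -c '%u %a' "$dir")" = "$(id -u) 700" ] || exit 1
    printf '%s\n' "$dir"
)

# What group members or other users can learn about file $1, judged from the
# file and its immediate parent directory only:
#   content = file is readable, name = only the file name is listable, none.
exposure() (
    fmode=$(stat -c '%a' "$1")
    dmode=$(stat -c '%a' "$(dirname "$1")")
    if [ $(( 0$dmode & 011 )) -ne 0 ] && [ $(( 0$fmode & 044 )) -ne 0 ]; then
        echo content
    elif [ $(( 0$dmode & 044 )) -ne 0 ]; then
        echo name
    else
        echo none
    fi
)

# Walk the three states discussed in the thread inside a sandbox.
demo() (
    base=$(mktemp -d) && chmod 1777 "$base" || exit 1  # stands in for /tmp
    name=secret-agenda-from-company.ppt                # name from the report
    ( umask 022; : > "$base/$name" )                   # 644 in shared dir
    a=$(exposure "$base/$name")
    chmod 600 "$base/$name"                            # owner-only file
    b=$(exposure "$base/$name")
    dir=$(private_tmpdir "$base") || exit 1            # owner-only directory
    ( umask 077; : > "$dir/$name" )
    c=$(exposure "$dir/$name")
    rm -rf "$base"
    echo "$a $b $c"
)

demo
```

Refusing a pre-existing directory that is a symlink, is owned by someone else, or is not mode 700 matters in a sticky, world-writable `/tmp`, where any local user can create the predictable path first.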
[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone
The rights setting in /tmp is 644, not 755. Anyway, what is so complicated setting them to 600? And by the way, couldn't these files be deleted at some time?
[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone
Bug continues, all users of thunderbird use /tmp as 755 so everybody can read attachments that one user has opened. Is there any straight solution? It's a great fail of security.
[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone
** Changed in: thunderbird
       Status: Confirmed => Fix Released
[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone
As the discussion about this was going on for 8 years in the mozilla community, I suggest to at least set permissions right in the distros.

For the moment, there is only one path (which is /tmp) and there is only the original name used. That said, concurrent users could overwrite their temporary files to each other. Setting permissions right would avoid that in addition to solving the security problem. And it's still better than allowing users to overwrite files of other users to avoid error messages. Plus, privacy is an issue here as users can read private files of other users.

On single user systems, there might not be a noticeable change to users. So, what should it break? It's still not a perfect concept but a big improvement in terms of security. The rest can be done later in a nice fashion.

After setting permissions right in the distros you can still wait another 8 years and see which solution mozilla community came up with. Possibly we see an importance change to 'high' in between (say 4 years or so).
[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone
I was wrong. Not overwrite, just read. Which makes it even less probable to break things.
[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone
** Changed in: thunderbird
       Status: In Progress => Confirmed
[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone
** Bug watch added: Mozilla Bugzilla #377630
   https://bugzilla.mozilla.org/show_bug.cgi?id=377630

** Also affects: thunderbird via
   https://bugzilla.mozilla.org/show_bug.cgi?id=377630
   Importance: Unknown
       Status: Unknown

** Information type changed from Private Security to Public Security

** Changed in: thunderbird (Ubuntu)
       Status: New => Confirmed
[Bug 1401454] Re: Thunderbird writes attachments to /tmp readable to everyone
Launchpad has imported 42 comments from the remote bug at https://bugzilla.mozilla.org/show_bug.cgi?id=377630.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2007-04-16T12:12:56+00:00 Pb-bieringer wrote:

User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.0.10) Gecko/20070313 Fedora/1.5.0.10-5.fc6 Firefox/1.5.0.10 pango-text
Build Identifier: 1.5.0.10

On at least Fedora Core every attachment which was opened is saved in /tmp. On a multi user system this can lead to a filename disclosure and therefore to a privacy problem, think about e.g. /tmp/loveletter-from-girlfriend-xy.doc

Reproducible: Always

Steps to Reproduce:
1. Open attachment secret-agenda-from-company.ppt from an e-mail
2. login as different user and list /tmp directory

$ ls -al /tmp/*.ppt
-rw--- 1 peter peter 248832 16. Apr 14:08 /tmp/secret-agenda-from-company.ppt

Actual Results:
File name is unexpectedly disclosed to all other non-root users

Expected Results:
File would be stored into a subdirectory in tmp, e.g. /tmp/peter-thunderbird/secret-agenda-from-company.ppt and /tmp/peter-thunderbird is created with permissions 700

Reply at: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1401454/comments/0

On 2007-04-24T10:39:39+00:00 A S Alam wrote:

yes, bug as mention is there in fedora

Reply at: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1401454/comments/1

On 2008-03-20T18:59:02+00:00 Pb-bieringer wrote:

Looks like no one cares about it. But I found a workaround. Digging through search engines and

strings * |grep -i temp

I found, that TEMP is mentioned somewhere in the binaries. A short test shows, that following would be very helpful at least on Linux:

# cat /etc/profile.d/usertemp.sh
if [ ! -d /tmp/temp-$USER ]; then
    mkdir -m 700 /tmp/temp-$USER
fi
export TEMP=/tmp/temp-$USER

This script creates (if not already existing) a subdirectory in the /tmp folder with proper permissions and also adjusts the TEMP environment variable.

Now every attachment opened with thunderbird would be stored in /tmp/temp-$USER, no other user (except root) can see anything of the file name.

Reply at: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1401454/comments/2

On 2009-05-11T17:42:23+00:00 mlissner wrote:

It's been over a year since the last comment in this message. I hope this doesn't get folded into t-bird 3.0 as well. I can confirm this on Ubuntu Jaunty...

Reply at: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1401454/comments/3

On 2009-10-16T19:40:38+00:00 mlissner wrote:

Confirming that this is still present in TB 3.0b4pre

Can we please fix this? It's not that complicated, as indicated above.

Reply at: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1401454/comments/4

On 2009-10-16T20:35:15+00:00 Standard8 wrote:

Whilst I can see that this is an issue for a few users, I wouldn't block shipping the big upgrade of Thunderbird 3 on it - especially as it has been present since Thunderbird 1.5 at least.

Reply at: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1401454/comments/5

On 2009-11-09T03:14:22+00:00 Kshriram18 wrote:

Now, how do we include that script into the binary file that modifies that deals with the /tmp directory?

Reply at: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1401454/comments/6

On 2009-11-09T03:16:51+00:00 Kshriram18 wrote:

I am trying to find the file in the thunderbird 3 repo which deals with storing attachments. For anyone reading this bug, please feel free to submit a patch or propose alternative solutions.

Reply at: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1401454/comments/7

On 2009-11-09T03:17:17+00:00 Kshriram18 wrote:

I am trying to find the file in the thunderbird 3 repo which deals with storing attachments. For anyone reading this bug, please feel free to submit a patch or propose alternative solutions.

Reply at: https://bugs.launchpad.net/ubuntu/+source/thunderbird/+bug/1401454/comments/8

On 2009-11-09T19:56:32+00:00 Mkmelin+mozilla wrote:

Should be around