Ticket #1132 (new defect)

Opened 9 years ago

Last modified 9 years ago

system:anyuser probably shouldn't have list permissions on ~/.gnupg

Reported by: dlaw
Owned by:
Priority: low
Milestone: The Distant Future
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description

GPG creates files inside ~/.gnupg that contain semi-private information in their names. I can go to another user's home directory and see a list of all the machines from which they've run gpg simply by running "ls .gnupg". I'm not sure how worrisome this is, since zlocate already provides information about what machines people are using.

Change History

comment:1 Changed 9 years ago by jdreed

This is an _excellent_ package for the next debathena-trainees cluedump, so I'd like to "claim" this package to use as an example there, unless people feel that this package shouldn't exist or something. The general idea would be a wrapper (that is only used if DEBATHENA_HOME_TYPE=afs) that a) creates ~/.gnupg with system:anyuser none if it doesn't already exist; b) whines loudly on STDERR if ~/.gnupg does exist and is readable by system:anyuser. (It's unclear to me we should force it back).
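
A sketch of the check described in comment:1, added here as an example; it is not Debathena code. It assumes the OpenAFS `fs` command is available, and the function names and message text are hypothetical.

```shell
#!/bin/sh
# Added example (not Debathena code): ACL check for a gpg wrapper on AFS homes.
# Function names and message text are hypothetical; `fs` is the OpenAFS CLI.

# Print the rights system:anyuser holds on directory $1 (empty if none).
# Only the "Normal rights:" section of `fs listacl` output grants access.
anyuser_rights() {
    fs listacl -path "$1" 2>/dev/null | awk '
        /^Normal rights:/   { normal = 1; next }
        /^Negative rights:/ { normal = 0; next }
        normal && $1 == "system:anyuser" { print $2 }'
}

# a) create ~/.gnupg closed to system:anyuser if it does not exist;
# b) warn on stderr if it exists and system:anyuser has any rights on it.
gnupg_acl_guard() {
    dir=$HOME/.gnupg
    # Only AFS home directories are affected.
    [ "${DEBATHENA_HOME_TYPE:-}" = afs ] || return 0

    if [ ! -d "$dir" ]; then
        # A new AFS directory inherits its parent's ACL, so the entry for
        # system:anyuser has to be removed explicitly after mkdir.
        mkdir -m 700 "$dir" || return 1
        fs setacl -dir "$dir" -acl system:anyuser none || return 1
        return 0
    fi

    rights=$(anyuser_rights "$dir")
    if [ -n "$rights" ]; then
        # Warn only; the ACL is left alone, since the comment leaves open
        # whether it should be forced back.
        echo "gpg: warning: $dir grants system:anyuser '$rights'" >&2
        echo "gpg: system:anyuser should have no rights there; to fix:" >&2
        echo "gpg:   fs setacl -dir $dir -acl system:anyuser none" >&2
    fi
    return 0
}

# An installed wrapper would end with (gpg path is an assumption):
#   gnupg_acl_guard; exec /usr/bin/gpg "$@"
```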
