Ticket #1132 (new defect)
system:anyuser probably shouldn't have list permissions on ~/.gnupg
Reported by: | dlaw | Owned by: | |
---|---|---|---|
Priority: | low | Milestone: | The Distant Future |
Component: | -- | Keywords: | |
Cc: | Fixed in version: | ||
Upstream bug: |
Description
GPG creates files inside ~/.gnupg that contain semi-private information in their names. I can go to another user's home directory and see a list of all the machines from which they've run gpg simply by running "ls .gnupg". I'm not sure how worrisome this is, since zlocate already provides information about what machines people are using.
Note: See
TracTickets for help on using
tickets.
This is an _excellent_ package for the next debathena-trainees cluedump, so I'd like to "claim" this package to use as an example there, unless people feel that this package shouldn't exist or something. The general idea would be a wrapper (that is only used if DEBATHENA_HOME_TYPE=afs) that a) creates ~/.gnupg with system:anyuser none if it doesn't already exist; b) whines loudly on STDERR if ~/.gnupg does exist and is readable by system:anyuser. (It's unclear to me we should force it back).