Adium

Opened 14 years ago

Closed 11 years ago

Last modified 11 years ago

#1834 closed defect (fixed)

Existing logs should not be world readable.

Reported by: denis@berlin.ccc.de
Owned by: rgovostes
Milestone: Adium 1.3.1
Component: Logging
Version:
Severity: major
Keywords:
Cc:
Patch Status:

Description

Chat logs (even the ones with OTR) are saved world-readable. So anybody who has local access can read the log files of other users. I consider this a privacy nightmare.

Change History (23)

comment:1 Changed 14 years ago by Chris Forsythe

Reporter: changed from denis@… to denis@…

How can someone who is using a different system user access your log files?

comment:2 Changed 14 years ago by Zachary West

Someone who has local access, tick. AKA: another user on the system.

comment:3 Changed 14 years ago by Chris Forsythe

Yes, but permissions on ~user/Library shouldn't even allow this. So that's why I'm asking.

comment:4 Changed 14 years ago by Zachary West

That's irrelevant. File permissions supersede folder permissions.

comment:5 Changed 14 years ago by Chris Forsythe

zac is going to try this later to test it out.

comment:6 Changed 14 years ago by patr1ck

field_haspatch: 0

Just a note to say that I tested this out, and although the files are world readable ("-RW-R--R--"), they still don't seem to be able to be opened by any method from another user's account. open, cat, etc. all don't work, and I even wrote a quick little C app that uses open() with RD_ONLY and it still gave an error.

This is probably still worth investigating further though. It's quite worrying that any other local user *might* be able to get a hold of all my logs.

comment:7 Changed 14 years ago by Colin Barrett

iirc, it's bad Unix Citizenship to write out files at something other than --rw-r--r--, anyway. I request the attention of Mac-arena, the resident POSIX expert.

Could we inherit the perms for logs from the containing folder?

comment:8 Changed 14 years ago by adium@…

> Yes, but permissions on ~user/Library shouldn't even allow this. So that's why I'm asking

Correct. ~/Library has permissions of 0600, meaning nobody else can get into the directory to open or view files, so the permissions on them are only relevant if you change directory permissions to allow access to them. I assume it ought to be umask that is responsible for this, and not Adium. I'm not familiar enough with the source code to check on it right now, but I presume this is the answer.

There is little compelling reason to work on changing this setting, especially if it is affected by umask.

comment:9 Changed 14 years ago by Chris Forsythe

Resolution: wontfix
Status: new → closed

See notes above. If someone has a persuasive counter argument and a patch, that would be useful.

comment:10 Changed 12 years ago by Peter Hosey

Patch Status: None
pending: 0
Resolution: wontfix
Status: closed → reopened

The Logs folder's permissions are *not* 0700. We create the Logs folder and all account and contact folders inside it with 0755—world-readable. This means that all the chatlog files therein are world-readable, too, since their permissions are considered.

We need to:

  1. Fix our creation of the Logs folder.
  2. Fix our creation of the subfolders. The permissions of the Logs folder don't do much if the subfolders are world-readable.
  3. Fix our creation of the log files while we're at it. (This one looks like a one-liner.)
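Added example, not part of the ticket or of Adium's code: a mode-bit check showing why both observations in this thread can hold. A file's "other" read bit matters only if every directory above it also grants "other" traverse permission. The function name, the `root` parameter and the directory layout used to exercise it are assumptions; ACLs and group membership are ignored.

```python
import os
import stat

def other_can_read(path, root="/"):
    """Return True if mode bits alone let a user who is neither the owner
    nor in the group reach and read `path`, walking down from `root`."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    if os.path.commonpath([path, root]) != root:
        raise ValueError("path is not below root")
    current = root
    for part in os.path.relpath(path, root).split(os.sep):
        # Traversing a directory needs the execute (search) bit; one
        # ancestor without o+x hides everything beneath it, whatever
        # the modes of the files inside.
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
        current = os.path.join(current, part)
    # Every ancestor is traversable, so the file's own bits now decide.
    return bool(os.stat(current).st_mode & stat.S_IROTH)
```

With a 0644 log under a chain of 0755 folders this returns True; tightening any single ancestor to 0700, or the file to 0600, makes it return False.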

comment:11 Changed 12 years ago by Jordan

Milestone: Adium X 1.4

Temporary Milestone?

comment:12 Changed 12 years ago by Carlos Morales

comment:13 Changed 11 years ago by Ryan Govostes

This was "fixed" in [24822], then refixed in [24823], [24824], and finally corrected in [24830].

We still don't convert existing logs to the new permissions, so I'm leaving the ticket open.

comment:14 Changed 11 years ago by Dan

This could be perceived as a security issue. It should be fixed *before* you abandon Tiger.

comment:15 Changed 11 years ago by Jordan

Milestone: Adium X 1.4 → Adium X 1.3.1
Summary: Logs are saved world readable → Existing logs should not be world readable.

Fair enough. Adjusting Summary to reflect the new nature of this ticket.

comment:16 Changed 11 years ago by Evan Schoenberg

Owner: changed from nobody to Ryan Govostes
Status: reopened → new

Ryan, you fixed this for new logs; could you add a run-once upgrade block to convert the existing logs to the right permissions when 1.3.1 launches for the first time?

comment:17 Changed 11 years ago by David Smith

Resolution: fixed
Status: new → closed

(In [25003]) Patch from rgov: On launch, change log permissions to 0700 (for directories) or 0600 (for files), preventing users other than the owner from viewing transcripts. Fixes #1834.
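Added example, not the patch from [25003] and not Adium's code: a Python sketch of the two halves this ticket calls for, creating new log folders and files owner-only and converting existing ones to 0700/0600 in a run-once pass. The function names and the `logs_root/account/contact` layout are assumptions taken from the folder description in comment:10.

```python
import os
import stat

DIR_MODE, FILE_MODE = 0o700, 0o600  # the modes named in this ticket

def create_log_file(logs_root, account, contact, name):
    """Create an empty log under logs_root/account/contact, owner-only."""
    dirs = [logs_root,
            os.path.join(logs_root, account),
            os.path.join(logs_root, account, contact)]
    for d in dirs:
        # os.makedirs(mode=...) applies the mode to the leaf only, so create
        # each level explicitly; a umask of 022 or 077 leaves 0700 intact.
        if not os.path.isdir(d):
            os.mkdir(d, DIR_MODE)
    path = os.path.join(dirs[-1], name)
    # The mode is used only if the file is created; an existing file keeps
    # its old bits, which is why a separate conversion pass is needed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, FILE_MODE)
    os.close(fd)
    return path

def tighten_existing_logs(logs_root):
    """Run-once pass over existing logs; returns the paths it changed."""
    changed = []
    for dirpath, _dirnames, filenames in os.walk(logs_root, followlinks=False):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, want in entries:
            st = os.lstat(path)
            # Skip symlinks and special files: chmod follows links and could
            # change a target outside the log tree.
            if not (stat.S_ISDIR(st.st_mode) or stat.S_ISREG(st.st_mode)):
                continue
            if stat.S_IMODE(st.st_mode) != want:
                os.chmod(path, want)
                changed.append(path)
    return changed
```

Shipping only one of the two functions leaves a gap: without the conversion pass old logs keep their 0644/0755 bits, and without the creation fix every new log reopens the exposure.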

comment:18 Changed 11 years ago by rgov

(In [25005]) Reverting [25003] -- don't merge code from trunk into the 1.3 branch. Refs #1834.

comment:19 Changed 11 years ago by rgov

(In [25006]) Re-applied changes in [25003] based on code in the 1.3 branch. Should re-fix #1834.

comment:20 Changed 11 years ago by Dan

Adium 1.3.3rc1 (on OS X 10.4.11) is creating log files and folders that are both group and world readable.

IMO, Logs and *everything* therein should be No Access to both group and other. Maybe even some of the higher folders should be locked down too.

comment:21 Changed 11 years ago by Ryan Govostes

I changed the code for log file permissions in [24822]ish then wrote an updater in [25003]ish that re-permissioned the existing files. However, only the converter got merged with 1.3. This explains the problem, but I don't have time to rectify the solution (which includes re-running the converter).

comment:22 Changed 11 years ago by Dan

Is this to be included in Adium 1.3.4?

comment:23 Changed 11 years ago by Dan

Logs in Adium 1.3.5 are being saved world readable.
