I have kuroo-0.70.1 installed which creates a directory, kuroo, under /tmp containing well-known files. The ownership and permissions of the kuroo directory and its files are as follows:

$ ls -l /tmp
...
drwxrwxrwx 2 root root 4096 Sep 29 21:14 kuroo

$ ls -l /tmp/kuroo
-rw-rw-rw- 1 root root 95 Sep 29 21:12 kuroo.log
-rw-rw-rw- 1 root root 5060608 Sep 29 21:14 portage.db

Both the kuroo directory and its files are world-writable and owned by root. Additionally, the names of the files in the kuroo directory are known and predictable. I don't know of any exploit that could take advantage of this situation (the files aren't temporaries) but as kuroo runs with superuser privileges (via kdesu) wouldn't it make sense to tighten the permissions to exclude world read, write and execute/stat access?

Regards,
Neil Darlow

Reproducible: Always
Auditors please advise.
Default temp directory is /var/tmp. Initial testing indicates that it indeed does check (at least for symlinks) before using the temporary files. Though I haven't checked the source, tavis?
(In reply to comment #2)
> Default temp directory is /var/tmp.
Are you sure? I deleted the configuration file for Gentoo Watcher then executed it. Configure Watcher... shows Kuroo home as /var/tmp. I deleted /tmp/kuroo then executed Kuroo. The configuration wizard (4/8) shows Kuroo home as /tmp/kuroo. The two programs don't agree on their data directory (on my system at least).
Fresh install says Kuroo home /var/tmp/kuroo. Once again it appears that it checks for existing tmp files, at least portage.db. Though I haven't double-checked with the source. The permissions are perhaps a bit too permissive.
(In reply to comment #4)
> Fresh install says Kuroo home /var/tmp/kuroo.
Yes, I can confirm that too. My configuration must have been from an older version of Kuroo that used /tmp? I contacted another Kuroo user who used defaults for his install and he too had Kuroo home in /tmp. I don't know which version he's using. The permissiveness of the files concerned me with respect to the possibility of changing their content by a non-privileged user.
Release 0.71.0 due to be released any day now will correct this. Directories and files will be owned by portage:portage. Kuroo will require user to be in portage group.

# ls -l
...
drwxrwxr-- 3 portage portage 4096 Oct 21 18:45 kuroo

# ls -l kuroo
total 212
drwxrwxr-- 2 portage portage 4096 Oct 21 18:44 backup
-rw-rw-r-- 1 portage portage 0 Oct 21 18:45 kuroo.log
-rw-rw-r-- 1 portage portage 206848 Oct 21 18:45 portage.db
(In reply to comment #6)
> Release 0.71.0 due to be released any day now will correct this.
> Directories and files will be owned by portage:portage.
> Kuroo will require user to be in portage group.
I hope the authors have considered the implications of this. I can envisage the scenario where two trusted portage users have dissimilar preference settings (now assuming kuroo no longer runs as root) and the interesting effects that could cause.
Plz explain...
(In reply to comment #7)
> (In reply to comment #6)
> > Release 0.71.0 due to be released any day now will correct this.
> > Directories and files will be owned by portage:portage.
> > Kuroo will require user to be in portage group.
>
> I hope the authors have considered the implications of this. I can envisage the
> scenario where two trusted portage users have dissimilar preference settings
> (now assuming kuroo no longer runs as root) and the interesting effects that
> could cause.
(In reply to comment #8)
> Plz explain...
Currently, kuroo runs as root because of kdesu. This implies that everyone who uses kuroo uses the same preference settings under /root/.kde/... Making kuroo accessible to any member of group portage, and assuming that kuroo now runs as the invoking user (not root), means that kuroo's preferences will now be under ${HOME}/.kde/... It is now possible for each invoking user of kuroo to have e.g. a different setting for Kuroo home, say /tmp/kuroo and /var/tmp/kuroo, and consequently a different view of the system is presented by kuroo for each user. I hope the kuroo authors have considered this. The alternative solution would have been to leave kuroo as su-root and tightened the Kuroo home permissions to 0700 and 0600 for the directory and its contents respectively.
No... you misunderstand how kdesu works. Launching an app with kdesu makes the app run as if you were logged in as root for the duration of the session, using prefs in "/root/.kde/...". Running the app normally and you will use prefs in "${HOME}/.kde/...".
(In reply to comment #10)
> No... you misunderstand how kdesu works.
> Launching an app with kdesu, makes the app run as if you were logged as root for
> the duration of session using prefs in "/root/.kde/...". Running the app
> normally and you will use prefs in "${HOME}/.kde/...".
I understand perfectly. My post said what you have just said. My concern is if Kuroo no longer runs under kdesu. In this case individual user preferences will be used and problems could arise.
Still nothing upstream it appears.
0.71.0_rc2 is released and in the portage tree now. Kuroo cache directory is moved to /var/kuroo with the permissions suggested by Neil, e.g. 0700 and 0600 for the directory and its contents respectively.
I hope the new cache directory is a typo. I suggested /var/cache/kuroo. /var/kuroo would be inappropriate, applications should not create directories immediately below /var.
Ok. 0.71.0 release will feature kuroo cache location in /var/cache/kuroo.
Updated ebuild committed by cryos.
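An added example, not part of the original thread or of Kuroo's code: a Python check that flags the 0777/0666 layout reported in the first comment and passes once the 0700/0600 scheme agreed later in the thread is applied. The function names and the scratch directory are assumptions, and the sample files are constructed.

```python
import os
import stat
import tempfile

def audit_cache_dir(path, owner_uid):
    """Return findings for a data directory used by a privileged program."""
    findings = []
    st = os.lstat(path)                      # lstat: do not follow a planted symlink
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory (symlink or other file type)"]
    entries = [(path, st, 0o700)]            # (path, stat result, widest allowed mode)
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        est = os.lstat(full)
        if stat.S_ISLNK(est.st_mode):
            findings.append(f"{full}: symlink inside data directory")
            continue
        entries.append((full, est, 0o700 if stat.S_ISDIR(est.st_mode) else 0o600))
    for full, est, allowed in entries:
        mode = stat.S_IMODE(est.st_mode)
        if est.st_uid != owner_uid:
            findings.append(f"{full}: owned by uid {est.st_uid}, expected {owner_uid}")
        if mode & ~allowed:                  # any group/other (or exec-on-file) bit set
            findings.append(f"{full}: mode {mode:04o} exceeds {allowed:04o}")
    return findings

def tighten(path):
    """Apply 0700 to the directory and 0600 to the regular files in it."""
    os.chmod(path, 0o700)
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if stat.S_ISREG(os.lstat(full).st_mode):   # skip symlinks and subdirectories
            os.chmod(full, 0o600)

def demo():
    """Rebuild the reported layout in a scratch directory (constructed data)."""
    with tempfile.TemporaryDirectory() as scratch:
        home = os.path.join(scratch, "kuroo")
        os.mkdir(home)
        for name in ("kuroo.log", "portage.db"):
            with open(os.path.join(home, name), "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(os.path.join(home, name), 0o666)
        os.chmod(home, 0o777)
        before = audit_cache_dir(home, os.geteuid())
        tighten(home)
        return before, audit_cache_dir(home, os.geteuid())

if __name__ == "__main__":
    print(demo())
```

A directory that has already been world-writable cannot be trusted just because its mode is tightened afterwards, so the audit also reports symlinks and unexpected owners rather than only mode bits.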