forked from Mirrors/flatpak-builder
daf36ba2af
This goes into a big old topic about Unix homedir permissions; it's not uncommon for general purpose OS vendors to have homedirs be 0755. In that case, applications need to ensure confidentiality for data requiring it (classically e.g. `~/.ssh`) by making the dirs `0700`. While most of the data in the flatpak per-user dir probably isn't confidential (debatably) we have a different issue; if container content includes suid or world-writable files/dirs, then having that data accessible to other users is obviously problematic. We're going to fix flatpak/ostree to not create files with those modes to begin with, but this simple fix closes off the attack route for the per-user directory. A different fix will be necessary for the system-wide repo. See: https://github.com/flatpak/flatpak/pull/837 |
||
|---|---|---|
| .. | ||
| gvdb | ||
| Makefile.am.inc | ||
| flatpak-chain-input-stream.c | ||
| flatpak-chain-input-stream.h | ||
| flatpak-common-types.h | ||
| flatpak-db.c | ||
| flatpak-db.h | ||
| flatpak-dir.c | ||
| flatpak-dir.h | ||
| flatpak-json-oci.c | ||
| flatpak-json-oci.h | ||
| flatpak-json.c | ||
| flatpak-json.h | ||
| flatpak-oci-registry.c | ||
| flatpak-oci-registry.h | ||
| flatpak-portal-error.c | ||
| flatpak-portal-error.h | ||
| flatpak-run.c | ||
| flatpak-run.h | ||
| flatpak-table-printer.c | ||
| flatpak-table-printer.h | ||
| flatpak-utils.c | ||
| flatpak-utils.h | ||