forked from Mirrors/flatpak-builder
daf36ba2af
This goes into a big old topic about Unix homedir permissions; it's not uncommon for general purpose OS vendors to have homedirs be 0755. In that case, applications need to ensure confidentiality for data requiring it (classically e.g. `~/.ssh`) by making the dirs `0700`. While most of the data in the flatpak per-user dir probably isn't confidential (debatably), we have a different issue; if container content includes suid or world-writable files/dirs, then having that data accessible to other users is obviously problematic. We're going to fix flatpak/ostree to not create files with those modes to begin with, but this simple fix closes off the attack route for the per-user directory. A different fix will be necessary for the system-wide repo. See: https://github.com/flatpak/flatpak/pull/837

||
---|---|---|
gvdb | ||
Makefile.am.inc | ||
flatpak-chain-input-stream.c | ||
flatpak-chain-input-stream.h | ||
flatpak-common-types.h | ||
flatpak-db.c | ||
flatpak-db.h | ||
flatpak-dir.c | ||
flatpak-dir.h | ||
flatpak-json-oci.c | ||
flatpak-json-oci.h | ||
flatpak-json.c | ||
flatpak-json.h | ||
flatpak-oci-registry.c | ||
flatpak-oci-registry.h | ||
flatpak-portal-error.c | ||
flatpak-portal-error.h | ||
flatpak-run.c | ||
flatpak-run.h | ||
flatpak-table-printer.c | ||
flatpak-table-printer.h | ||
flatpak-utils.c | ||
flatpak-utils.h |