Bug 139551

Summary: index files from 774 to 700 for security improvement
Product: [Unmaintained] kmail Reporter: Jose Da Silva <Digital>
Component: indexAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED    
Severity: normal CC: jtamate, kollix
Priority: NOR Keywords: triaged
Version: unspecified   
Target Milestone: ---   
Platform: Mandriva RPMs   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Jose Da Silva 2007-01-03 12:47:26 UTC 
Version:            (using KDE KDE 3.5.4)
Installed from:    Mandriva RPMs
OS:                Linux

Right now, Kmail opens/creates personal email mbox or Maildir files using the 0600 file attribute (user.group.other) but unfortunately does not do the same for the fancier indexes such as index.ids or index.sorted.

Modifying the attribute for those indexes should improve Kmail from a security aspect.

The mail/index files in question would be located in ~/.kde/shared/apps/kmail/mail/* for KMail packaged with KDE 3.5 and located in possible other locations such as ~/.Mail/* for Kmail included with KDE 3.3


the search index could also be include in the above list (.Last Search.index.search.ids)
Comment 1 Thomas McGuire 2007-07-17 18:02:30 UTC 
Thanks for including the search index, that was a good observance.  :-)

Quote:
the search index could also be include in the above list (.Last 
Search.index.search.ids) 

On July 17, 2007 05:33:11 am Thomas McGuire wrote:
[bugs.kde.org quoted mail]
Comment 2 Thomas McGuire 2007-07-17 18:11:05 UTC 
Huh? Why does comment #1 seems to be written by me? I didn't write that...
Comment 3 Jaime Torres 2008-09-23 08:50:39 UTC 
In kmail 1.10.1, every folder bellow .kde/share/kmail has rwx------ rights.
Comment 4 Jose Da Silva 2008-09-23 11:03:05 UTC 
Yes, I see
.kde/share/kmail has rwx------ folder rights in Kmail 1.9.9 under KDE3.5.9

In 3.3 it was worse, but in 3.5 various files are still created as rw-rw-r--

If Linux provides you tools to improve security, why not make use of them?  :-)

Let's say for example that today you have several shared plugins such as flash animation for Firefox, Konqueror, or Opera ....
....could it be conceivable that in future that it may be possible to share email data between clients...say Kmail if you do it by GUI, and some other mail client such as "mail" if you do/read/parse/other by script.

Let's suppose that you keep your mail in a common location such as ~/.Mail and put a link from ~/.kde/shared/apps/kmail/mail to ~/.Mail but ~/.Mail is rwxr-xr-x

The above is a "what-if?" scenario, and allowing the file system to hold an additional level of security by making your files rw------- is just an additional precaution for unlikely "what-if?"s

Just a thought
Jose
Comment 5 Martin Koller 2009-08-04 21:30:41 UTC 
SVN commit 1006953 by mkoller:

BUG: 139551

also create the index.ids file to be only read/writable by the owner


 M  +6 -0      kmmsgdict.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1006953
Comment 6 Martin Koller 2009-08-04 21:32:31 UTC 
The mail files themselves are not covered, but if you manage to symlink all your dirs, you'll also manage to run kmail with a different umask.