I'm sorry if my English is hard to understand.

kdeinit5 creates /tmp/xauth-xxx-_y with inappropriate permissions, 644. I think it should be 600.

---affected system---
Distro : ArchLinux
Qt version : 5.5.1 (I'm sorry, I haven't checked the other versions on Arch.)
KDE version : 5.18.0 (The same as above)
------

---not affected system---
Distro : Kubuntu 15.10 LiveCD
Qt version : 5.4.2
KDE version : 5.15.0
------

Reproducible: Always

Steps to Reproduce:
1. Just log in to plasma5. (I tried sddm and startx.)

Actual Results:
The permission of /tmp/xauth-xxx-_y is 644.

Expected Results:
The permission of /tmp/xauth-xxx-_y should be 600.

I'm a newbie, but I tried to read the source for my study. I changed the code near line 1536 of kinit-5.18.0/src/kdeinit/kinit.cpp.

---before---
    if (!xauthfrom.open(QFile::ReadOnly) || !xauthfile.open(QFile::WriteOnly) ||
        xauthfile.write(xauthfrom.readAll()) != xauthfrom.size() || !xauthfile.commit()) {
------

to

---after---
    if (!xauthfrom.open(QFile::ReadOnly) || !xauthfile.open(QFile::WriteOnly) ||
        !xauthfile.setPermissions( QFile::Permissions( QFile::ReadOwner | QFile::WriteOwner ) ) ||
        xauthfile.write(xauthfrom.readAll()) != xauthfrom.size() || !xauthfile.commit()) {
------

Then I removed /tmp/xauth-xxx-_y and logged in again, and the permission became 600.

I don't have enough knowledge, so I can't determine whether this is a valid solution or not.
*** Bug 363140 has been marked as a duplicate of this bug. ***
Git commit dece8fd89979cd1a86c03bcaceef6e9221e8d8cd by Albert Astals Cid, on behalf of taro yamada.
Committed on 17/05/2016 at 22:08.
Pushed by aacid into branch 'master'.

Fix permissions of /tmp/xauth-xxx-_y

M +1 -0 src/kdeinit/kinit.cpp

http://commits.kde.org/kinit/dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
Ain't this fix racy? The file is first created as world readable, and later chmod-ed to expected permissions, leaving a (small) window during which the file can be opened by anyone.

Also this looks like a symptom of a larger problem. Previously, the xauth file was stored in the /tmp/kde-$username directory with safe permissions (700):

https://userbase.kde.org/KDE_System_Administration/KDE_Filesystem_Hierarchy#Temporary_Files

That directory does not seem to be created any more. Other programs that previously created temporary files with world-readable permissions inside the safe directory may also be affected if they now use /tmp directly instead.
(In reply to Tomas Hoger from comment #4)
> Ain't this fix racy? The file is first created as world readable, and later
> chmod-ed to expected permissions, leaving a (small) window during which the
> file can be opened by anyone.

Yes, it is a bit racy. At this point it is the best mitigation *I* can offer; I am trying to get the people that know how this works to provide a better solution.
Fixed again with umask use
Adding the link to the umask fix, as it was not linked here automatically. https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58
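
The race raised in comment #4 and the umask approach mentioned in the last two comments, as an added example that is not kinit code and not the linked commit. It uses plain POSIX calls; `make_demo_dir`, `mode_at_creation`, `create_then_chmod` and the `/tmp/xauth-demo-XXXXXX` path are hypothetical names constructed for the demonstration.

```cpp
// Added illustration, not kinit code. POSIX only; paths are constructed for the demo.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <string>

// Permission bits of an open file, or (mode_t)-1 on error.
static mode_t mode_of(int fd) {
    struct stat st{};
    return fstat(fd, &st) == 0 ? (st.st_mode & 0777) : static_cast<mode_t>(-1);
}

// Hypothetical helper: private scratch directory so the demo touches nothing else.
std::string make_demo_dir() {
    char tmpl[] = "/tmp/xauth-demo-XXXXXX";
    char *d = mkdtemp(tmpl);
    return d ? std::string(d) : std::string();
}

// Create `path` with the given umask in effect and report the mode the file
// had at the instant it appeared in the directory. O_EXCL makes the call fail
// instead of reusing a file or symlink that already exists at that path.
mode_t mode_at_creation(const std::string &path, mode_t mask) {
    mode_t old = umask(mask);  // process-wide setting: restore it right away
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (fd < 0) return static_cast<mode_t>(-1);
    mode_t initial = mode_of(fd);
    close(fd);
    return initial;
}

// Pattern of the first fix: create under a common 022 umask, then chmod.
// Returns the mode that was visible before the chmod took effect.
mode_t create_then_chmod(const std::string &path) {
    mode_t initial = mode_at_creation(path, 022);
    if (initial != static_cast<mode_t>(-1))
        chmod(path.c_str(), S_IRUSR | S_IWUSR);  // 0600 only from here on
    return initial;
}

int main() {
    std::string dir = make_demo_dir();
    if (dir.empty()) return 1;
    std::printf("create then chmod: born %04o\n", (unsigned)create_then_chmod(dir + "/a"));
    std::printf("umask 077:         born %04o\n", (unsigned)mode_at_creation(dir + "/b", 077));
    unlink((dir + "/a").c_str()); unlink((dir + "/b").c_str()); rmdir(dir.c_str());
    return 0;
}
```

Because the umask is shared by every thread in the process, code that calls `open()` directly can instead pass 0600 as the mode argument and leave the umask alone.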