SUMMARY ====================== On the following system: Operating System: EndeavourOS KDE Plasma Version: 5.27.7 KDE Frameworks Version: 5.108.0 Qt Version: 5.15.10 Kernel Version: 6.4.10-arch1-1 (64-bit) Graphics Platform: X11 Processors: 12 × AMD Ryzen 5 5500U with Radeon Graphics Memory: 30.7 Gio of RAM Graphics Processor: AMD Radeon Graphics Manufacturer: ASUSTeK COMPUTER INC. Product Name: MINIPC PN51-E1 System Version: 0505 =================== $ paclog-pkglist |grep okular okular 23.04.3-1 A serious protection problem arises with the output file after digitally signing the document. STEPS TO REPRODUCE 1. mkdir --mode=2770 /tmp/dir; chgrp users /tmp/dir; setfacl -dm g:users:rwx /tmp/dir 2. soffice --writer -- type some text, save to /tmp/dir/foo.odt then export pdf to /tmp/dir/foo.pdf 3. okular /tmp/dir/foo.pdf -- sign the file with usb key (in my case CertEurope eID User), save to /tmp/dir/foo_signed.pdf OBSERVED RESULT $ grep umask /etc/pam.d/system-login session optional pam_umask.so debug usergroups umask=0077 $ umask 0007 $ mkdir --mode=2770 /tmp/dir; chgrp users /tmp/dir; setfacl -dm g:users:rwx /tmp/dir $ cd /tmp $ getfacl dir # file: dir # owner: richard # group: users # flags: -s- user::rwx group::rwx other::--- default:user::rwx default:group::rwx default:group:users:rwx default:mask::rwx default:other::--- $ soffice --writer $ getfacl dir/* # file: dir/foo.odt # owner: richard # group: users user::rw- group::rwx #effective:rw- group:users:rwx #effective:rw- mask::rw- other::--- # file: dir/foo.pdf # owner: richard # group: users user::rw- group::rwx #effective:rw- group:users:rwx #effective:rw- mask::rw- other::--- $ okular dir/foo.pdf Settings::instance called after the first use - ignoring $ getfacl dir/* # file: dir/foo.odt # owner: richard # group: users user::rw- group::rwx #effective:rw- group:users:rwx #effective:rw- mask::rw- other::--- # file: dir/foo.pdf # owner: richard # group: users user::rw- group::rwx #effective:rw- group:users:rwx #effective:rw- mask::rw- other::--- # file: dir/foo_signé.pdf # owner: richard # group: users user::rw- group::rwx #effective:--- group:users:rwx #effective:--- mask::--- other::--- EXPECTED RESULT dir/foo_signed.pdf should have the same ACL as dir/foo.pdf ADDITIONAL INFORMATION tried other programs such as pdfarranger, which seem to work fine. This is a PITA on a shared system.
ping?
ping ping?