KSaveFile not keeping mode, uid and gid!
Reinhold Kainhofer
reinhold at kainhofer.com
Fri Jul 23 16:43:02 BST 2004
Hi,
In KOrganizer (where we use KSaveFile when saving local files) we have the
problem that the mode, the uid and gid of a file are not retained if uid and
gid of the file are not the uid and gid of the user.
For example, I (user reinhold, group reinhold) have a file
-rw------- 1 reinhold reinhold 397 2004-07-23 17:31 tt.ics
If I use KSaveFile to save something to tt.ics, the 600 mode is kept.
Now, if I have a file
-rw------- 1 reinhold users 397 2004-07-23 17:31 tt.ics
then using KSaveFile reverts the file's permissions to 644, user reinhold,
group reinhold.
This is of course caused by the check
(stat_buf.st_uid == getuid())
&& (stat_buf.st_gid == getgid()))
in lines 73/74 of ksavefile.cpp. This assumes that the user is only able to
write to files that have his own uid and gid set, but neglects the fact that
he might be allowed to write to other files, which for example might be
group- or even world-writable, but do not belong to the user.
This check was introduced by Waldo on Feb 23 in revision 1.14 for HEAD and
1.10.4.3 for KDE_3_2_BRANCH with the comment "Use stat, use fchmod and only
if it was our own file.".
I think that check needs to be removed again to fix bugs like 71354. Can this
be done for kde 3.3?
BTW, this issue even raises some privacy issues, as the user for example
explicitly chose to disallow group or world access to his calendar (maybe
containing confidential data), but KSaveFile happily resets the permissions
to world readability...
Thanks,
Reinhold
--
------------------------------------------------------------------
Reinhold Kainhofer, Vienna, Austria
email: reinhold at kainhofer.com, http://reinhold.kainhofer.com/
* Financial and Actuarial Mathematics, TU Wien, http://www.fam.tuwien.ac.at
* Deltasoft mathematics, http://www.deltasoft.at/
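
The save pattern discussed in the message above (write a temporary file, then rename it over the target), as an added example that is not part of the original message and is not KSaveFile's code. The function names, the /tmp demo path and the rule of clearing the group bits when the old group cannot be kept are assumptions of this sketch.

```cpp
// Added example, not KSaveFile's code; function names are hypothetical.
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Write to a temp file, copy the target's mode (and group when allowed),
// then rename() over the target. Returns 0 on success, -1 on error.
int save_keeping_mode(const std::string &path, const std::string &data) {
    struct stat old_st, new_st;
    bool had_old = stat(path.c_str(), &old_st) == 0;
    std::string tmp = path + ".XXXXXX";
    int fd = mkstemp(&tmp[0]);                  // created 0600, owned by us
    if (fd < 0) return -1;
    bool ok = write(fd, data.data(), data.size()) == (ssize_t)data.size();
    if (ok && had_old && fstat(fd, &new_st) == 0) {
        mode_t mode = old_st.st_mode & 0777;    // drop setuid/setgid/sticky
        // If the old group cannot be kept, its bits would apply to another
        // group: clear them (assumed policy: never widen access).
        if (old_st.st_gid != new_st.st_gid &&
            fchown(fd, (uid_t)-1, old_st.st_gid) != 0)
            mode &= ~(mode_t)S_IRWXG;
        ok = fchmod(fd, mode) == 0;             // fchmod is not subject to umask
    }
    ok = ok && fsync(fd) == 0;
    ok = close(fd) == 0 && ok;
    if (ok && rename(tmp.c_str(), path.c_str()) == 0) return 0;
    unlink(tmp.c_str());
    return -1;
}

// Constructed demo: make tt.ics with mode `initial` in a fresh temp directory,
// save over it, and return the resulting permission bits (-1 on error).
int mode_after_save(mode_t initial) {
    char dir[] = "/tmp/ksave-demo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    std::string path = std::string(dir) + "/tt.ics";
    FILE *f = fopen(path.c_str(), "w");
    if (!f) return -1;
    fputs("old contents\n", f);
    fclose(f);
    struct stat st;
    bool ok = chmod(path.c_str(), initial) == 0 &&
              save_keeping_mode(path, "BEGIN:VCALENDAR\n") == 0 &&
              stat(path.c_str(), &st) == 0;
    unlink(path.c_str());
    rmdir(dir);
    return ok ? (int)(st.st_mode & 0777) : -1;
}
int main() { printf("%o\n", mode_after_save(0600)); return 0; }
```

When the target does not exist yet, the new file keeps the 0600 mode that mkstemp gave it.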