Review Request 129526: RFE: kwallet-pam should use XDG_RUNTIME_DIR instead of /tmp for the socketPath

Damjan Georgievski gdamjan at gmail.com
Sun Jan 8 17:47:11 UTC 2017



> On Jan. 8, 2017, 4:09 p.m., David Faure wrote:
> > pam_kwallet.c, line 422
> > <https://git.reviewboard.kde.org/r/129526/diff/1/?file=486385#file486385line422>
> >
> >     trailing spaces
> 
> Damjan Georgievski wrote:
>     > according to http://standards.freedesktop.org/basedir-spec/latest/, one is supposed to check permissions
>     
>     I don't see it in the specs, and it says: „The directory MUST be owned by the user, and he MUST be the only one having read and write access to it. Its Unix access mode MUST be 0700.“ - but it might be a sensible thing to check (although there are race conditions in checking and only trying to use it later).
>     
>     > trailing spaces
>     
>     ughh, what do I do now, "Update diff"?
> 
> David Faure wrote:
>     Yes, these "MUST" are exactly what I meant the code is supposed to check before using XDG_RUNTIME_DIR :)
>     
>     I'm confused by your reply, you say "I don't see it in the spec" and then you quote exactly what I am referring to.
>     
>     There is no race condition in checking for "I own it and it's 0700" before using, because this can only change if root intervenes, another user cannot do anything about a dir that he doesn't own and that is 0700. And if root is compromised, all is lost anyway ;)

> I'm confused by your reply, you say "I don't see it in the spec" and then you quote exactly what I am referring to.

huh, I might be mistaken, but the way I read it, the creator of $XDG_RUNTIME_DIR MUST do those things, otherwise it shouldn't set the environment variable.


- Damjan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/129526/#review101873
-----------------------------------------------------------


On Jan. 8, 2017, 4:59 p.m., Damjan Georgievski wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/129526/
> -----------------------------------------------------------
> 
> (Updated Jan. 8, 2017, 4:59 p.m.)
> 
> 
> Review request for KDE Frameworks.
> 
> 
> Bugs: 365722
>     https://bugs.kde.org/show_bug.cgi?id=365722
> 
> 
> Repository: kwallet-pam
> 
> 
> Description
> -------
> 
> Most recent Linux distributions set up a per-user XDG_RUNTIME_DIR as a tmpfs, which is also tied to their session lifecycle. Typically this is in /run/user/1000/.
> 
> My suggestion is to use $XDG_RUNTIME_DIR/kwallet5.socket if XDG_RUNTIME_DIR exists, or fall back to /tmp/kwallet5_${username}.socket if it doesn't.
> 
> Reproducible: Always
> 
> 
> Diffs
> -----
> 
>   pam_kwallet.c 809ab9a 
> 
> Diff: https://git.reviewboard.kde.org/r/129526/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Damjan Georgievski
> 
>
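
The check debated in this thread, as an added example that is not part of the e-mails or of kwallet-pam: XDG_RUNTIME_DIR is used only if it is a directory owned by the user with mode 0700, otherwise the /tmp fallback from the description is used. The function names, the rejection of relative paths and symlinks, and the '/' check on the username are assumptions of this example; in a PAM module the caller would pass the target user's uid rather than getuid().

```c
/* Added example, not kwallet-pam code; function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 1 if dir is an absolute path to a directory owned by uid with mode
 * exactly 0700 (the "MUST" conditions quoted in the thread), else 0. */
static int runtime_dir_ok(const char *dir, uid_t uid)
{
    struct stat st;
    if (dir == NULL || dir[0] != '/')   /* unset or relative: ignore it */
        return 0;
    if (lstat(dir, &st) != 0)           /* lstat: do not follow a symlink */
        return 0;
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid)
        return 0;
    return (st.st_mode & 07777) == 0700;
}

/* Fills out with the socket path. Returns 1 if XDG_RUNTIME_DIR was used,
 * 0 if the /tmp fallback was used, -1 if no usable path fits in out. */
static int choose_socket_path(const char *runtime_dir, const char *username,
                              uid_t uid, char *out, size_t outlen)
{
    int used = runtime_dir_ok(runtime_dir, uid);
    int n;
    if (!used && (username == NULL || strchr(username, '/')))
        return -1;      /* assumption: keep the fallback name inside /tmp */
    n = used
        ? snprintf(out, outlen, "%s/kwallet5.socket", runtime_dir)
        : snprintf(out, outlen, "/tmp/kwallet5_%s.socket", username);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return used;
}

int main(void)
{
    char path[sizeof(((struct sockaddr_un *)0)->sun_path)];
    int r = choose_socket_path(getenv("XDG_RUNTIME_DIR"), getenv("USER"),
                               getuid(), path, sizeof path);
    if (r >= 0)
        printf("%s (%s)\n", path, r ? "XDG_RUNTIME_DIR" : "/tmp fallback");
    return r < 0;
}
```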
