[okular] [Bug 473474] New: digitally signed document saved (_signed) doesn't respect ACL
Richard PALO
bugzilla_noreply at kde.org
Thu Aug 17 14:37:09 BST 2023
https://bugs.kde.org/show_bug.cgi?id=473474
Bug ID: 473474
Summary: digitally signed document saved (_signed) doesn't respect ACL
Classification: Applications
Product: okular
Version: 23.04.3
Platform: Archlinux
OS: Linux
Status: REPORTED
Severity: major
Priority: NOR
Component: PDF backend
Assignee: okular-devel at kde.org
Reporter: richard.palo at free.fr
Target Milestone: ---
SUMMARY
======================
On the following system:
Operating System: EndeavourOS
KDE Plasma Version: 5.27.7
KDE Frameworks Version: 5.108.0
Qt Version: 5.15.10
Kernel Version: 6.4.10-arch1-1 (64-bit)
Graphics Platform: X11
Processors: 12 × AMD Ryzen 5 5500U with Radeon Graphics
Memory: 30.7 Gio of RAM
Graphics Processor: AMD Radeon Graphics
Manufacturer: ASUSTeK COMPUTER INC.
Product Name: MINIPC PN51-E1
System Version: 0505
===================
$ paclog-pkglist |grep okular
okular 23.04.3-1
A serious protection problem arises with the output file after digitally
signing the document.
STEPS TO REPRODUCE
1. mkdir --mode=2770 /tmp/dir; chgrp users /tmp/dir; setfacl -dm g:users:rwx /tmp/dir
2. soffice --writer -- type some text, save to /tmp/dir/foo.odt then
export pdf to /tmp/dir/foo.pdf
3. okular /tmp/dir/foo.pdf -- sign the file with usb key (in my case
CertEurope eID User), save to /tmp/dir/foo_signed.pdf
OBSERVED RESULT
$ grep umask /etc/pam.d/system-login
session optional pam_umask.so debug usergroups umask=0077
$ umask
0007
$ mkdir --mode=2770 /tmp/dir; chgrp users /tmp/dir; setfacl -dm g:users:rwx /tmp/dir
$ cd /tmp
$ getfacl dir
# file: dir
# owner: richard
# group: users
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:users:rwx
default:mask::rwx
default:other::---
$ soffice --writer
$ getfacl dir/*
# file: dir/foo.odt
# owner: richard
# group: users
user::rw-
group::rwx #effective:rw-
group:users:rwx #effective:rw-
mask::rw-
other::---
# file: dir/foo.pdf
# owner: richard
# group: users
user::rw-
group::rwx #effective:rw-
group:users:rwx #effective:rw-
mask::rw-
other::---
$ okular dir/foo.pdf
Settings::instance called after the first use - ignoring
$ getfacl dir/*
# file: dir/foo.odt
# owner: richard
# group: users
user::rw-
group::rwx #effective:rw-
group:users:rwx #effective:rw-
mask::rw-
other::---
# file: dir/foo.pdf
# owner: richard
# group: users
user::rw-
group::rwx #effective:rw-
group:users:rwx #effective:rw-
mask::rw-
other::---
# file: dir/foo_signé.pdf
# owner: richard
# group: users
user::rw-
group::rwx #effective:---
group:users:rwx #effective:---
mask::---
other::---
EXPECTED RESULT
dir/foo_signed.pdf should have the same ACL as dir/foo.pdf
ADDITIONAL INFORMATION
Tried other programs such as pdfarranger, which seem to work fine.
This is a PITA on a shared system.
--
You are receiving this mail because:
You are the assignee for the bug.
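
The expected result above can be checked mechanically. The following is an added example, not part of the original report and not Okular code: it parses getfacl output, recomputes effective rights from mask::, and lists the entries where the signed file grants less than the source PDF. The function names are hypothetical; the sample text is copied from the report's getfacl output with the owner/group header lines omitted.

```python
# Added example, not Okular code. SAMPLE: getfacl entries copied from the report.
SAMPLE = """\
# file: dir/foo.pdf
user::rw-
group::rwx #effective:rw-
group:users:rwx #effective:rw-
mask::rw-
other::---
# file: dir/foo_signé.pdf
user::rw-
group::rwx #effective:---
group:users:rwx #effective:---
mask::---
other::---
"""

def parse_getfacl(text):
    """Return {path: {(tag, qualifier): perms}} for access ACL entries."""
    acls, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# file:"):
            current = acls.setdefault(line[7:].strip(), {})
        elif line and not line.startswith(("#", "default:")) and current is not None:
            # Drop the trailing "#effective:" comment and recompute it ourselves.
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            current[(tag, qualifier)] = perms
    return acls

def effective(acl):
    """Apply mask:: to named users, the owning group and named groups."""
    mask = acl.get(("mask", ""))
    result = {}
    for (tag, qualifier), perms in acl.items():
        if tag == "mask":
            continue
        masked = mask and (tag == "group" or (tag == "user" and qualifier))
        result[(tag, qualifier)] = (
            "".join(p if p == m else "-" for p, m in zip(perms, mask)) if masked else perms)
    return result

def lost_access(text, reference, target):
    """Entries whose effective rights on `target` differ from `reference`."""
    acls = parse_getfacl(text)
    ref, tgt = effective(acls[reference]), effective(acls[target])
    return {k: (ref[k], tgt.get(k, "---")) for k in ref if ref[k] != tgt.get(k, "---")}

if __name__ == "__main__":
    for entry, (want, got) in lost_access(SAMPLE, "dir/foo.pdf", "dir/foo_signé.pdf").items():
        print(":".join(entry), "expected", want, "got", got)
```

Run against the report's output, it flags group:: and group:users, both reduced from rw- to --- by the empty mask on the signed file.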