Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

If $HOME doesn't exist, don't create it with 0777 permissions #1145

Open
iamed2 opened this issue Feb 12, 2024 · 0 comments
Open

If $HOME doesn't exist, don't create it with 0777 permissions #1145

iamed2 opened this issue Feb 12, 2024 · 0 comments
Labels
security Pull requests that address a security vulnerability

Comments

@iamed2
Copy link

iamed2 commented Feb 12, 2024

Experienced during #1144

I recognize this is app_dirs2 defaults taking effect, but perhaps this is something where the defaults should be avoided or worked around (e.g. bail if app_dirs2::get_app_root returns a directory that doesn't exist). It is unexpected for a document generation program to create a globally-writeable home directory, which may silently reduce security by allowing any other program running as any user to manipulate the behaviour of programs running as the user that ran Tectonic.

Implementing #1144 would allow people to avoid this situation in other ways.
@CraftSpider CraftSpider added the security Pull requests that address a security vulnerability label Feb 12, 2024
@rm-dr rm-dr mentioned this issue Feb 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@iamed2 @CraftSpider