> On Jan. 8, 2017, 4:09 p.m., David Faure wrote:
> > pam_kwallet.c, line 422
> > <https://git.reviewboard.kde.org/r/129526/diff/1/?file=486385#file486385line422>
> >
> > trailing spaces
>
> Damjan Georgievski wrote:
> > according to http://standards.freedesktop.org/basedir-spec/latest/, one is supposed to check permissions
>
> I don't see it in the specs, and it says: „The directory MUST be owned by
> the user, and he MUST be the only one having read and write access to it. Its
> Unix access mode MUST be 0700.“ - but it might be a sensible thing to check
> (although there are race conditions in checking and only trying to use it
> later).
>
> > trailing spaces
>
> ughh, what do I do now, "Update diff"?

Yes, these "MUST" are exactly what I meant the code is supposed to check before using XDG_RUNTIME_DIR :)
I'm confused by your reply, you say "I don't see it in the spec" and then you quote exactly what I am referring to.

There is no race condition in checking for "I own it and it's 0700" before using, because this can only change if root intervenes, another user cannot do anything about a dir that he doesn't own and that is 0700. And if root is compromised, all is lost anyway ;)

- David

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/129526/#review101873
-----------------------------------------------------------

On Jan. 8, 2017, 4:59 p.m., Damjan Georgievski wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/129526/
> -----------------------------------------------------------
>
> (Updated Jan. 8, 2017, 4:59 p.m.)
>
>
> Review request for KDE Frameworks.
>
>
> Bugs: 365722
>     https://bugs.kde.org/show_bug.cgi?id=365722
>
>
> Repository: kwallet-pam
>
>
> Description
> -------
>
> Most recent Linux distributions set up a per-user XDG_RUNTIME_DIR as a tmpfs,
> which is also tied to their session lifecycle. Typically this is in
> /run/user/1000/.
>
> My suggestion is to use $XDG_RUNTIME_DIR/kwallet5.socket if XDG_RUNTIME_DIR
> exists, or fall back to /tmp/kwallet5_${username}.socket if it doesn't.
>
> Reproducible: Always
>
>
> Diffs
> -----
>
>   pam_kwallet.c 809ab9a
>
> Diff: https://git.reviewboard.kde.org/r/129526/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Damjan Georgievski
>
>