On Sun, 20 Aug 2017, at 10:35 AM, Tanu Kaskinen wrote: > On Fri, 2017-08-18 at 11:43 +0530, Arun Raghavan wrote: > > > > On Thu, 17 Aug 2017, at 10:54 PM, Tanu Kaskinen wrote: > > > It was reported that PulseAudio weakens the umask to 022 if it's > > > initially set to 077. That's not as big problem as it might seem, > > > but it's still a problem. The umask affects the permissions of the state > > > files, and those aren't readable by other users anyway in the per-user > > > mode, because PulseAudio puts them in directories that aren't > > > accessible to other users. In the system mode the state files will be > > > readable by everyone, though, even by those users that don't otherwise > > > have access to PulseAudio. The state files are slightly > > > privacy-sensitive, because they contain e.g. history of applications > > > that have used PulseAudio. > > > > > > I can't think of any use cases where access to the state files by other > > > users would be necessary, either in the per-user mode or in the system > > > mode, so let's use umask 077. This doesn't prevent access to any > > > sockets in the system mode, because all directories that PulseAudio > > > creates in the system mode will have permissions 755 regardless of the > > > umask, and the sockets themselves always have permissions 777. > > > > > > BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=102060 > > > --- > > > src/daemon/main.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/src/daemon/main.c b/src/daemon/main.c > > > index f35252d06..9d99b8fe2 100644 > > > --- a/src/daemon/main.c > > > +++ b/src/daemon/main.c > > > @@ -888,7 +888,7 @@ int main(int argc, char *argv[]) { > > > > > > pa_set_env_and_record("PULSE_INTERNAL", "1"); > > > pa_assert_se(chdir("/") == 0); > > > - umask(0022); > > > + umask(0077); > > > > > > #ifdef HAVE_SYS_RESOURCE_H > > > set_all_rlimits(conf); > > > -- > > > > Patch itself looks good to me. I suggest waiting a bit in case someone > > has a use-case we have missed, and also making a note of this change for > > the 12.0 release. > > Sure, I'll add the change to the release notes. But do you mean version > 11 or 12? In IRC you said "Sounds okay as something for 11.0 (umask 077 > always)". I don't mind either way. Let's punt to 12, please. I'd like to get 11 out as soon as we resolve the Intel LPE HDMI thing. -- Arun
