Bug 1321987

Summary: Clipboard history is *world* readable
Product: [Fedora] Fedora Reporter: Imran Hussain <imranh>
Component: clipitAssignee: Nikos Roussos <comzeradd>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 23CC: comzeradd
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-04 20:45:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Imran Hussain 2016-03-29 14:09:31 UTC 
Description of problem:
This clipboard manager stores history in a file in the users homedir, ~/.local/share/clipit/history however the permission on this file are defaulted to 644 (-rw-r--r--), which means anyone on the machine can read a users clipboard history.

If people are using password managers where it involves you copying a password temporarily then this causes a huge security risk.


How reproducible:
Steps to Reproduce:
1. dnf install -y clipit
2. Enable it and use it
3. Copy a password
4. Log in as another user
5. # strings ~foo/.local/share/clipit/history

Actual results:
Their clipboard history.

Expected results:
strings: /home/foo/.local/share/clipit/history: Permission denied


Additional info:
This is horrific in environments where there are multiple users.

Tested on: Fedora 22 and Fedora 23
Comment 1 Nikos Roussos 2016-03-29 14:28:20 UTC 
That's indeed not an hard thing to fix but on Fedora the user's home dir is created with permission that make it not readable by other users. So another user can't read /home/foo/.local/share/clipit/history because she already can't read /home/foo/