Description of problem:
"tracker" leaks information in several ways.

First, it is quite "verbose" in regards to what is logged in /var/log/messages to the point that file content lands there.
See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754907

Second, since "tracker" scans the user $HOME, if ~/Private is mounted (after login), the content is indexed, possibly leaked into /var/log/messages, and stored insecurely in the "tracker" DB.

Version-Release number of selected component (if applicable):
tracker-1.2.5-1.fc21.x86_64

How reproducible:
Always

Steps to Reproduce:
There are no steps, it just happens, since "tracker" is installed due to dependencies of "nautilus" and "brasero" (at least).

Actual results:
User private information is spread around into the logs.
User encrypted information (in ~/Private) is spread around and stored insecurely in the tracker DB.

Expected results:
"tracker" should *not* be installed per default.
Each software using tracker should do it optionally.
User should be informed of the risks of running tracker.
There should be a method to disable the tool. See bug #747689 for this.

Additional info:
*** This bug has been marked as a duplicate of bug 1148570 ***
Hi,

sorry, but this is only partially a duplicate of #1148570.

There are two issues here.
One, as in #1148570, that data from files spam the logs.
The second one is that "tracker" collects data from ~/Private, which should not be done.

AFAIK, correct me if I'm wrong, "tracker" scans files and fills a DB with information from those files.
The DB is somewhere in ~/.local/share/tracker/, which is *not* encrypted.
If "tracker" does its processing with data in ~/Private, then the purpose of having an encrypted folder is defeated.
Note that full disk encryption is not really possible in a multi-user system and it is not really user friendly to put the "tracker" DB in the encrypted folder.

So, "tracker" should *not* scan ~/Private, but, in general, it should not scan anything, unless the user *explicitly* asks for it. With all due warnings.

Unless, of course, I missed something about the tool.

Thanks,

bye,

pg
> So, "tracker" should *not* scan ~/Private, but, in general, it should not scan
> anything, unless the user *explicitly* asks for it. With all due warnings.

Where did you find this? I mean that it should *not*
Hi,

if someone puts something in ~/Private, which is encrypted, it means he/she does not want someone else to access the data by any means.
Of course, when the user is logged in, ~/Private is mounted and the data is accessible, but otherwise it is not.

If an indexer (like "tracker") scans ~/Private, collects information from there and then puts it in a DB which is not encrypted, then the data (or part of it, or meta-data) is available in plain text to others (if or when they can access the folder, of course).
This defeats the concept of having ~/Private in the first place.

In general, it can also be that a user does not want to have some folder or some files indexed.
So, logic suggests "tracker" should be opt in, not opt out.
More specifically, once enabled, it should request the user to specify what to scan.

Nevertheless, in this specific report, my concern is the fact that ~/Private can be not so private anymore, after "tracker" runs.

Does it answer your question?

Of course, again, maybe I miss something.

bye,

pg
I can't find info that tracker shouldn't scan ~/Private and can't find notes about this directory in XDG standards, so it's just an enhancement.
Hi,

sorry to disagree.

This is a security problem, the XDG standard is obviously wrong or missing some information (and it does not replace good common sense).
If you want, you could open a documentation bug report for XDG in order to enhance it properly.

The reason why we have ~/Private is to keep the data private, if an external tool hinders this, then the tool has a bug.

For example, being ~/Private a separate mount, it does not belong, as filesystem, to $HOME, hence there is no reason to scan it.
This, BTW, happens with backup tools (or it should, at least).

Finally, this is a serious issue, severity is "high" and priority "urgent", since it is security related.

Could you, please, change it back to proper levels?

Thanks,

bye,

pg
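The separate-mount argument in the comment above, as an added example that is not part of the original report and is not tracker's code: a crawler that compares each directory's device id with that of its start directory and refuses to cross into another filesystem, the way `find -xdev` or a one-file-system backup does. It assumes the encrypted directory is mounted as its own filesystem, as the comment states; the sample tree and the device id for `Private` are constructed.

```python
import os
import tempfile


def device_of(path):
    """Device id of the filesystem holding path (symlinks are not followed)."""
    return os.lstat(path).st_dev


def crawl_one_filesystem(root, device_of=device_of):
    """Return (files, skipped_mounts) for root without leaving root's filesystem."""
    root_dev = device_of(root)
    files, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        keep = []
        for name in sorted(dirnames):
            full = os.path.join(dirpath, name)
            if device_of(full) != root_dev:
                skipped.append(full)   # mount point: record it, do not descend
            else:
                keep.append(name)
        dirnames[:] = keep             # prune in place so os.walk skips them
        files.extend(os.path.join(dirpath, f) for f in sorted(filenames))
    return files, skipped


def demo():
    """Constructed home tree; the separate mount on Private is simulated."""
    with tempfile.TemporaryDirectory() as home:
        for rel in ("Documents/notes.txt", "Private/diary.txt"):
            path = os.path.join(home, rel)
            os.makedirs(os.path.dirname(path))
            open(path, "w").close()
        private = os.path.join(home, "Private")

        def fake_device_of(path):
            # Assumption for the demo: everything under Private is device 2.
            inside = path == private or path.startswith(private + os.sep)
            return 2 if inside else 1

        files, skipped = crawl_one_filesystem(home, fake_device_of)
        return ([os.path.relpath(f, home) for f in files],
                [os.path.relpath(s, home) for s in skipped])


if __name__ == "__main__":
    print(demo())
```

Called with the default `device_of` on a real home directory, the second list names every mount point that was left out of the crawl.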
(In reply to Piergiorgio Sartor from comment #6)
> Hi,
>
> sorry to disagree.
>
> This is a security problem, the XDG standard is obviously wrong or missing
> some information (and it does not replace good common sense).
> If you want, you could open a documentation bug report for XDG in order to
> enhance it properly.

Please report this bug to XDG, because I'm really not interested in this.

>
> The reason why we have ~/Private is to keep the data private, if an
> external tool hinders this, then the tool has a bug.

Who we? You?

>
> For example, being ~/Private a separate mount, it does not belong, as
> filesystem, to $HOME, hence there is no reason to scan it.
> This, BTW, happens with backup tools (or it should, at least).

This is OK, because there is no XDG note about this directory.

>
> Finally, this is a serious issue, severity is "high" and priority "urgent",
> since it is security related.
>
> Could you, please, change it back to proper levels?

NO.

>
> Thanks,
>
> bye,
>
> pg
(In reply to Igor Gnatenko from comment #7)
> (In reply to Piergiorgio Sartor from comment #6)
> > Hi,
> >
> > sorry to disagree.
> >
> > This is a security problem, the XDG standard is obviously wrong or missing
> > some information (and it does not replace good common sense).
> > If you want, you could open a documentation bug report for XDG in order to
> > enhance it properly.
> Please report this bug to XDG, because I'm really not interested in this.

The whole discussion here is not clear to me.
Are you the maintainer of "tracker" or somehow responsible for it?
Does it play a role, as maintainer, if you're interested or not?

What I understand, as "not interested", is that, for you, harassing the privacy of people is not a problem.
Or did I get it wrong?

> > The reason why we have ~/Private is to keep the data private, if an
> > external tool hinders this, then the tool has a bug.
> Who we? You?

Everybody, of course.
Why otherwise did someone develop ecryptfs and the whole ~/Private thing?

> > For example, being ~/Private a separate mount, it does not belong, as
> > filesystem, to $HOME, hence there is no reason to scan it.
> > This, BTW, happens with backup tools (or it should, at least).
> This is OK, because there is no XDG note about this directory.

That's not OK, this has nothing to do with what XDG says or not.
If the "tracker" would delete files, would it be OK if XDG docs do not say anything about it?
I guess not.

Anyway, I think this discussion will never end, I apologize for the waste of your time,

bye,

pg
https://bugzilla.gnome.org/show_bug.cgi?id=742760