Description of problem: This clipboard manager stores history in a file in the users homedir, ~/.local/share/clipit/history however the permission on this file are defaulted to 644 (-rw-r--r--), which means anyone on the machine can read a users clipboard history. If people are using password managers where it involves you copying a password temporarily then this causes a huge security risk. How reproducible: Steps to Reproduce: 1. dnf install -y clipit 2. Enable it and use it 3. Copy a password 4. Log in as another user 5. # strings ~foo/.local/share/clipit/history Actual results: Their clipboard history. Expected results: strings: /home/foo/.local/share/clipit/history: Permission denied Additional info: This is horrific in environments where there are multiple users. Tested on: Fedora 22 and Fedora 23
That's indeed not an hard thing to fix but on Fedora the user's home dir is created with permission that make it not readable by other users. So another user can't read /home/foo/.local/share/clipit/history because she already can't read /home/foo/