Bug 1321987 - Clipboard history is *world* readable
Summary: Clipboard history is *world* readable
Alias: None
Product: Fedora
Classification: Fedora
Component: clipit
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nikos Roussos
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2016-03-29 14:09 UTC by Imran Hussain
Modified: 2016-06-04 20:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-06-04 20:45:11 UTC
Type: Bug


Description Imran Hussain 2016-03-29 14:09:31 UTC
Description of problem:
This clipboard manager stores history in a file in the user's homedir, ~/.local/share/clipit/history; however, the permissions on this file are defaulted to 644 (-rw-r--r--), which means anyone on the machine can read a user's clipboard history.

If people are using password managers where it involves you copying a password temporarily then this causes a huge security risk.

How reproducible:
Steps to Reproduce:
1. dnf install -y clipit
2. Enable it and use it
3. Copy a password
4. Log in as another user
5. # strings ~foo/.local/share/clipit/history

Actual results:
Their clipboard history.

Expected results:
strings: /home/foo/.local/share/clipit/history: Permission denied

Additional info:
This is horrific in environments where there are multiple users.

Tested on: Fedora 22 and Fedora 23

Comment 1 Nikos Roussos 2016-03-29 14:28:20 UTC
That's indeed not a hard thing to fix, but on Fedora the user's home dir is created with permissions that make it not readable by other users. So another user can't read /home/foo/.local/share/clipit/history because she already can't read /home/foo/.
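
The report and the reply above depend on different permission bits: the mode of the history file (644) and the search permission on the directories above it, such as /home/foo. The following Python check is an added example, not code from the bug report or from clipit; it evaluates both for a given file. The names `other_access` and `demo` are hypothetical, the directory tree is constructed in a temporary location, and only mode bits are considered (no ACLs, SELinux or group membership).

```python
import os
import stat
import tempfile


def other_access(path, stop="/"):
    """Can a user who is neither owner nor in the group read `path`?

    Returns (True, None) or (False, blocker). Checks mode bits only
    (no ACLs, SELinux or group membership). Directories from the file
    up to, but not including, `stop` are checked.
    """
    path, stop = os.path.realpath(path), os.path.realpath(stop)
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False, path               # file itself lacks o+r
    d = os.path.dirname(path)
    while d != stop and d != os.path.dirname(d):
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False, d              # directory lacks o+x: no traversal
        d = os.path.dirname(d)
    return True, None


def demo():
    """Constructed tree standing in for /home/foo; returns three results."""
    with tempfile.TemporaryDirectory() as top:
        top = os.path.realpath(top)
        home = os.path.join(top, "home", "foo")
        hist = os.path.join(home, ".local", "share", "clipit", "history")
        os.makedirs(os.path.dirname(hist))
        d = os.path.dirname(hist)
        while d != top:                  # make every directory traversable
            os.chmod(d, 0o755)
            d = os.path.dirname(d)
        with open(hist, "w") as fh:
            fh.write("constructed clipboard entry\n")
        os.chmod(hist, 0o644)            # mode reported in the bug
        open_home = other_access(hist, top)
        os.chmod(home, 0o700)            # home dir closed to other users
        closed_home = other_access(hist, top)
        os.chmod(home, 0o755)
        os.chmod(hist, 0o600)            # owner-only file mode (assumed fix)
        private_file = other_access(hist, top)
    return open_home, closed_home, private_file


if __name__ == "__main__":
    for label, result in zip(("644 file, 755 home", "644 file, 700 home",
                              "600 file, 755 home"), demo()):
        print(label, "->", result)
```

With a 644 history file, exposure depends entirely on every parent directory denying traversal; an owner-only file mode keeps the history private even when the home directory has been opened up.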
