Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3289 to the following vulnerability:

The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3289
http://www.openwall.com/lists/oss-security/2009/09/08/8
https://bugzilla.gnome.org/show_bug.cgi?id=593406
https://bugs.launchpad.net/ubuntu/+source/glib2.0/+bug/418135
This issue does NOT affect the versions of the glib2 package, as shipped with Red Hat Enterprise Linux 3, 4, or 5.

This issue affects the versions of the glib2 package, as shipped with Fedora 10 and 11.

Please fix.
I think you mean glib2, not glib.
Trying in Fedora 14, this seems to be corrected. If you copy your own home folder (with 0700 perms) to /tmp, when the copy is complete, it has 0700 perms again. During the copy it has 0775 perms, but changes when the copying is done.

I believe this issue has been corrected upstream:

commit 48e0af0157f52ac12b904bd92540432a18b139c7
Author: Benjamin Otte <otte>
Date:   Tue Sep 1 21:26:08 2009 +0200

    Bug 593406 - Permissions set to 777 after copying via Nautilus

    Only fail to set the permissions when the actual file is a symlink.
    The previous fix failed for every file when NOFOLLOW_SYMLINKS was set.

Test on RHEL6 as well and the destination file/directory will have the same permissions as the source.
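Added example, not part of the original report and not glib's own code: a minimal C illustration of the flaw in the CVE text (a mode read from a symbolic link being applied with a call that follows the link) next to a check modelled on the rule in the upstream commit message. It assumes Linux, where lstat() reports mode 0777 for a symlink; the function names and the scratch directory are constructed for the illustration.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Apply the mode that lstat() reports for `path` back onto `path`.
 * skip_symlinks=0: unconditional chmod(), which follows symlinks (the flaw).
 * skip_symlinks=1: refuse when `path` is itself a symlink (hardened form). */
static int apply_own_mode(const char *path, int skip_symlinks)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (skip_symlinks && S_ISLNK(st.st_mode))
        return -1;                       /* never push a link's 0777 onward */
    return chmod(path, st.st_mode & 07777);
}

/* Create a private file (0600) and a symlink to it in a fresh scratch
 * directory, run apply_own_mode() on the link, return the file's mode. */
static int target_mode_after(int skip_symlinks)
{
    char dir[] = "/tmp/symmodeXXXXXX";   /* constructed scratch directory */
    char file[64], lnk[64];
    struct stat st;
    int mode = -1;
    if (!mkdtemp(dir))
        return -1;
    snprintf(file, sizeof file, "%s/private", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    FILE *f = fopen(file, "w");
    if (f) {
        fclose(f);
        if (chmod(file, 0600) == 0 && symlink(file, lnk) == 0) {
            apply_own_mode(lnk, skip_symlinks);
            if (stat(file, &st) == 0)
                mode = st.st_mode & 07777;
        }
    }
    unlink(lnk); unlink(file); rmdir(dir);
    return mode;
}

int main(void)
{
    printf("unconditional chmod: %04o\n", target_mode_after(0));
    printf("symlinks skipped:    %04o\n", target_mode_after(1));
    return 0;
}
```

A quick audit for this class of bug is to look for attribute-copy code that pairs an lstat()-style query with a chmod()-style setter on the same path.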