Bug 498648 (CVE-2009-1631) - CVE-2009-1631 evolution: insecure permissions on evolution mailbox folders
Summary: CVE-2009-1631 evolution: insecure permissions on evolution mailbox folders
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2009-1631
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-05-01 16:30 UTC by Vincent Danen
Modified: 2021-11-12 19:58 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-04 18:21:33 UTC
Embargoed:


Links
System          ID      Private  Priority  Status  Summary  Last Updated
GNOME Bugzilla  581604  0        None      None    None     Never

Description Vincent Danen 2009-05-01 16:30:23 UTC
A Debian bug report [1] brought to light the fact that Evolution does not
create its data files with appropriate permissions.  Because of this, if user A
on a system uses Evolution for email, user B can read any of user A's email.
The default permissions for ~/.evolution are 0755, and the default permissions
for Evolution data files are 0644 (although strangely enough the default
permissions for .index* files are 0600).

As well, by default in Fedora and RHEL5, a user's home directory has mode 0755 permissions. 

By contrast, Firefox creates ~/.mozilla/firefox as mode 0700, protecting user bookmarks and caches.

Evolution should probably create/enforce ~/.evolution being mode 0700.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526409

Comment 1 Jan Lieskovsky 2009-05-14 17:42:46 UTC
CVE-2009-1631:

The Mailer component in Evolution 2.26.1 and earlier uses
world-readable permissions for the .evolution directory, and certain
directories and files under .evolution/ related to local mail, which
allows local users to obtain sensitive information by reading these
files. 

Upstream report:
http://bugzilla.gnome.org/show_bug.cgi?id=581604

Comment 2 Matthew Barnes 2009-05-18 14:56:01 UTC
I'm not really convinced this is a security issue.  Once you open up your home directory to other users the game's over.  They can just as easily read personal financial spreadsheets or other sensitive data as they can my mail.

Comment 3 Vincent Danen 2009-05-19 16:55:00 UTC
Note that the defaults in RHEL5 and Fedora are to create home directories mode 0755, so this is an issue by default.  This isn't a user opening up their home directory; we create them opened up.

This probably wouldn't be an issue if home directories were mode 0700 by default and then the user had to relax permissions manually, but since we do this for them, I would consider it a security issue.

Comment 4 Vincent Danen 2009-05-26 17:59:53 UTC
Hmmm... I'm looking into this further and I may be mistaken, but I can't account for why some of my home directories are mode 0755 on various systems.  Taking a look at using useradd on RHEL3, 4, and 5 shows new users have home directories mode 0700 by default, and likewise on Fedora 11.  On a Fedora 10 install where the home directory was mode 0755, using useradd and also system-config-user to create a new user creates them with mode 0700 permissions.

So I agree with Matthew on this issue, it's not a security issue by default and if a user intentionally opens up their home directory, they should take care to chmod 700 ~/.evolution/ if they want to keep the data private.

This may make for a good enhancement for future Evolution packages or, better yet, something that upstream would take into account (since some files are protected while others are not).  Activity on the upstream bug report is non-existent.

Comment 6 Matthew Barnes 2009-05-26 20:19:50 UTC
(In reply to comment #4)
> This may make for a good enhancement for future Evolution packages or, better
> yet, something that upstream would take into account (since some files are
> protected while others are not).  Activity on the upstream bug report is
> non-existent.  

Certainly it's a valid bug.  We should be creating ~/.evolution with 0700 permissions.  Not sure if it's worth enforcing this for existing installs.

I'm an upstream maintainer, so I'll try to get this taken care of for the next upstream stable and development releases.

Comment 7 Vincent Danen 2009-05-26 22:02:59 UTC
Yeah, I think on Evolution's first run it would probably be enough to create ~/.evolution as 0700 and maybe do permission checks on startup or something to enforce it.  I don't believe it's necessary to drill down and set umasks or anything (as suggested in the Debian bug report).

And no, I agree that this may not be worth the effort for existing installs as a mode 0755 home directory should not be default.  At the very best this is a low impact issue, and we could possibly defer it for future inclusion in an Evolution update if upstream agrees this is the way to go.

Thanks, Matthew.

Comment 11 Vincent Danen 2009-12-04 18:21:33 UTC
Red Hat does not consider this to be a security issue.  By default, user home directories are created with mode 0700 permissions, which would not expose the ~/.evolution/ directory regardless of its own permissions.  If a user intentionally relaxes permissions on their home directory, they should be auditing all files and directories in order to not expose unwanted files to other local users.
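
The reasoning in comments 4 and 11, as an added example that is not part of the original bug report or of Evolution's code: a file is readable by another local user only if it has the other-read bit and every directory above it has the other-search bit. The function names and the file names Inbox and Inbox.index are assumptions made for illustration, and only plain mode bits are examined (no ACLs or group membership).

```python
import os
import stat
import tempfile

def other_can_traverse(directory, top="/"):
    """True if every directory from `top` down to `directory` has o+x."""
    cur, top = os.path.realpath(directory), os.path.realpath(top)
    while True:
        if not os.stat(cur).st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(cur)
        if cur == top or parent == cur:
            return True
        cur = parent

def exposed_files(data_dir, top="/"):
    """Regular files under `data_dir` that another local user could read.

    Search permission (x) on each directory is enough to open a file whose
    name is known, so directory read bits are not required.
    """
    if not other_can_traverse(data_dir, top):
        return []
    found = []
    for dirpath, dirnames, filenames in os.walk(data_dir):
        # Do not descend into subdirectories that 'other' cannot enter.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(os.path.relpath(path, data_dir))
    return sorted(found)

def build_demo_home(home_mode, evolution_mode=0o755):
    """Constructed tree with the modes reported in this bug (names are made up)."""
    home = os.path.join(tempfile.mkdtemp(), "userA")
    evo = os.path.join(home, ".evolution")
    local = os.path.join(evo, "mail", "local")
    os.makedirs(local)
    for d in (local, os.path.dirname(local)):
        os.chmod(d, 0o755)
    for name, mode in (("Inbox", 0o644), ("Inbox.index", 0o600)):
        path = os.path.join(local, name)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)
    os.chmod(evo, evolution_mode)
    os.chmod(home, home_mode)
    return home, evo
```

For a real audit, call `exposed_files(os.path.expanduser("~/.evolution"))` with the default `top="/"` so that the home directory and its parents are included in the check.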

