From: Arvin Schnell Date: Thu, 10 Aug 2023 07:23:17 +0000 (+0200) Subject: - relax access to info.xml files X-Git-Tag: v0.10.6~4^2~1 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=487bb0e9012c91f66ca5652c06e729f51faef585;p=thirdparty%2Fsnapper.git - relax access to info.xml files --- diff --git a/doc/permissions.txt b/doc/permissions.txt new file mode 100644 index 00000000..431659ad --- /dev/null +++ b/doc/permissions.txt @@ -0,0 +1,34 @@ + +Distinguish to modi operandi: + +With DBus: + +- Access to snapshot metadata (info.xml) and filelist is takes care of + by snapperd. + +Without DBus: + +- In general only works when snapper is run by root. + + +File and directory permissions: + +The .snapshots directory must be readable by those allowed to work +with the snapper config. This is required even though the DBus +interface is used since some operations (e.g. diff and undochange) are +always done by snapper (not snapperd). + +snapper creates .snapshots with access only allowed for root. + +snapper can setup ACLs for access for .snapshots. + + +Giving users access to work with a snapper config may allow them to +see directory and file content in areas they would otherwise not be +allowed to see. + + +info.xml may be readable by all. Only writeable by root. + +filelists may be readable by all. Only writeable by root. + diff --git a/package/snapper.changes b/package/snapper.changes index 0b1c6e84..efa81bf8 100644 --- a/package/snapper.changes +++ b/package/snapper.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Aug 10 09:20:42 CEST 2023 - aschnell@suse.com + +- relax access to info.xml files (gh#openSUSE/snapper#279) + ------------------------------------------------------------------- Fri Jul 14 14:05:56 CEST 2023 - aschnell@suse.com diff --git a/snapper/Snapshot.cc b/snapper/Snapshot.cc index d408e1f3..ec2be924 100644 --- a/snapper/Snapshot.cc +++ b/snapper/Snapshot.cc 
@@ -556,6 +556,8 @@ namespace snapper SN_THROW(IOErrorException(sformat("SDir::mktemp failed, errno:%d (%s)", errno, stringerror(errno).c_str()))); + fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + try { xml.save(fd);
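Review bot: In doc/permissions.txt the opening lines have two wording errors, "Distinguish to modi operandi" (should be "two") and "is takes care of" (should be "is taken care of"), and the closing statements are weaker than what the code now does. The text says info.xml "may be readable by all", while Snapshot.cc sets the mode unconditionally, so the doc should say that snapper creates info.xml with owner read/write and group/other read. The same sentence is written for filelists, but no code change for filelists is visible in this patch; either reference where that mode is set or drop the line until it is. It would also help to state explicitly that, since .snapshots is created with access for root only, the relaxed file mode only takes effect for users who have been granted access to the directory through the ACLs mentioned above.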
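Review bot: The return value of the added fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) call in snapper/Snapshot.cc is ignored, whereas the SDir::mktemp failure immediately above it throws an IOErrorException with errno. If fchmod fails, the file silently keeps the mode it was created with and the relaxed access this commit is meant to provide does not happen, with nothing logged. Suggest checking the result and either throwing in the same style as the mktemp case or at least logging the errno. A short comment next to the call explaining why the file is made readable by group and others (pointing at doc/permissions.txt) would also help, since widening permissions on a file written by root is something later readers will want justified at the call site.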