Bug 17306

Summary: world-readable history: ~/.recently-used.xbel
Product: ALT Linux Lite Reporter: Ivan Zakharyaschev <imz>
Component: securityAssignee: Anton V. Boyarshinov <boyarsh>
Status: NEW --- QA Contact: Andrey Cherepanov <cas>
Severity: normal    
Priority: P2    
Version: 4.0.2   
Hardware: all   
OS: Linux   
Bug Depends on:    
Bug Blocks: 17310    

Description Ivan Zakharyaschev 2008-09-24 00:46:59 MSD
evince-gtk-2.20.1-alt0.M40.5 from Lite 4.0.3

I consider the conventional policy towards history files is not to make them world-readable. (Example: ~/.bash_history is not world-readable.)

But the file ~/.recently-used.xbel which tracks evince's history is made world-readable:

$ l .recently-used.xbel 
-rw-r--r-- 1 imz imz 3984 Сен 23 23:15 .recently-used.xbel
$ 

Proof that it's evince's history:

$ head -30 .recently-used.xbel 
<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info"
>
  <bookmark href="file:///home/imz/Desktop/winDesktop/textBS.pdf" added="2008-08-07T00:07:20Z" modified="2008-08-07T00:25:42Z" visited="2008-08-07T00:07:20Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/pdf"/>
        <bookmark:applications>
          <bookmark:application name="Evince ― просмотр документов" exec="&apos;evince %u&apos;" timestamp="1218068742" count="2"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
  <bookmark href="file:///usr/share/doc/gutenprint-5.0.2/gutenprint-users-manual.pdf" added="2008-08-07T00:28:02Z" modified="2008-08-07T00:28:02Z" visited="2008-08-07T00:28:02Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/pdf"/>
        <bookmark:applications>
          <bookmark:application name="Evince ― просмотр документов" exec="&apos;evince %u&apos;" timestamp="1218068882" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
  <bookmark href="file:///home/imz/a.pdf" added="2008-08-07T00:35:14Z" modified="2008-09-23T19:15:29Z" visited="2008-08-07T00:35:14Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/pdf"/>
        <bookmark:applications>
$
Comment 1 Ivan Zakharyaschev 2008-09-24 03:12:27 MSD
I don't know who is responsible for writing to this file: not only evince, but also the calls of Gimp are stored in this file.
Comment 2 Ivan Zakharyaschev 2008-09-24 04:16:27 MSD
Reassigning since I don't know which package is responsible.