Bug 17309 - world-readable history: ~/.xmms/xmms.m3u
Summary: world-readable history: ~/.xmms/xmms.m3u
Status: CLOSED WONTFIX
Alias: None
Product: Branch 4.0
Classification: Distributions
Component: xmms
Version: 4.0
Hardware: all Linux
Importance: P2 normal
Assignee: Michael Shigorin
QA Contact: Q.A. 4.0
Blocks: 17310
Reported: 2008-09-24 01:34 MSD by Ivan Zakharyaschev
Modified: 2008-09-24 19:38 MSD

Description Ivan Zakharyaschev 2008-09-24 01:34:47 MSD
xmms-1.2.11-alt3 from Lite 4.0.3

I assume the conventional policy towards history files is not to make them world-readable. (Example: ~/.bash_history is not world-readable.)

But the file ~/.xine/xine-ui_old_playlist.tox which tracks the last played item is made world-readable:

$ l .xmms/xmms.m3u 
-rw-r--r-- 1 imz imz 119 Авг  2 20:26 .xmms/xmms.m3u
$ 

Proof that it stores bits of history:

$ cat .xmms/xmms.m3u 
#EXTM3U
#EXTINF:3,nature1
/home/imz/bugreports/ogg-xmms-crash/WIN/Documents and Settings/User/Ðàáî÷èé ñòîë/nature1.wav
$ 

Expected: it isn't world-readable. Good example: ~/.mc/history is not world-readable:

$ l .mc
итого 28
drwx------ 28 imz imz 4096 Сен 23 23:15 ../
drwxr-xr-x  3 imz imz 4096 Сен 23 22:56 ./
-rw-r--r--  1 imz imz  353 Сен 23 22:56 filepos
-rw-------  1 imz imz  521 Сен 23 22:56 history
-rw-r--r--  1 imz imz 3433 Сен 23 22:56 ini
-rw-r--r--  1 imz imz   35 Сен 23 22:56 Tree
drwx------  2 imz imz 4096 Авг  1 19:24 cedit/
$
Comment 1 Ivan Zakharyaschev 2008-09-24 01:42:06 MSD
The report should read:
 
But the file ~/.xmms/xmms.m3u which tracks the last played item is made world-readable.

Sorry for this cut-n-paste error!
Comment 2 Michael Shigorin 2008-09-24 19:37:59 MSD
It's not history, it's data.  As owner might treat that differently (and as $HOME is 0700 by default), I don't think it's worth bothering upstream rather than fixing it locally with chmod(1) -- feeling no real need for that myself.

Anyone concerned, please come with a patch. :)
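
The two positions in this thread (the file is 0644, but $HOME is 0700) can be checked together. The following is an added example, not part of the bug report or of xmms: it reports whether a file is actually reachable by other users by reading the file's o+r bit and the o+x bit of every ancestor directory. The function names `other_bits`, `exposure` and `audit` and the optional TOP argument are hypothetical, and ACLs and group permissions are not considered.

```shell
#!/bin/sh
# Added example (not from the bug report or from xmms).
# A file is reachable by "other" users only if it has o+r AND every
# ancestor directory has o+x. ACLs and group bits are ignored here.

# other_bits PATH: print the three "other" permission characters.
other_bits() {
    ls -ldL -- "$1" | cut -c8-10 | head -n 1
}

# exposure FILE [TOP]: print private, shielded or exposed.
# TOP (hypothetical parameter) is the highest ancestor to check; default /.
exposure() {
    _top=$(cd -- "${2:-/}" && pwd -P)
    case $(other_bits "$1") in
        r*) ;;
        *)  echo private; return 0 ;;   # file itself lacks o+r
    esac
    _dir=$(cd -- "$(dirname -- "$1")" && pwd -P)
    while :; do
        case $(other_bits "$_dir") in
            ??x|??t) ;;                 # o+x set (t = sticky bit plus x)
            *)  echo shielded; return 0 ;;  # e.g. $HOME is 0700
        esac
        if [ "$_dir" = "$_top" ] || [ "$_dir" = / ]; then
            break
        fi
        _dir=$(dirname -- "$_dir")
    done
    echo exposed
}

# audit FILE...: one status line per existing file, for example
#   audit ~/.xmms/xmms.m3u ~/.bash_history ~/.mc/history
audit() {
    for _f in "$@"; do
        if [ -e "$_f" ]; then
            printf '%-9s %s\n' "$(exposure "$_f")" "$_f"
        fi
    done
}
```

A result of `shielded` means the file mode alone would allow reading, so the file becomes exposed as soon as any ancestor directory is opened up.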