[Libreoffice-bugs] [Bug 122149] Libreoffice gives access to the same file (for other Users) with a different UID/GID in Servermode
bugzilla-daemon at bugs.documentfoundation.org
bugzilla-daemon at bugs.documentfoundation.org
Thu Aug 15 09:11:35 UTC 2019
https://bugs.documentfoundation.org/show_bug.cgi?id=122149
Thomas Arendsen Hein <thomas at intevation.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |UNCONFIRMED
Ever confirmed|1 |0
--- Comment #5 from Thomas Arendsen Hein <thomas at intevation.de> ---
These are instructions to reproduce the problem here on Debian stretch,
package versions are:
- libreoffice 1:5.2.7-1+deb9u9
- unoconv 0.7-1.1
1. user1 creates /home/user1/file.odt with text "test"
2. user2 creates /home/user2/file.odt with text "secret",
only readable for user2 (chmod 600 file.odt)
3. user2 runs (on the same machine):
cd /home/user1
unoconv file.odt
-> this fails with a uno.IOException, but keeps a process
named "soffice.bin" running, which listens on port 2002
4. user1 runs (on the same machine):
cd /home/user2
unoconv file.odt
-> this creates a world-readable /home/user2/file.pdf owned
by user2. This way user1 can read "secret" in the pdf!
@Usama: Yes, unoconv is not part of libreoffice, but until I read your comment
we thought it just starts libreoffice in a certain way, so the problem is
caused by libreoffice. But now I think it rather is a unoconv issue, despite
the process being named "soffice.bin".
Should we move this bug report to the unoconv project?
(and even if it is not directly a libreoffice problem, can you reproduce it
using my instructions? If yes, with which versions of libreoffice and unoconv?)
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20190815/54b590c8/attachment.html>
More information about the Libreoffice-bugs
mailing list