[Libreoffice-bugs] [Bug 122149] Libreoffice gives access to the same file (for other Users) with a different UID/GID in Servermode

bugzilla-daemon at bugs.documentfoundation.org
Mon Jan 7 05:35:29 UTC 2019


https://bugs.documentfoundation.org/show_bug.cgi?id=122149

--- Comment #1 from Nadi Sanli <darkangelofworld at gmail.com> ---
Here is a use case to understand the problem a little bit better:

There are two users: Max (who created the file) and Tom (who wants to change
the file).

Max was able to change the LO file into a PDF via server mode:

unoconv -c "socket,host=127.0.0.1,port=18888;urp;StarOffice.ComponentContext"
file.odt 
----

After this, Tom wants to overwrite the PDF, so he changed the rights to

-rw--w---- 1 nsanli nsanli 49689 Jan 18 15:00 file.odt

and was able to overwrite the old pdf with

"socket,host=127.0.0.1,port=18888;urp;StarOffice.ComponentContext"
/home/Max/file.odt

-----

And also after Tom has changed the rights to:

-rw------- 1 Max Max 49689 Jan 18 15:00 file.odt
-rw------- 1 Max Max 91699 Jan 18 15:06 file.pdf

Tom was able to overwrite both files, and the files are still owned by Max, who
hasn't touched them anymore.


So it's possible for Tom to make changes in Max's name, without Max
knowing that he made these changes.

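A defender-side check for the situation in the comment above, as an added example that is not part of the bug report or of LibreOffice: it parses a `/proc/net/tcp` snapshot and reports clients of the listener on port 18888 that run under a different UID than the process owning the listener. The snapshot is constructed; UID 1000 standing in for Max, UID 1001 for Tom, the assumption that the listener runs under Max's account, and all function names are assumptions of this example.

```python
import socket
import struct

LISTEN, ESTABLISHED = "0A", "01"  # TCP state codes used in /proc/net/tcp

# Constructed snapshot (not from the bug report). 0100007F:49C8 is 127.0.0.1:18888.
# Assumption: UID 1000 = Max (owns the listener), UID 1001 = Tom (connects to it).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:49C8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40101 1 0000000000000000 100 0 0 10 0
   1: 0100007F:49C8 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000  1000        0 40155 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:D2F0 0100007F:49C8 01 00000000:00000000 00:00000000 00000000  1001        0 40154 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:D2F2 0100007F:49C8 01 00000000:00000000 00:00000000 00000000  1000        0 40160 1 0000000000000000 20 4 30 10 -1
"""

def parse_addr(field):
    """Decode 'HEXIP:HEXPORT' (IPv4 as printed on a little-endian host)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def rows(text):
    """Yield (local, remote, state, uid) for every socket line after the header."""
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 8:
            yield parse_addr(f[1]), parse_addr(f[2]), f[3], int(f[7])

def cross_uid_clients(text, port):
    """Return (listener_uid, [(client_port, client_uid), ...]) for established
    connections to the listener on `port` whose client socket belongs to a
    different UID than the listener. Returns (None, []) if nothing listens."""
    table = list(rows(text))
    listener = next((r for r in table if r[2] == LISTEN and r[0][1] == port), None)
    if listener is None:
        return None, []
    (listen_ip, _), _, _, listen_uid = listener
    hits = [(local[1], uid) for local, remote, state, uid in table
            if state == ESTABLISHED and remote[1] == port
            and listen_ip in ("0.0.0.0", remote[0]) and uid != listen_uid]
    return listen_uid, hits

if __name__ == "__main__":
    owner, clients = cross_uid_clients(SAMPLE, 18888)
    for client_port, uid in clients:
        print(f"listener on 18888 runs as UID {owner}; "
              f"client on port {client_port} runs as UID {uid}")
```

On a live Linux host, pass the contents of `/proc/net/tcp` instead of `SAMPLE`; only client sockets on the same machine appear there, which matches the loopback listener in the report.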