487188 – /tmp/closeditems directory with fixed name used - problems with multiple users and potential security issues

Bug 487188 - /tmp/closeditems directory with fixed name used - problems with multiple users and potential security issues

Summary: /tmp/closeditems directory with fixed name used - problems with multiple user...

Status:	RESOLVED FIXED

Alias:	None

Product:	konqueror
Classification:	Applications
Component:	general (show other bugs)
Version:	Git
Platform:	Other Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Konqueror Developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-05-18 14:56 UTC by Jonathan Marten
Modified:	2024-05-26 07:59 UTC (History)
CC List:	0 users

See Also:
Latest Commit:	https://invent.kde.org/network/konqueror/-/commit/da583c03d85274586925dd3a9cd3e5c2a63affeb
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Jonathan Marten 2024-05-18 14:56:55 UTC

SUMMARY

Konqueror creates and uses a temporary directory "/tmp/closeditems" which appears to be used when closing Konqueror windows, although while Konqueror is running and after it has exited it contains only empty files.  However, using a directory with a fixed name in a world accessible directory causes two potential problems:

1.  The directory persists with the ownership of the user who first created it, with 755 permissions.  If another user uses the system without rebooting, either as a second user session or after the first user has logged out, they will not have permission to write into this directory and a message appears when they close any Konqueror window:

konqueror KConfigIniBackend::writeConfig: Couldn't create a new file: "/tmp/closeditems/_1.8" . Error: "Permission denied"

2.  Creating anything in /tmp with a predictable name opens up potential security problems via symlink attacks.

STEPS TO REPRODUCE
1.   Starting from a clean boot, log in as one user and use Konqueror.
2.   Log out, observe that the directory /tmp/closeditems has been created.
3.   Log in as a different user, use Konqueror again
4.   Observe the error log message as above when closing a window.

EXPECTED RESULT

Konqueror should create temporary files in either the user cache directory (QStandardPaths::CacheLocation), or in the /tmp directory using QTemporaryFile/QTemporaryDir for safety.

SOFTWARE/OS VERSIONS
KDE Plasma Version: 6.0.80
KDE Frameworks Version: 6.2.0
Qt Version: 6.7.0

Comment 1 Bug Janitor Service 2024-05-19 10:49:15 UTC

A possibly relevant merge request was started @ https://invent.kde.org/network/konqueror/-/merge_requests/331

Comment 2 Stefano Crocco 2024-05-26 07:59:34 UTC

Git commit da583c03d85274586925dd3a9cd3e5c2a63affeb by Stefano Crocco.
Committed on 26/05/2024 at 07:59.
Pushed by stefanocrocco into branch 'master'.

Fix and simplify KonqClosedWindowsManager class

Since there's only one Konqueror instance, regardless of the number of
windows, remove all the code used to synchronize closed windows information
between instances. Also, use a QTemporaryFile instead of files in
closditems directory to store temporary information about closed windows.

M  +0    -47   src/konqcloseditem.cpp
M  +0    -35   src/konqcloseditem.h
M  +11   -208  src/konqclosedwindowsmanager.cpp
M  +5    -38   src/konqclosedwindowsmanager.h
M  +1    -6    src/konqundomanager.cpp

https://invent.kde.org/network/konqueror/-/commit/da583c03d85274586925dd3a9cd3e5c2a63affeb