information leakage by kdecache when using encrypted home
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kde4libs (Ubuntu) | Confirmed | Low | Unassigned | | |
Bug Description
Binary package hint: kdebase
KDE uses several directories outside $HOME to store "temporary" files. This may unpleasantly surprise users who choose to encrypt their home directory (using ecryptfs) and expect their data to be protected.
According to http://
1. /var/tmp/
2. /tmp/kde-$USER/
3. /tmp/ksocket-$USER/
#1 is particularly problematic since /var/tmp is not cleaned upon reboot and stores HTTP cache, thumbnails of viewed images, etc. However, fixing it is quite easy: just set KDEVARTMP to $XDG_CACHE_HOME (or $HOME/.cache/ if $XDG_CACHE_HOME is unset). This probably is only needed for users who encrypt their home directories.
I don't know how #2 is used. It's empty on my system. Probably, leaving it as is is OK because it provides the same guarantees to the user as a standard /tmp (e.g. cleanup upon normal boot, but allowing external examination, e.g. from a live CD). At least if some decision is made regarding #2 it should expand to the whole /tmp, not just KDE's files.
#3 is probably safe since it should only contain named sockets.
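The workaround suggested in the description, as an added example (not code from the report or from KDE): it resolves the proposed KDEVARTMP target and refuses it when it lies outside $HOME, because an XDG_CACHE_HOME that points elsewhere would move the cache out of the encrypted directory again. The function names are hypothetical, and the snippet is assumed to be sourced by whatever script sets up the user's session environment.

```shell
#!/bin/sh
# Added example: keep KDE's persistent cache inside the (encrypted) home.
# KDEVARTMP and the XDG_CACHE_HOME fallback come from the bug description;
# the function names below are hypothetical.

# Print the directory the report proposes as the KDEVARTMP value.
kde_cache_base() {
    if [ -n "${XDG_CACHE_HOME:-}" ]; then
        printf '%s\n' "$XDG_CACHE_HOME"
    else
        printf '%s\n' "$HOME/.cache"
    fi
}

# Succeed if $1 is $HOME or lies below it. The comparison is lexical
# (symlinks are not resolved) and matches whole path components, so
# /home/alice2 is not treated as being under /home/alice.
is_under_home() {
    [ -n "${HOME:-}" ] || return 1
    case "${1%/}/" in
        "${HOME%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Export KDEVARTMP only when the target is inside $HOME.
# Otherwise leave the environment unchanged and return 1.
kde_use_private_vartmp() {
    dir=$(kde_cache_base)
    if ! is_under_home "$dir"; then
        echo "KDEVARTMP not set: $dir is outside \$HOME" >&2
        return 1
    fi
    # Create the directory with owner-only permissions if it is missing.
    ( umask 077; mkdir -p "$dir" ) || return 1
    KDEVARTMP=$dir
    export KDEVARTMP
}

# In the session startup script, after sourcing this file:
#   kde_use_private_vartmp
```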
visibility: | private → public |
Changed in kdebase (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → Low |
affects: | kdebase (Ubuntu) → kde4libs (Ubuntu) |
tags: | added: encriprion |
tags: | added: encription removed: encriprion |
Changed in kde4libs (Ubuntu): | |
status: | Triaged → Confirmed |
As of Kubuntu 13.10, this bug is still present