This repository has been archived by the owner on Jun 26, 2020. It is now read-only.

Set more restrictive permission on .nylas-mail #181

Closed
l2dy opened this issue Nov 29, 2017 · 5 comments
@l2dy
Contributor

l2dy commented Nov 29, 2017

On macOS, by default the $HOME/.nylas-mail directory has 755 permission, so other users can use sqlite3 ~victim/.nylas-mail/shared.sqlite and select * from accounts; to retrieve my credentials.

A CVE was assigned for a similar vulnerability in Telegram Desktop. Should I request a CVE for this issue?

@l2dy l2dy changed the title Set more restrictive permssion on .nylas-mail Set more restrictive permission on .nylas-mail Nov 29, 2017
@mikeseese
Contributor

I guess I'm not sure what the impact of filing a CVE is? Just to alert people of security issues? If so, then I think it would be applicable here.

@mikeseese
Contributor

For devs looking into this, Mailspring has the same issue: Foundry376/Mailspring#375. The dev probably could kill two birds with one stone by applying the fix to both repos.

nirmit added a commit to nirmit/nylas-mail that referenced this issue Dec 13, 2017
Fixes the directory permissions for the user directory to a more restrictive 700.

Fixes nylas-mail-lives#181
Source Foundry376/Mailspring/pull/418
mikeseese pushed a commit that referenced this issue Dec 14, 2017
Fixes the directory permissions for the user directory to a more restrictive 700.

Fixes #181
Source Foundry376/Mailspring/pull/418
@l2dy
Contributor Author

l2dy commented Dec 29, 2017

This issue was assigned CVE-2017-1000485.

@nirmit
Contributor

nirmit commented Jan 8, 2018

@l2dy - This is part of the alpha release 2.2.2-4alpha. Can you please help test it?

@l2dy
Contributor Author

l2dy commented Jan 9, 2018

> @l2dy - This is part of the alpha release 2.2.2-4alpha. Can you please help test it?

Thanks, the fix works on macOS.
