Set better permission on .TelegramDesktop (CVE-2016-10351) #2666

Closed
asarubbo opened this issue Nov 23, 2016 · 8 comments · Fixed by #3842

Comments

@asarubbo

Hello,

by default the .TelegramDesktop directory has 755:

drwxr-xr-x  4 ago  ago      4096 nov 23 14:30 .TelegramDesktop

I think it would be great to set it to 700 or 770.

While the main homedir has 755 (and it happens by default here), a local user can obtain the contents of .TelegramDesktop.

I did not investigate what a local user who obtains those files can eventually steal.
Thanks.

@auchri
Contributor

auchri commented Nov 23, 2016

Use the template next time.

@auchri auchri added the linux label Nov 23, 2016
@stek29
Collaborator

stek29 commented Nov 23, 2016

@asarubbo I guess it can steal the authentication unless you have a local password enabled.

@asarubbo
Author

Yes, if you copy the entire directory, when you run Telegram you will already be authenticated.

Is there a security label to set here?

@telegramdesktop telegramdesktop locked and limited conversation to collaborators Jan 2, 2017
@telegramdesktop telegramdesktop unlocked this conversation Jun 7, 2017
@auchri auchri changed the title set better permission on .TelegramDesktop Set better permission on .TelegramDesktop (CVE-2016-10351) Jun 7, 2017
@auchri auchri added the bug label Jun 7, 2017
@asarubbo
Author

asarubbo commented Jun 9, 2017

Update:

Now I have 1.1.7 and the folder .TelegramDesktop disappeared, but:

ago@wanheda ~ $ find . -type d -iname "*telegram*"
./.local/share/TelegramDesktop
ago@wanheda ~ $ ls -la ./.local/share/TelegramDesktop
total 73728
drwxr-xr-x  4 ago ago     4096 giu  9 08:53 .
ago@wanheda ~ $ su test
Password:
test@wanheda ~ $ ls -la /home/ago/.local/share/TelegramDesktop/
total 73728
drwxr-xr-x  4 ago ago     4096 giu  9 08:53 .
drwxr-xr-x 34 ago ago     4096 giu  7 10:13 ..
drwxr-xr-x  2 ago ago     4096 mag 27 18:04 fontconfig
-rw-r--r--  1 ago ago     4030 giu  9 09:15 log.txt
drwxr-xr-x  5 ago ago     4096 giu  9 08:53 tdata
-rwxr-xr-x  1 ago ago 75282056 mag 16 16:55 Telegram
-rwxr-xr-x  1 ago ago   190881 mag 16 16:55 Updater

@stek29
Collaborator

stek29 commented Jun 9, 2017

@asarubbo If you start Telegram as user test and copy .local/share/TelegramDesktop to ~test would you be logged in?

@asarubbo
Author

asarubbo commented Jun 9, 2017

of course...

@xuzhao9

xuzhao9 commented Aug 7, 2017

Any progress on this issue? Can we just solve this problem by setting the permission to 700?
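
The exposure discussed in this thread, as an added example that is not part of the original issue or the project's code: a POSIX shell check that reports whether a Telegram Desktop data directory (the two paths shown above) is reachable by other local users, and tightens it to 700 when `FIX=1` is set. The function names, verdict strings and the `FIX` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Telegram Desktop code. Ancestors are checked for the
# "other" search bit only; ACLs and group membership are not inspected.

# Octal permission bits of a path, e.g. 755 (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# True when group and other have no bits set on the path itself (e.g. 700).
is_private() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 077 )) -eq 0 ]
}

# True when every ancestor of the path grants "other" search permission (o+x),
# the precondition the reporter describes as "the main homedir has 755".
ancestors_open() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        m=$(mode_of "$p") || return 2
        [ $(( 0$m & 001 )) -ne 0 ] || return 1
    done
    return 0
}

# Print one verdict line for a directory; with FIX=1, chmod it to 700 first.
audit() {
    if [ ! -d "$1" ]; then echo "absent $1"; return 0; fi
    if [ "${FIX:-0}" = 1 ]; then chmod 700 "$1"; fi
    if is_private "$1"; then
        echo "private $(mode_of "$1") $1"
    elif ancestors_open "$1"; then
        echo "EXPOSED $(mode_of "$1") $1"
    else
        # Directory mode is loose, but a parent blocks other users today.
        echo "shielded-by-parent $(mode_of "$1") $1"
    fi
}

# Usage: sh audit.sh ~/.TelegramDesktop ~/.local/share/TelegramDesktop
for d in "$@"; do audit "$d"; done
```

A `shielded-by-parent` result still deserves the 700 fix, since the protection disappears as soon as the parent's mode is loosened.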

@github-actions

github-actions bot commented Mar 8, 2021

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 8, 2021