New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set better permission on .TelegramDesktop (CVE-2016-10351) #2666
Comments
|
Use the template next time. |
|
@asarubbo I guess it can steal the authentication unless you have a local password enabled. |
|
Yes, if you copy the entire directory, when you will run telegram you will be already authenticated. Is there a security label to set here? |
|
Update: Now I have 1.1.7 and the folder .TelegramDesktop disappeared, but: |
|
@asarubbo If you start Telegram as user test and copy |
|
of course... |
|
Any progress on this issue? Can we just solve this problem by setting the permission to 700? |
|
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Hello,
by default the .TelegramDesktop directory has 755:
I think would be great set it to 700 or 770.
While the main homedir has 755 (and it happens by default here), a local user can obtain the contents of .TelegramDesktop.
I did not investigate what a local user which obtain those files can eventually steal.
Thanks.
The text was updated successfully, but these errors were encountered: