[Bug 1211374] AUDIT-WHITELIST: deepin-app-services: new dbus services of deepin-app-services

https://bugzilla.suse.com/show_bug.cgi?id=1211374
https://bugzilla.suse.com/show_bug.cgi?id=1211374#c15

--- Comment #15 from Matthias Gerstner <matthias.gerstner@suse.com> ---

Sorry to warm this up again, but looking into the D-Bus API once more, I see
that it _still_ allows opening arbitrary JSON files. This still works through
the `appid` argument:

    gdbus call -y -d org.desktopspec.ConfigManager -o / \
        -m org.desktopspec.ConfigManager.acquireManager \
        /../../../../../../../var/lib/nobody myfile myfile

This results in the following strace calls in the daemon:

    [pid  3856] access("/usr/share/dsg/configs//../../../../../../../var/lib/nobody/myfile.json", F_OK) = 0
    [pid  3856] openat(AT_FDCWD, "/usr/share/dsg/configs//../../../../../../../var/lib/nobody/myfile.json", O_RDONLY|O_CLOEXEC) = 8

Apart from this I wonder why the daemon user's home directory is
world-readable:

    $ ls -lhd /var/lib/dde-dconfig-daemon
    drwxr-xr-x 6 dde-dconfig-daemon dde-dconfig-daemon 4.0K May  2 11:45 /var/lib/dde-dconfig-daemon

Also the home directory contains the skeleton entries:

    $ find /var/lib/dde-dconfig-daemon
    dde-dconfig-daemon/
    dde-dconfig-daemon/.bashrc
    dde-dconfig-daemon/.local
    dde-dconfig-daemon/.local/share
    dde-dconfig-daemon/.local/share/fonts
    dde-dconfig-daemon/.local/bin
    dde-dconfig-daemon/.local/state
    dde-dconfig-daemon/bin
    dde-dconfig-daemon/.emacs
    dde-dconfig-daemon/.bash_history
    dde-dconfig-daemon/.config
    dde-dconfig-daemon/.profile
    dde-dconfig-daemon/.inputrc
    dde-dconfig-daemon/.i18n
    dde-dconfig-daemon/.xim.template
    dde-dconfig-daemon/.cache
    dde-dconfig-daemon/.cache/deepin
    dde-dconfig-daemon/.cache/deepin/dde-dconfig-daemon
    dde-dconfig-daemon/.cache/deepin/dde-dconfig-daemon/dde-dconfig-daemon.log

I'm not sure how that happens, but it is unclean. This is a service user that
should not have these skeleton files or any other regular home directory data.
The ".cache" directory has mode 0700 at least, so the log file found in there
won't be world-readable.
Please address the remaining D-Bus issue; also have a look into
acquireManagerV2 to check whether it contains any such problems. Also have a
look into the home directory curiosity, to see if it can be improved.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
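The traversal reported above comes down to how the daemon joins the caller-supplied `appid` and file name onto its config root. The following is an added illustration, not deepin-app-services code: `naiveConfigPath` reproduces the concatenation that yields exactly the string seen in the strace output, and `configPathFor` is a hypothetical hardened replacement that rejects any D-Bus argument that is not a single plain path component and, as a second line of defence, verifies that the normalized result still lies under the config root. The root directory `/usr/share/dsg/configs` and the `.json` suffix are taken from the strace lines; the function names and the `org.deepin.demo` app id used for the positive case are assumptions made for the example.

```cpp
// Added example (not project code): why the appid argument escapes the config
// root, and one way to reject such input before touching the filesystem.
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

namespace fs = std::filesystem;

// Taken from the strace output in the bug report.
constexpr std::string_view kConfigRoot = "/usr/share/dsg/configs";

// The joining the daemon appears to do: root + "/" + appid + "/" + name + ".json".
// With appid = "/../../../../../../../var/lib/nobody" this produces the exact
// path observed in the strace lines, including the doubled slash.
std::string naiveConfigPath(std::string_view appid, std::string_view name,
                            std::string_view root = kConfigRoot) {
    return std::string(root) + "/" + std::string(appid) + "/" + std::string(name) + ".json";
}

// Where the naive path actually ends up after the kernel resolves the ".." components.
std::string resolvedNaiveTarget(std::string_view appid, std::string_view name,
                                std::string_view root = kConfigRoot) {
    return fs::path(naiveConfigPath(appid, name, root)).lexically_normal().string();
}

// A D-Bus-supplied component must be a bare name: non-empty, no '/', no NUL,
// and not one of the special entries "." or "..".
bool isPlainComponent(std::string_view s) {
    if (s.empty() || s == "." || s == "..") return false;
    if (s.find('/') != std::string_view::npos) return false;
    if (s.find('\0') != std::string_view::npos) return false;
    return true;
}

// Hypothetical hardened lookup: validate both components, then confirm the
// normalized path is still prefixed by the config root. Returns nullopt on rejection.
std::optional<std::string> configPathFor(std::string_view appid, std::string_view name,
                                         std::string_view root = kConfigRoot) {
    if (!isPlainComponent(appid) || !isPlainComponent(name)) return std::nullopt;

    fs::path candidate = (fs::path(std::string(root)) / std::string(appid)
                          / (std::string(name) + ".json")).lexically_normal();
    fs::path rootNorm = fs::path(std::string(root)).lexically_normal();

    // Component-wise prefix check; a plain string prefix test would accept
    // "/usr/share/dsg/configs-evil/x.json", so compare path elements instead.
    auto cit = candidate.begin();
    for (auto rit = rootNorm.begin(); rit != rootNorm.end(); ++rit, ++cit) {
        if (cit == candidate.end() || *cit != *rit) return std::nullopt;
    }
    return candidate.string();
}

int main() {
    const std::string_view evilAppId = "/../../../../../../../var/lib/nobody";
    std::cout << "naive:    " << naiveConfigPath(evilAppId, "myfile") << '\n'
              << "resolves: " << resolvedNaiveTarget(evilAppId, "myfile") << '\n';
    auto rejected = configPathFor(evilAppId, "myfile");
    std::cout << "hardened: " << (rejected ? *rejected : "rejected") << '\n';
    auto ok = configPathFor("org.deepin.demo", "myfile");
    std::cout << "hardened: " << (ok ? *ok : "rejected") << '\n';
    return 0;
}
```

The component check alone is what stops the reported case; the prefix check is there so that a future change to how the path is assembled (a different separator, an extra subdirectory argument such as the one in acquireManagerV2) cannot quietly reopen the hole.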