From daf36ba2afab407c488c456952eecba16f79020e Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Thu, 8 Jun 2017 10:24:48 -0400
Subject: [PATCH] dir: Ensure ~/.local/share/flatpak is 0700
This goes into a big old topic about Unix homedir permissions; it's not uncommon for general purpose OS vendors to have homedirs be 0755. In that case, applications need to ensure confidentiality for data requiring it (classically e.g. `~/.ssh`) by making the dirs `0700`. While most of the data in the flatpak per-user dir probably isn't confidential (debatably) we have a different issue; if container content includes suid or world-writable files/dirs, then having that data accessible to other users is obviously problematic. We're going to fix flatpak/ostree to not create files with those modes to begin with, but this simple fix closes off the attack route for the per-user directory. A different fix will be necessary for the system-wide repo. See: https://github.com/flatpak/flatpak/pull/837
---
 common/flatpak-dir.c | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 85b432dd..959e64b1 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -1347,7 +1347,44 @@ flatpak_dir_ensure_path (FlatpakDir *self,
 GCancellable *cancellable,
 GError **error)
 {
- return flatpak_mkdir_p (self->basedir, cancellable, error);
+ /* In the system case, we use default perms */
+ if (!self->user)
+ return flatpak_mkdir_p (self->basedir, cancellable, error);
+ else
+ {
+ /* First make the parent */
+ g_autoptr(GFile) parent = g_file_get_parent (self->basedir);
+ if (!flatpak_mkdir_p (parent, cancellable, error))
+ return FALSE;
+ glnx_fd_close int parent_dfd = -1;
+ if (!glnx_opendirat (AT_FDCWD, flatpak_file_get_path_cached (parent), TRUE,
+ &parent_dfd, error))
+ return FALSE;
+ g_autofree char *name = g_file_get_basename (self->basedir);
+ /* Use 0700 in the user case to neuter any suid or world-writable
+ * bits that happen to be in content; see
+ https://github.com/flatpak/flatpak/pull/837
+ */
+ if (mkdirat (parent_dfd, name, 0700) < 0)
+ {
+ if (errno == EEXIST)
+ {
+ /* And fix up any existing installs that had too-wide perms */
+ struct stat stbuf;
+ if (fstatat (parent_dfd, name, &stbuf, 0) < 0)
+ return glnx_throw_errno_prefix (error, "fstatat");
+ if (stbuf.st_mode & S_IXOTH)
+ {
+ if (fchmodat (parent_dfd, name, 0700, 0) < 0)
+ return glnx_throw_errno_prefix (error, "fchmodat");
+ }
+ }
+ else
+ return glnx_throw_errno_prefix (error, "mkdirat");
+ }
+
+ return TRUE;
+ }
 }
 
 /* Warning: This is not threadsafe, don't use in libflatpak */
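Review bot: The EEXIST fix-up only tightens an existing directory when `S_IXOTH` is set, so a pre-existing `0750` or `0770` directory (a umask of 027 yields 0750 from the old `flatpak_mkdir_p` path) keeps group traversal, and the suid/world-writable exposure described in the commit message remains for every member of the user's primary group. Testing for any group or other bits, `if (stbuf.st_mode & (S_IRWXG | S_IRWXO))`, makes the condition match the 0700 intent stated in the comment above `mkdirat`. The same branch never confirms that the existing entry is a directory; adding `if (!S_ISDIR (stbuf.st_mode)) return glnx_throw (error, "%s is not a directory", name);` after the `fstatat` call would report a stray file at that path here rather than as a less useful failure later. The function's return type and first parameter line precede the hunk header, and the chmod is only performed in the `self->user` case, as the commit intends.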