Screenshot should not use /tmp/out.png (denial of service)
schauveau opened this issue · 1 comments
In the current screenshot portal implementation the image file is hard-coded to /tmp/out.png
This is problematic for multiple reasons:
First, the file is created with the default permissions rw-r--r-- and so is readable by all users. It should be set to rw-------
Second, if /tmp/out.png already exists and is owned by another user then it can not be removed (because of the sticky flag of /tmp) and so the screenshot portal fails. Simply speaking, denial of service can be achieved by other users with a simple touch /tmp/out.png or by 'forgetting' to delete the screenshot file after use.
Unfortunately, the portal documentation https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Screenshot.html does not explicitly states that the screenshot client is responsible for deleting the file after use so it can be argued whether each screenshot filenames should be unique. Imho, the fact that xdg-desktop-portal is exporting the file to containers using the flag DOCUMENT_FLAG_DELETABLE is a good hit that the client is expected to remove the file after use and so should have a unique name.
To conclude, the file should be created with permissions rw------- and its name should be something like /tmp/wlr-screenshot-$UID.png or /tmp/wlr-screenshot-$UID-XXXXXX.png where XXXXXX is randomized (as in man 3 mktemp).