~/.Spark directory can be world writable and readable on linux


Spark keeps it configuration in the directory ~/.Spark. This directory and all of it’'s subdirectories are created with permission (777 & ~umask) and all of the files are permission (666 & ~umask). For most people their umask is set to 022 or 027. All the files in ~/.Spark are potentially readable including spark.properties which includes the users accounts and encrypted passwd, and the directories user//{contacts, vcards, transcripts, downloads}.

If the users umask allows writing by others then ~/.Spark/plugins will be writable which will allow malicious plugins to be installed without the knowledge of the user.

Spark should at least create ~/.Spark with pemission 700 and preferebly all files in ~/.Spark should use a umask of 077.

As a work around for right now I have added

umask 077

to the Spark shell scripts.