- relax access to info.xml files

doc/permissions.txt

@@ -0,0 +1,34 @@
+
+Distinguish to modi operandi:
+
+With DBus:
+
+- Access to snapshot metadata (info.xml) and filelist is takes care of
+  by snapperd.
+
+Without DBus:
+
+- In general only works when snapper is run by root.
+
+
+File and directory permissions:
+
+The .snapshots directory must be readable by those allowed to work
+with the snapper config. This is required even though the DBus
+interface is used since some operations (e.g. diff and undochange) are
+always done by snapper (not snapperd).
+
+snapper creates .snapshots with access only allowed for root.
+
+snapper can setup ACLs for access for .snapshots.
+
+
+Giving users access to work with a snapper config may allow them to
+see directory and file content in areas they would otherwise not be
+allowed to see.
+
+
+info.xml may be readable by all. Only writeable by root.
+
+filelists may be readable by all. Only writeable by root.
+

package/snapper.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Aug 10 09:20:42 CEST 2023 - aschnell@suse.com
+
+- relax access to info.xml files (gh#openSUSE/snapper#279)
+
 -------------------------------------------------------------------
 Fri Jul 14 14:05:56 CEST 2023 - aschnell@suse.com
 

snapper/Snapshot.cc

@@ -556,6 +556,8 @@ namespace snapper
 	    SN_THROW(IOErrorException(sformat("SDir::mktemp failed, errno:%d (%s)", errno,
 					      stringerror(errno).c_str())));
 
+	fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+
 	try
 	{
 	    xml.save(fd);