Make the root directory of the persistence non-world-readable
Originally created by @intrigeri on #7465 (Redmine)
Things like #7443 (closed) would not be an issue if /live/persistence/TailsData_unlocked/ had e.g. permissions 0770. What prevents us from doing this?

The dotfiles feature, however, requires the amnesia user to at least have x access to this directory, which we could grant via ACLs. Apart from that, the persistent directories are bind-mounted to places that this user can read.
Related issues
- Related to #7443 (closed)
- Related to #14508
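
The following is an added example, not part of the original issue or of Tails' own code: a small Python model of the access check described in acl(5), run over constructed getfacl-style output for the setup proposed above (mode 0770 plus a traverse-only ACL entry for amnesia). The root:root ownership and the user name `otheruser` are assumptions made for illustration.

```python
# Constructed sample: getfacl-style output for the proposed permissions.
# Owner and group (root:root) are assumptions; the issue does not state them.
SAMPLE_ACL = """\
# file: live/persistence/TailsData_unlocked
# owner: root
# group: root
user::rwx
user:amnesia:--x
group::rwx
mask::rwx
other::---
"""

def parse_acl(text):
    """Return (owner, group, entries); entries are (tag, qualifier, perm set)."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            # Only the first three characters are permission bits (rwx or -).
            entries.append((tag, qualifier, set(perms[:3].replace("-", ""))))
    return owner, group, entries

def access_allowed(acl_text, user, groups, want):
    """acl(5) access check for `want` (e.g. "x"); root's bypass is not modelled."""
    owner, group, entries = parse_acl(acl_text)
    want = set(want)
    mask = next((p for t, q, p in entries if t == "mask"), set("rwx"))
    if user == owner:                       # owner entry is never masked
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:                 # named user entry, limited by mask
        if t == "user" and q == user:
            return want <= (p & mask)
    matching = [p for t, q, p in entries    # owning group and named groups
                if t == "group" and (q in groups or (q == "" and group in groups))]
    if matching:
        return any(want <= (p & mask) for p in matching)
    return want <= next(p for t, q, p in entries if t == "other")
```

Because the named-user entry is matched before the group and other classes, amnesia can traverse the directory to reach known paths but cannot list its contents, while accounts with no matching entry fall through to `other::---`.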