dconf update can set incorrect permissions to dconf system db
My understanding is that the desired permissions of dconf system dbs under /etc/dconf/db/ are:
-rw-r--r--. 1 root root
I find that dconf update will only generate these desired permissions if the root account has a umask of 022. This is an assumption which is not always true.
Here are the permissions resulting from a few simple tests:
(umask 027 && dconf update)
generates files with permissions -rw-r-----. 1 root root 104 Oct 3 17:06 local
Non-root users cannot access the system db.
(umask 000 && dconf update)
generates files with permissions -rw-rw-rw-. 1 root root 104 Oct 3 17:07 local
Everybody has write access to the system db.
I would suggest that this behaviour is a bug and that dconf update should not rely on the caller's umask but should instead set directly the system db permissions to -rw-r--r--
The tests were carried out on a Fedora 36 workstation with all users having a umask of 027.
I should also point out that dconf update sets incorrect SELinux contexts of unconfined_u:object_r:etc_t:s0. It should be system_u:object_r:etc_t:s0.
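A workaround sketch for the behaviour reported above, added here as an example and not part of the original report or of dconf itself: it runs dconf update under an explicit umask of 022 and then audits the resulting database files. The path /etc/dconf/db and the mode 0644 come from the report; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. /etc/dconf/db and mode 0644 come from the report;
# the function names are hypothetical.
DB_DIR=${DB_DIR:-/etc/dconf/db}

# List database files (regular files directly under the db directory)
# whose mode is anything other than 0644. The *.d key-file directories
# are skipped by -type f.
nonstandard_dconf_dbs() {
    find "${1:-$DB_DIR}" -maxdepth 1 -type f ! -perm 0644 -print
}

# Force every database file to 0644, whatever umask created it.
fix_dconf_db_modes() {
    find "${1:-$DB_DIR}" -maxdepth 1 -type f ! -perm 0644 -exec chmod 0644 {} +
}

# Run dconf update in a subshell with umask 022 so the caller's umask
# is not inherited, then verify the result instead of trusting it.
dconf_update_checked() {
    ( umask 022 && dconf update ) || return 1
    bad=$(nonstandard_dconf_dbs "$DB_DIR")
    if [ -n "$bad" ]; then
        printf 'unexpected mode on:\n%s\n' "$bad" >&2
        return 1
    fi
}
```

This covers only the file mode; the SELinux context mentioned in the report is not changed by it.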