Created attachment 46255 [details] [review]
We currently create it with 0755 permissions, which is wrong. The spec clearly says "If, when attempting to write a file, the destination directory is non-existant an attempt should be made to create it with permission 0700."
I'm wondering if we should fix the permissions for existing account. The spec mentions "If the destination directory exists already the permissions should not be changed.", but I'm afraid that many apps might be doing the same mistake so it might be worth just forcing this? Especially as some apps put passwords in XDG_CONFIG_HOME. Same thing for XDG_DATA_HOME, for which we could also fix the permissions at the same time...
I applied the patch, and will be doing a release with it.
I'm not sure we should be modifying the permissions though...