Intuitively, the global list, stored at /etc/qubes/always-open-in-disp.vm, should only be editable by the root user.
This presents a problem, however: even though we can read the file as our normal user, we cannot place an inotify watch on it, as this requires write permission.
So the solution is to place more lax permissions on the global rules list. Doing so is not actually a concern, as the local rules list is similarly editable by the user (so that they can mark folders as untrusted), and if you can edit the local rules list, the ability to edit the global rules list gives you no further power (and the change will be reset after the VM is powered off anyway).
Thus, when we create the rules lists in default templates, give them at least 666/rw- permissions.
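As an added example (not code from the original issue or from the Qubes project), the following POSIX shell functions create a rules list with the 666 mode discussed above and verify that the owner, group and other bits all carry rw, so the file is readable and watchable by the unprivileged user. The `RULES_ROOT` staging directory and the function names are assumptions made for the example; in a real template the global list lives at `/etc/qubes/always-open-in-disp.vm` as the text states.

```shell
#!/bin/sh
# Added example: create and verify rules lists with the permissions the
# text above calls for. Assumed: files are staged under RULES_ROOT (a
# temporary directory by default) rather than written straight to /etc.
set -e

RULES_ROOT="${RULES_ROOT:-$(mktemp -d)}"

# Create an (empty) rules list with mode 666 so that any user can read it
# and register an inotify watch on it, as the text requires.
create_rules_list() {
    path="$1"
    mkdir -p "$(dirname "$path")"
    # The umask would otherwise strip the group/other write bits from a
    # freshly created file, so set the mode explicitly after creation.
    : > "$path"
    chmod 666 "$path"
}

# Print the octal mode of a file, e.g. 666 (GNU/busybox stat syntax).
file_mode() {
    stat -c '%a' "$1"
}

# Succeed only if owner, group and other each have both r and w, i.e. the
# mode is 666 or more permissive. setuid/setgid/sticky digits are ignored.
check_rules_list_mode() {
    mode=$(file_mode "$1")
    mode=${mode#${mode%???}}   # keep only the last three digits
    u=${mode%??}
    rest=${mode#?}
    g=${rest%?}
    o=${rest#?}
    for d in "$u" "$g" "$o"; do
        # rw is bit value 6 (4 read + 2 write) within each digit
        [ $(( $d & 6 )) -eq 6 ] || return 1
    done
    return 0
}

# Stage both lists the way a default template would and report their modes.
stage_rules_lists() {
    create_rules_list "$RULES_ROOT/etc/qubes/always-open-in-disp.vm"
    create_rules_list "$RULES_ROOT/home/user/.config/always-open-in-disp.vm"
    for f in "$RULES_ROOT/etc/qubes/always-open-in-disp.vm" \
             "$RULES_ROOT/home/user/.config/always-open-in-disp.vm"; do
        check_rules_list_mode "$f" && printf '%s %s ok\n' "$(file_mode "$f")" "$f"
    done
}
```

Run `stage_rules_lists` to create both files under the staging root; `check_rules_list_mode` returns non-zero for a list that was left at the default 644, which is the case that breaks the user's inotify watch per the text above.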