According to
https://wiki.debian.org/FreedomBox/Backups#radicale:
radicale
- Data: /var/lib/radicale/
* Format: Collections per user
* Ownership: radicale:radicale
* Permissions: 755 for directories, 644 for files
But on my system:
$ ls -ld /var/lib/radicale
drwxr-x--- 3 radicale radicale 4096 Mar 26 10:08 /var/lib/radicale
$ ls -l /var/lib/radicale/
drwxrwxrwx 3 radicale radicale 4096 Mar 26 10:08 collections
$ ls -l /var/lib/radicale/collections/
drwxrwxrwx 2 radicale radicale 4096 Mar 26 10:13 znoteer
$ ls -l /var/lib/radicale/collections/znoteer
-rw-rw-rw- 1 radicale radicale 20 Mar 26 10:08 ag_personnel.ics.props
-rw-rw-rw- 1 radicale radicale 54 Mar 26 10:13 caldav.props
I noticed this on a fresh install of Debian stable on which I immediately installed freedombox-setup, and then immediately installed Radicale, while trying to restore Radicale data saved from the dying SD card of my previous Freedombox.
None of my directories are 755 and neither of the data files are 644. The data files are surprisingly read/write by anyone. When I installed radicale I set it to keep all calendars readable and writable by their owners only.
Should I be concerned by the permissions on my system?
This is Debian stable installed on a sheevaplug following the instructions at cyrius.com