Ubuntu 18.04.1 and below: Information disclosure through world readable by default home directory permissions

Bug #1790377 reported by Bugfinder
This bug report is a duplicate of: Bug #48734: Home permissions too open.
This bug affects 1 person
Affects: shadow (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

1) Ubuntu 18.04.1
2) package passwd 4.5-1ubuntu1 (shadow)
3) Expected default home directory permissions of 0700 (no one should be able to read anyone else's files - probably required by European GDPR and others).

4) Home directory permissions of the first created user (potential root via sudo) on fresh Ubuntu 18.04.1 installation are 0755 (world read and executable).

useradd -m NEWUSER also creates home directories with 0755 permissions (rx by world).

Creating a new User via GUI also creates home directories with 0755 permissions (rx by world).

The GUI unfortunately creates Documents, Music, Videos, ... with world readable permissions too (on another OS I have seen insecure home directory permissions too, but there at least the subfolders did not have world readable permissions).

Thus every local user can read files created by other local users (security type "Loss of Privacy"). That there are other ways to read non-encrypted files is no excuse for such open permissions.

If, for example, this were a web server and Apache were badly configured, it could be used to remotely read confidential information without valid credentials too (increases risk and exploitability).

Bugfinder (sysadmin-htl-leonding) wrote :

It seems that I had viewed another bug report and Launchpad ignored the chosen shadow package.

affects: d-conf (Ubuntu) → shadow (Ubuntu)
Bugfinder (sysadmin-htl-leonding) wrote :

I have now tested that UMASK in /etc/login.defs controls the home directory creation umask (but unfortunately possibly other umasks too).

Maybe there should be a separate UMASK value used only for home directory creation, which should have a more secure default (077), especially for the first created user.

Bugfinder (sysadmin-htl-leonding) wrote :

Sorry that I hadn't noticed your home folder policy as stated in https://wiki.ubuntu.com/SecurityTeam/Policies

GUI respects /etc/adduser.conf setting.

useradd doesn't (useradd != adduser, I know).

In my opinion home folders shouldn't be world readable (why does GUI create a public folder in one's home directory if everybody can read everything?).

On macOS subfolders like Documents, Music, ... aren't world readable (and in my opinion the entire home folder shouldn't be world readable, there should be a separate public folder somewhere outside of the home folder if someone really wants to use it).

Bugfinder (sysadmin-htl-leonding) wrote :

As other OSes safeguard non-public folders, GDPR requires "privacy as default", and security issues in server software could raise public information disclosure problems using the current default settings, I think you should reconsider your policy again.

Alex Murray (alexmurray)
information type: Private Security → Public Security
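
The checks discussed in this report, as an added example that is not part of the bug report or of any Ubuntu tooling: it reads UMASK from a login.defs-style file, computes the mode a home directory created under that umask receives, and lists existing home directories that grant any access to other users. It assumes GNU stat (coreutils) and homes located directly under /home; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU stat (coreutils).

# Print the UMASK value from a login.defs-style file.
# Commented-out entries are ignored; the last active entry wins.
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { if (v != "") print v }' "$1"
}

# Mode a newly created directory receives under a given umask:
# 0777 with the umask bits cleared (022 gives 755, 077 gives 700).
umask_to_dirmode() {
    printf '%03o\n' "$(( 0777 & ~0$1 ))"
}

# Print "MODE PATH" for every directory directly under BASE whose
# "other" permission digit is non-zero (readable, writable or
# searchable by all local users). Symlinks are skipped.
audit_homes() (
    base=${1:-/home}
    for d in "$base"/*/; do
        d=${d%/}
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        mode=$(stat -c '%a' "$d")
        case $mode in
            *0) ;;                                  # no access for others
            *)  printf '%s %s\n' "$mode" "$d" ;;
        esac
    done
)

# Report for the running system (read-only; changes nothing).
defs=/etc/login.defs
if [ -r "$defs" ]; then
    u=$(login_defs_umask "$defs")
    if [ -n "$u" ]; then
        echo "UMASK $u in $defs: useradd -m creates homes with mode $(umask_to_dirmode "$u")"
    fi
fi
audit_homes /home
```

Each directory it lists can be tightened with `chmod 0700` (or `0750` when group access is wanted); the script itself only reports.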