Home folder permissions

Bug #136743 reported by Carroarmato0 on 2007-09-02
This bug report is a duplicate of:  Bug #48734: Home permissions too open. Edit Remove
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Ubuntu
Wishlist
Unassigned

Bug Description

When installing a fresh installation of Ubuntu, the permissions for the home folder of the users are set to be accessed by anyone. In other words they are able to browse through your folders. This might be arguably a privacy or security issue. No other users should be able to view the users folders unless the user himself makes it so.

A workaround for this is by manually setting the home folders permissions to deny every action by others users. Only the user himself should have full access and actions while the users in his same group may have access to the files.

***UPDATE*** as of 11 August 2008

The situation is as following: by default, your "Home" folder is accessible by both "members" and "others".
The main idea is that you have a special folder called "Public" which is used for data sharing between other users on the same system.

Your "Desktop" folder does have the right permissions. But for people like me who like to keep a clear desktop, I move my folders directly in my account folder where the "Desktop" and "Public" folder lies. These folders however do not have the appropriate permissions set, and are (depending on previous assigned permissions) readable or worse.

You might think that it's not a big deal because the files aren't executable. Ever heard of spying? Sensible data can't be executed, but read. So I believe it's very important to inform people about that. I had to figure that out the hard way.

If it's not a physical user who sniffs around your stuff, it could be a virus that got lucky and hijacked an account with half administrative rights.

The gravity of the situation depends entirely on what kind of files are exposed (secret document.... friends phone numbers....secret girl friend pictures.... ) and their permissions.

This issue can be solved quite easily by..... I don't know..... make a dialogue box pop-up informing the users who want to store their files directly into their "Home" folder, that they need to pay close attention to their file's permissions, even if they are the only users of their system.

This could also affect Ubuntus derivatives.

Kees Cook (kees) wrote :

Hi! Thanks for your bug report. This is intentional in Ubuntu. We want to make it easy for users to share files and interact on the system. Privacy and security critical files should already have their permission bits managed by their associated applications.

Carroarmato0 (carroarmato0) wrote :

Update bug report (after a year, and now with more valid arguments :) )

description: updated
flaccid (chris-xhost) wrote :

Something like this as default:

~ should be 750
~/Public should be 755
~/Private should be the encrypted folder (optional)

(all owed by `whoami`)

I wouldn't want to see any quirks instead of secure default permission on ~

description: updated
Carroarmato0 (carroarmato0) wrote :

It seems that this blogger also noticed this potential privacy bug: http://www.admin-faq.cn/to-protect-files-between-users-in-ubuntu

Kees Cook (kees) wrote :

I'm closing this bug as "won't fix". The default for home directory permissions is intentional. To change this default, adjust /etc/adduser.conf's DIR_MODE setting.

JeSTeR7 (cblocker) wrote :

I cannot possibly imagine why this would intentionally be left as-is. If Ubuntu is to be taken seriously as a multiuser desktop OS, making the home folder private should be a high priority.

Carroarmato0 (carroarmato0) wrote :

Thankyou Kees Cook for the wiki link.

Luke Faraone (lfaraone) on 2010-03-14
security vulnerability: yes → no
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers