Activity log for bug #136743

Date Who What changed Old value New value Message
2007-09-02 10:52:53 Carroarmato0 bug added bug
2007-09-04 16:20:45 Kees Cook None: importance Undecided Wishlist
2007-09-04 16:20:45 Kees Cook None: assignee keescook
2007-09-04 16:20:45 Kees Cook None: status New Won't Fix
2008-08-11 13:52:20 Carroarmato0 description
Old value: When installing a fresh installation of Ubuntu, the permissions for the home folder of the users are set to be accessed by anyone. In other words, they are able to browse through your folders. This might arguably be a privacy or security issue. No other users should be able to view the user's folders unless the user himself makes it so. A workaround for this is by manually setting the home folder's permissions to deny every action by other users. Only the user himself should have full access and actions while the users in his same group may have access to the files.
New value: When installing a fresh installation of Ubuntu, the permissions for the home folder of the users are set to be accessed by anyone. In other words, they are able to browse through your folders. This might arguably be a privacy or security issue. No other users should be able to view the user's folders unless the user himself makes it so. A workaround for this is by manually setting the home folder's permissions to deny every action by other users. Only the user himself should have full access and actions while the users in his same group may have access to the files.
***UPDATE*** as of 11 August 2008: The situation is as follows: by default, your "Home" folder is accessible by both "members" and "others". The main idea is that you have a special folder called "Public" which is used for data sharing between other users on the same system. Your "Desktop" folder does have the right permissions. But for people like me who like to keep a clear desktop, I move my folders directly in my account folder where the "Desktop" and "Public" folders lie. These folders however do not have the appropriate permissions set, and are (depending on previously assigned permissions) readable or worse. You might think that it's not a big deal because the files aren't executable. Ever heard of spying? Sensitive data can't be executed, but read. So I believe it's very important to inform people about that. I had to figure that out the hard way. If it's not a physical user who sniffs around your stuff, it could be a virus that got lucky and hijacked an account with half administrative rights. The gravity of the situation depends entirely on what kind of files are exposed (secret documents... friends' phone numbers... secret girlfriend pictures...) and their permissions. This issue can be solved quite easily by... I don't know... make a dialogue box pop up informing the users who want to store their files directly into their "Home" folder, that they need to pay close attention to their files' permissions, even if they are the only users of their system.
2008-08-11 13:52:20 Carroarmato0 name carroarmato0
2008-08-11 13:56:15 Carroarmato0 None: status Won't Fix Incomplete
2008-08-11 14:02:43 Carroarmato0 description
New value: When installing a fresh installation of Ubuntu, the permissions for the home folder of the users are set to be accessed by anyone. In other words, they are able to browse through your folders. This might arguably be a privacy or security issue. No other users should be able to view the user's folders unless the user himself makes it so. A workaround for this is by manually setting the home folder's permissions to deny every action by other users. Only the user himself should have full access and actions while the users in his same group may have access to the files.
***UPDATE*** as of 11 August 2008: The situation is as follows: by default, your "Home" folder is accessible by both "members" and "others". The main idea is that you have a special folder called "Public" which is used for data sharing between other users on the same system. Your "Desktop" folder does have the right permissions. But for people like me who like to keep a clear desktop, I move my folders directly in my account folder where the "Desktop" and "Public" folders lie. These folders however do not have the appropriate permissions set, and are (depending on previously assigned permissions) readable or worse. You might think that it's not a big deal because the files aren't executable. Ever heard of spying? Sensitive data can't be executed, but read. So I believe it's very important to inform people about that. I had to figure that out the hard way. If it's not a physical user who sniffs around your stuff, it could be a virus that got lucky and hijacked an account with half administrative rights. The gravity of the situation depends entirely on what kind of files are exposed (secret documents... friends' phone numbers... secret girlfriend pictures...) and their permissions. This issue can be solved quite easily by... I don't know... make a dialogue box pop up informing the users who want to store their files directly into their "Home" folder, that they need to pay close attention to their files' permissions, even if they are the only users of their system. This could also affect Ubuntu's derivatives.
2008-08-14 19:47:35 Carroarmato0 None: status Incomplete Confirmed
2008-09-09 23:51:56 Kees Cook None: status Confirmed Won't Fix
2008-09-09 23:51:56 Kees Cook None: statusexplanation I'm closing this bug as "won't fix". The default for home directory permissions is intentional. To change this default, adjust /etc/adduser.conf's DIR_MODE setting.
2009-03-12 18:20:56 Kees Cook None: assignee kees
2009-03-12 18:20:56 Kees Cook None: statusexplanation I'm closing this bug as "won't fix". The default for home directory permissions is intentional. To change this default, adjust /etc/adduser.conf's DIR_MODE setting. https://wiki.ubuntu.com/DebuggingSecurity#Permissive%20Home%20Directory%20Permissions
2009-05-15 16:36:46 Julian Alarcon marked as duplicate 48734
2010-03-14 18:26:48 Luke Faraone security vulnerability yes no