Ubuntu
adduser package

Default permissions(0755 / umask=0022) allow other users to access files behind a password protected user account after login

Bug #1829624 reported by Chris Rainey on 2019-05-18

This bug report is a duplicate of: Bug #48734: Home permissions too open. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	adduser (Ubuntu)	New	Undecided	Unassigned

Bug Description

By default, Ubuntu Desktop installs new user accounts(adduser or GUI) with "other=r-x" or "0755" permissions.

This defeats the, at least casual, protections afforded by having separate and password protected login accounts from other users on the local system. Users migrating from other platforms(Windows or macOS) have an expectation of privacy in their accounts due to Windows and macOS, for example, having protections on their $HOME dirs to prevent the casual snooping or otherwise more mischievous actions of other $USER's on the local system.

With the largest potential pool of migrations being from one of the above alternative operating systems, the Ubuntu(Linux for Humans) desktop installer and adduser.conf file should honor that expectation or at least make it an "Opt-Out" instead of an "Opt-In" requirement.

What is the point, other than the FSF Hierarchy, for having a "Public"(0755) folder in each $USER $HOME, if any other user can (r)ead or (x)traverse the entire $HOME by default?

If any of my customers discover this on older systems that I have installed or if I forget to set the $HOME DIR_MODE=0750 as a custom edit in the /etc/adduser.conf file on all new installs--it could greatly jeopardize my security reputation and that of Ubuntu's!

Use cases for 0755 on Ubuntu Server are not my concern, just Desktop.

Additionally, I routinely disable the "boot to USB" or other devices in the BIOS and passwd protect those settings from tampering with an Admin passwd in said BIOS. Very few PC's in the last decade lack this level of BIOS configurability.

I also install all new Ubuntu Desktop's using LUKS+LVM for the entire local disk(s) system.

ProblemType: Bug
DistroRelease: Ubuntu 19.04
Package: adduser 3.118ubuntu1
ProcVersionSignature: Ubuntu 5.0.0-15.16-generic 5.0.6
Uname: Linux 5.0.0-15-generic x86_64
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
Date: Sat May 18 12:45:38 2019
InstallationDate: Installed on 2018-11-23 (175 days ago)
InstallationMedia: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: adduser
UpgradeStatus: Upgraded to disco on 2019-04-20 (28 days ago)

See original description

Tags:

Revision history for this message

Chris Rainey (ckrzen) wrote on 2019-05-18:

Dependencies.txt Edit (1.3 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.3 KiB, text/plain; charset="utf-8")

description:

updated

Chris Rainey (ckrzen) on 2019-05-18

description:

updated

Chris Rainey (ckrzen) on 2019-05-20

information type:

Private Security → Public

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #48734 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuadduser package