Home permissions too open

Bug #48734 reported by DanielT on 2006-06-06
120
This bug affects 20 people
Affects Status Importance Assigned to Milestone
Ubuntu RTM
Undecided
Unassigned
adduser (Ubuntu)
Medium
Unassigned
Nominated for Karmic by wreckedcarzz
Nominated for Lucid by wreckedcarzz

Bug Description

Binary package hint: debian-installer

On a fresh dapper install i noticed that the file permissons for the home directory for the user created by the installer is set to 755, giving read access to everyone on the system.

Surely this is a bad idea? If your set on the idea can we atleast have a option during the boot proccess?

Also new files that are created via the console ('touch' etc.) are done so with '644' permissons, is there anything that can be done here? nautlius seems to create files at '600', which is a better setting.

Colin Watson (cjwatson) wrote :

This is done by adduser, actually, not by any installer component. In expert mode I believe you should get a prompt about it.

However, I do maintain that the default is correct. On most multi-user systems, there is some level of cooperation (if not trust) among the users - they'll be members of the same family, or friends, or co-workers, or whatever - and it is useful for them to be able to share files reasonably conveniently (e-mail is an awful solution to this). It's easier to create a private directory for the things you don't want to be public than it is to figure out how to open up your home directory so that just a few things can be read. (I use quite a lot of multi-user Unix systems on a regular basis, both at work and among my family and friends, and it's far more common for me to want things accessible to other users than it is for me to want them to be inaccessible.)

There are certainly systems where this is not appropriate (large multi-user systems where you pay for a shell account), but they are generally run by competent system administrators who know how to lock things down.

For permissions on new files created by touch et al, set 'umask 077' in your shell startup files if you want them to be mode 600 by default.

Changed in debian-installer:
status: Unconfirmed → Rejected
Colin Watson (cjwatson) wrote :

By the way, to change the default for new users on an existing system, change DIR_MODE in /etc/adduser.conf.

kko (kko) wrote :

Thank you for the very clear explanation of Ubuntu's policy on the home directory permissions issue.

A special thanks for the DIR_MODE -tip - every day you learn something new. ;-)

unggnu (unggnu) wrote :

Why not ask in the installer while the password and user name is set if the directory should be readable or not? One line with a checkbox and an explanation would be enough. After installation the gnome user manager should ask the same question if a new user is added. Everyone who uses console tools will know what to do I guess so there is no priority for it.
I guess the only point of discussion is the default configuration. For me there is no problem if it is enabled per default when there is a configuration line in the installer/user configuration.

unggnu (unggnu) wrote :

Another interesting point is that Ubuntu has a guest session which works great but interestingly the user from which the guest session is initiated returns with a locked screen which seems to be a security feature. But it is still possible for the guest to access most of the data in the home user directory because of this bug except of some ssh and gpg things.

I really think that it is better to just create a shared folder which is shown on the desktop and places instead of opening the home directory wide. This also wouldn't need installer interaction and should be easily understandable because Windows practices this at least since XP.

unggnu (unggnu) wrote :

Maybe it wasn't clear.
A non expert Ubuntu user has tested the guest mode and find out that his screen is locked afterwards and he could come to the impression that this is safe. Especially since he heart Linux is much more secure than Windows and so on.
So if he has to leave he just switch to guest mode to let a friend, sister, flat share or whoever use his computer in his absence thinking that his personal stuff is safe.
So with this default configuration everything depends on the permission setting of each app. Firefox seems to set restrictive permissions but many other apps not. And even if the settings are safe the standard Ubuntu directories for pictures, documents and so on aren't.

If there really is a need for sharing files between users a standard shared folder would work around the problem.
Btw. every experienced user knows how to change the home directory to make it less restrictive so it wouldn't bother them but it would be more secure for every one.

"On most multi-user systems, there is some level of cooperation (if not trust) among the users - they'll be members of the same family, or friends, or co-workers, or whatever"

I don't think you can rightly make that assumption. Even if it is true in most cases, it is better for people to opt in to sharing files than to have to opt out of it.

"and it is useful for them to be able to share files reasonably conveniently (e-mail is an awful solution to this). It's easier to create a private directory for the things you don't want to be public than it is to figure out how to open up your home directory so that just a few things can be read."

How about just creating a shared directory, then?

644 is pretty useless for sharing (for example, if I want to share a music collection with my whole family, they cannot right to my music collection, and I cannot write to theirs, so we would have to do a lot of duplicate checking or have only one person add songs, which would be ridiculously cumbersome).

/home/username would be 600 by default

/home/shared would be 660 or 666 by default

What's wrong with that scenario?

I'm afraid we'll have to agree to disagree on this one. I firmly believe
that if people have to opt in to being able to share files with each
other then they simply won't do it, or will use absurd,
expensive-for-the-Internet workarounds (like e-mailing files to each
other). Most people don't lock their desks up by default either, only if
they have a clear reason to do so. The knob is there for people to tweak
and I honestly am not interested in discussing it beyond that at the
level of the installer. I recommend opening a separate bug to make it
easier to configure this sort of thing at the desktop level.

Somebody should probably also open a separate bug to have the apparmor
configuration for the guest session a bit stricter.

unggnu (unggnu) wrote :

A simple shared folder with an link on every user desktop would make everyone happy but ...

Colin Watson (cjwatson) wrote :

On Sat, Aug 01, 2009 at 07:11:04AM -0000, unggnu wrote:
> A simple shared folder with an link on every user desktop would make
> everyone happy but ...

... but that's a desktop decision, not something adduser should be
doing. (And it would make me unhappy personally because it would be
noise on the desktop, which is otherwise clean by default; I believe
that that is an explicit Ubuntu desktop design decision.)

unggnu (unggnu) wrote :

No problem at all since it could be stored under Places which makes more sense anyway.

If there is a shared folder there is no need to keep the permissions as open anymore imho.

flaccid (chris-xhost) wrote :

Whatever solution is decided upon, as long as home dirs via adduser etc. are NOT world readable then its ok.
We should also be educating users instead of getting them into bad habits such as sharing home directories - you won't see any decent administrator set this up on a LAN's LDAP or similar.

The basic concept is this: A user has a password, which suggests that a user's resources are protected by this password. Currently this is not the case due to the wrong mentality and current policy in Ubuntu.

I've pointed out to dozens of users that 'hey did you know anyone can read your home folder?'. They are inheritantly shocked when they check my accusation, and a lot reply with 'Gee, Windows is even more secure than this'.

So whats next? IMHO, we should be looking at how other operating systems current share files between local users - check OS X, MS Windows, other distros/*nix etc. Personally I think one of the management options is the DE to provide a tool to share a folder - and hey lets not forget that in Gnome and KDE users can already click a folder and goto its permission's and easily change who can read it. Ideally I think that that every user should know the basics to UNIX/Posix FS permissions also.

Carroarmato0 (carroarmato0) wrote :

How about locking down users folders to them selves and use Samba to deal with the shares? User's have a graphical tool anyway to easily configure the sharing options of Samba. Maybe this could be a valid agreement? Though this would involve either adding Samba on the installation Cd or postpone installation after the system has been installed or on request of the user.

flaccid (chris-xhost) wrote :

@Carroarmato0
Samba server in Ubuntu is not installed or enabled by default. This is also networking sharing, not simple local sharing via UNIX perms. Although Ubuntu lacks a real implementation of Samba that is a transparent config to the user, a network sharing filesystem is not really applicable here. A frontend that allows a user to share a folder in their homedir that is initially forbidden, is really what we need; its already there in the DEs as I mentioned, but not transparent to the user.

It is the responsibility of the DE and/or distro to provide a facility for a newbie-level user to easily allow sharing of a private folder.

David Henningsson (diwic) wrote :

Actually in my home folder in my default Karmic installation, there is a folder named "Publikt" (that'd probably be "public" or "shared" in English), tricking me into believing that everything else is not public - if it was, why would there be a "Publikt" folder in my home directory?

Since it seems to be hard to reach consensus here, could we consider a checkbox in the default installation, something like "Make your home directory readable to all users", somewhere around "encrypt your home directory"?

Olli (olli-kinnunen) wrote :

Incredible !
This bug thread has existed almost 4 years now (with some side threads) and there is no decision that the described behaviour of /home is absolutely not acceptable.

For a "normal" user, everything which is behind my own password, is absolutely mine and only mine.

Somebody says (in some thread) that this is wellknown and accepted behaviour. It may be wellknown for you as "linux-pros", but it is not known and accepted by the major share of the users. Users who are new to linux, to whom every "old" linux tutor says that linux is absolutely safe to use.

An OS is not safe if someone else can (so easily) read my diary, my last will draft, my financial situation etc. etc., anything which is absolutely mine only.

My suggestion is that this behaviour is closed immediately in all existing versions, furthermore instructions are distributed on the Ubuntu web pages how to prevent the usage of the BUG.

The wiki link:
https://wiki.ubuntu.com/DebuggingSecurity#Permissive%20Home%20Directory%20Permissions
is not enough, people do not read thousands of pages just for fun.

The content of that page raises a dejavue-feeling:

"No, it is not a bug, it is a feature"

Mark Shuttleworth (sabdfl) wrote :

Olli, I appreciate that you would like the matter to be handled
differently, but a decision has been taken. Every decision can be
changed, but it will only be changed if the facts or circumstances or
arguments changed. Showing up, talking loudly, but adding nothing other
than a strong statement of your preferences is not going to change it.

Mark

Olli (olli-kinnunen) wrote :

Mark,

"a decision" ?

I am sorry but I cannot see any ?

And that is why I wanted to raise the flag.

CalderCoalson (ccoal) wrote :

First, I was quite surprised to see a response from you yourself, Mark, and
appreciate your direct involvement. Second, while Olli's response was
rather incensed, it is representative of many people's reactions when they
discover this feature. I'm sure there are very good reasons this choice
persists, but it helps people to know what they are. If you could briefly
elaborate on the "facts or circumstances or arguments" that have lead to
this decision people would no longer feel they are
being unreasonably ignored, and thereby reduce the need for electronic
voice-raising.

On a final note, it's worth noting that this does qualify as a "security
bug" by the definition on the wiki:
"accessing information that should be blocked. For example, a user on the
system being able to view or modify private files of another user. ("Loss of
Privacy")"

On Thu, Mar 11, 2010 at 10:07 AM, Mark Shuttleworth <email address hidden>
wrote:
>
> Olli, I appreciate that you would like the matter to be handled
> differently, but a decision has been taken. Every decision can be
> changed, but it will only be changed if the facts or circumstances or
> arguments changed. Showing up, talking loudly, but adding nothing other
> than a strong statement of your preferences is not going to change it.
>
> Mark
>
> --
> Home permissions too open
> https://bugs.launchpad.net/bugs/48734
> You received this bug notification because you are a direct subscriber
> of a duplicate bug.
>
> Status in “adduser” package in Ubuntu: Invalid
>
> Bug description:
> Binary package hint: debian-installer
>
> On a fresh dapper install i noticed that the file permissons for the home
directory for the user created by the installer is set to 755, giving read
access to everyone on the system.
>
> Surely this is a bad idea? If your set on the idea can we atleast have a
option during the boot proccess?
>
> Also new files that are created via the console ('touch' etc.) are done so
with '644' permissons, is there anything that can be done here? nautlius
seems to create files at '600', which is a better setting.
>
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/48734/+subscribe

Colin Watson (cjwatson) wrote :

I believe that the previous comments from me on this bug were quite well-thought-out and explanatory. I certainly made an effort to give a clear explanation of why I believe this to be the correct default rather than just saying "no", and I also noted ways in which I think this could be improved at the desktop UI level.

Mark Shuttleworth (sabdfl) wrote :

The majority of users of Ubuntu systems either have exclusive use of the
machine (personal laptop) or are sharing with friends and relatives. We
assume that the people who share the machine are either trusted, or in a
position to hack the machine (boot from USB!) trivially. As a result,
there is little to no benefit from the permissions you propose.

Now, in a more complex environment, like a university machine with many
users, people do not have access to the hardware and can't easily root
the box, but they also have the sysadmin skills to change the default
permission.

Ergo, we stick with the permission as they stand today.

Mark

flaccid (chris-xhost) wrote :

@Mark Shuttleworth

I don't know where to start with your flaws, but I'll at least flag a few + relevant points.

1. A majority != all
2. The wiki confirms that this is a security bug
3
. People store their mail in the home directory (this is only 1 example). You can then own the user or get the information you need etc. Identity theft is huge and this is only one of the consequences
4. Linux for human beings? We like privacy. Sharing with friends or relatives.. Believe it or not, most friends and relatives like to keep their personal information private, I'm sure you do too
5. You say the word 'assume'. Why would you ever assume trust? Security Engineers are paid to prevent such assumptions
6. Sure you can circumvent via USB boot, but in Ubuntu you can use an encrypted FS or encrypt folders to negate this if you want to
7. Ubuntu is being used in Universities, schools, organisations etc. Wasn't this an objective of Ubuntu - to gain market share/use/awareness in any environment? Are you really ignorant to think that Ubuntu is only being used at home?
8. Real unix/posix operating systems don't make home dirs public. A lot of admins won't even think about checking the perms as a result. We get totally shocked when we first find this out, and obviously a lot have already been bitten.

One only has to look at competitors such as OS X to see that sharing features/frontends have been placed in the Desktop Environment to allow users to easily share files within sub-folders of their home.
You may be suprised, but I have never heard anyone complain that this is hard for an inexperience user to do.

CalderCoalson (ccoal) wrote :

Without getting all worked up here, flaccid does raise one very good point.
 The Mac OS X system works beautifully; that is making everything locked by
default except for a folder explicitly labeled "Public" containing a "Drop
Box" for file transfer to the user. This approach respects both
perspectives, making it extremely easy to share what you want while still
respecting privacy and security by default.

On Thu, Mar 11, 2010 at 9:44 PM, flaccid <email address hidden> wrote:

> @Mark Shuttleworth
>
> I don't know where to start with your flaws, but I'll at least flag a
> few + relevant points.
>
> 1. A majority != all
> 2. The wiki confirms that this is a security bug
> 3. People store their mail in the home directory (this is only 1 example).
> You can then own the user or get the information you need etc. Identity
> theft is huge and this is only one of the consequences
> 4. Linux for human beings? We like privacy. Sharing with friends or
> relatives.. Believe it or not, most friends and relatives like to keep their
> personal information private, I'm sure you do too
> 5. You say the word 'assume'. Why would you ever assume trust? Security
> Engineers are paid to prevent such assumptions
> 6. Sure you can circumvent via USB boot, but in Ubuntu you can use an
> encrypted FS or encrypt folders to negate this if you want to
> 7. Ubuntu is being used in Universities, schools, organisations etc. Wasn't
> this an objective of Ubuntu - to gain market share/use/awareness in any
> environment? Are you really ignorant to think that Ubuntu is only being used
> at home?
> 8. Real unix/posix operating systems don't make home dirs public. A lot of
> admins won't even think about checking the perms as a result. We get totally
> shocked when we first find this out, and obviously a lot have already been
> bitten.
>
> One only has to look at competitors such as OS X to see that sharing
> features/frontends have been placed in the Desktop Environment to allow
> users to easily share files within sub-folders of their home.
> You may be suprised, but I have never heard anyone complain that this is
> hard for an inexperience user to do.
>
> --
> Home permissions too open
> https://bugs.launchpad.net/bugs/48734
> You received this bug notification because you are a direct subscriber
> of a duplicate bug.
>
> Status in “adduser” package in Ubuntu: Invalid
>
> Bug description:
> Binary package hint: debian-installer
>
> On a fresh dapper install i noticed that the file permissons for the home
> directory for the user created by the installer is set to 755, giving read
> access to everyone on the system.
>
> Surely this is a bad idea? If your set on the idea can we atleast have a
> option during the boot proccess?
>
> Also new files that are created via the console ('touch' etc.) are done so
> with '644' permissons, is there anything that can be done here? nautlius
> seems to create files at '600', which is a better setting.
>
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/48734/+subscribe
>

Marc Deslauriers (mdeslaur) wrote :

I think you guys should take a look at the permissions on your OS X home directory, you'll be surprised :)

Our security team FAQ has instructions on changing the default behavior for home directories:
https://wiki.ubuntu.com/SecurityTeam/Policies#Permissive%20Home%20Directory%20Access

That being said, applications should already be storing private data in your home directory with restrictive permissions. If you spot an application that stores private data such as email or browser history with inadequate permissions, please file bugs.

Our official solution to keeping user data private is to use home directory encryption by checking the "Require my password to log in and to decrypt my home folder" option during installation.

unggnu (unggnu) wrote :

I also think that one public directory like Windows or maybe even MacOsX have per default would be the best compromise. I mean this could be created in the home directory and a link added to every new user desktop like in case of the example folder.
With this sharing is even easier than with the current situation and others get their privacy.

Of course changing permissions is easy to evade through booting a live environment but we are not talking about professionals. I mean basically every security system could be breached but the effort and expectation is important I think.

For example afaik if a user logs in with an encrypted home directory it could be accessed from everyone as long as the user is logged in which is possible through user switching. In this case the directory permission would also help to protect the files.
Even if it would be not the case someone could boot a live environment and install a keylogger or similar.

CalderCoalson (ccoal) wrote :

Encryption also adds significant overhead to file read / writes which people
on slower computers can't really afford. As for booting from a USB drive,
there's a huge difference between a family member (if we're assuming that
usage scenario) doing a computer wide search and turning up a private email
or diary entry or something, and someone maliciously booting off a USB-drive
expressly to gain access to your files. Finally, if you're already offering
a psuedo-fix option during the installation process, why not add a real
check box that says
"Allow all users view the contents of my home directory."

I think you'd be surprised by how many people uncheck that.

Marc Deslauriers (mdeslaur) wrote :

If you restrict permissions on the home directory, it isn't possible to have a folder _inside_ that is accessible by other users. This is the way Unix permissions work. This is why the home folder is readable by other users by default on OS X, so the "Shared" folder is accessible.

CalderCoalson (ccoal) wrote :

I think that's what we're agreeing Ubuntu should do as well, with two
changes to make it more Mac OS X-like. First, the default folders (with the
exception of Public) should be locked to all other users. Second, any new
folders that get created should also be locked to all other users. Mac OS X
doesn't even need the second restriction because it stores the mad
proliferation of application data in ~/Library rather than ~/.appnamehere,
but I can't think of any instance in which one user needs to access another
users's application data.

Marc Deslauriers (mdeslaur) wrote :

The ~/.appnamehere folders should already have restrictive permissions set by the applications. For example, ~/.mozilla is 700. If you use an application that doesn't set sane permissions for private data, please file a bug.

Any new folder you create in your home directory in OS X is automatically shared to other people, as the default umask on OS X is the same as Ubuntu.

What other folders do you want restricted by default? Documents, Music, Pictures, Videos? It seems to me those _are_ the folders you would want to share...

Should we create a "Private" directory by default with restrictive permissions?

JeSTeR7 (cblocker) wrote :

Creating a "Private Directory" by default would at least hint to the user that the other directories are not, in fact, private.

CalderCoalson (ccoal) wrote :

That's a start, but a Public would make so much more sense. Then when you
want to share something you do that, but you don't have to separate the
organization of your documents and other personal files by whether they're
"private" or not. Would it really be too hard to add a checkbox for this so
people could choose for themselves? If you collected the data on who choses
what, I would be willing to bet even if it weren't default at least 50% of
people would choose to protect their home directories.

As an aside, the ~/.appname being private is by no means standard or
default. In fact, most of them are public. A short list:
.bluej
.codeblocks
.config
.dia
.evolution
.fontconfig
.freemind
.gimp
.gstreamer
.gtk-bookmarks
.hardinfo
.icons
.java
.kde
.nautilus
.openoffice.org
.subversion
.svnqt
.texmf-var
.themes
.update-manager-core
.wapi
.wine
And that's just on my system...

On a semi-related note, is there any actual reason why Linux defaults to
cluttering home directories with invisible files? Mac OS X's system of
storing everything in a Library folder again seems far more intelligent, as
we could avoid this whole problem by locking the ~/Library folder as Mac OS
X does.

unggnu (unggnu) wrote :

@Marc Deslauriers
I meant creating the public folder in the global home directory "/home" not the user home directory.

And if a link on the desktop is against the gui guidelines just add one under "Places" or in the user home directory.

David Henningsson (diwic) wrote :

@CalderCoalson: Long story short, cluttering home directories with invisible files is part of the FHS standard. There is also a freedesktop standard that dictates that configuration should be put in a subdirectory under ~/.config/. My personal preference is for the latter.
And the .config directory is 755 (i e not locked up for other users)...

As a side note, does anybody know how other distributions deal with this issue? My guess is that almost everyone else locks it up by default, but I don't know for sure. And that in turn leads to upstreams assuming that, and therefore not caring about what permissions they put on their invisible files.

Mark Knowles (markknowles) wrote :

This is a shocker.

This is yet another example of Ubuntu not taking security seriously. This is not a problem on RedHat or Fedora.

And this issue exists on the server edition as well! Reading each other's files by default is _not_ cool. I can't believe how long I've been running with such an insecure configuration.

flaccid (chris-xhost) wrote :

After some of the comments I did look at some other *nix OS and distros and observed that quite a few do have open home directories too by default. There are however quite a few that apply protection.

It is just a question of which category Ubuntu wants to be in. At this point, it looks like the former which is a shame.

Microsoft Windows even protects user's files by default. IMHO, if we want to remain mediocre and not add protection, then we could at least provide an informative dialog in the installer or create user GUI to advise that the created user has a world readable home.

No opt-in to 'sharing' as its been called is plain ridiculous. With servers, sysadmins are responsible in this area, but this is Ubuntu - linux for human beings, on the desktop.

emarkay (mrk) wrote :

Wow even the SABDFL chimed in, but...

Correct me if I am wrong, as I have not spent hours studying this.

My "home" directory is accessible to me, as I am logged in.
It is NOT accessible to anyone else logged into my PC with their password.
It is NOT accessible by anyone on a network, or online (a large network).

If the above is not true, this will open up an unfun can of worms for the Diggers and Redditers, as well as a bunch of other places.

Clarification on this, please, ASAP.

flaccid (chris-xhost) wrote :

@emarkay
Thats explained above if you read the history.
The simple answer is yes, any system user can read anything in /home/*

I did notice that what people are saying is correct... it is like this with many other distros and OS.
But, imho, this shouldn't mean that Ubuntu does the same.

Do we want to be a leader or a follower?
Ubuntu - Linux for human beings.
Well, humans like privacy.

Olaf van der Spek (olafvdspek) wrote :

@Colin, Mark: What about Principle of least privilege? Safe-by-default?
Why does user www-data (for example) have access to my files?

The defaults provide access to way more than other humans. You might at least want to use ACLs to limit it to other humans by default.

It should be clear by now that some users expect a private home dir. Why not provide an easy way to switch from private to public?

Olaf van der Spek (olafvdspek) wrote :

Somebody?
Implementing a public dir for easy sharing can IMO be easily done with defaulting to a world readable home dir.

Olaf van der Spek (olafvdspek) wrote :

Sorry, that should read: "without defaulting to a world readable home dir."

Changed in adduser (Ubuntu):
status: Invalid → New
Changed in adduser (Ubuntu):
status: New → Opinion
Olaf van der Spek (olafvdspek) wrote :

> status: New → Opinion

That's silly, could someone at least respond to the arguments so we can have a proper discussion?

Changed in adduser (Ubuntu):
status: Opinion → New
Colin Watson (cjwatson) wrote :

There are lots of responses to the arguments in this bug log; the disagreements are essentially ideological. Opinion seems like the ideal bug status.

Changed in adduser (Ubuntu):
status: New → Opinion
Olaf van der Spek (olafvdspek) wrote :

A response to #38 and #39 is still missing.

Changed in adduser (Ubuntu):
status: Opinion → New
Clint Byrum (clint-fewbar) wrote :

Olaf, the point of the Opinion status is to allow discussion to continue without attracting the attention of triagers who are trying to categorize and/or reproduce issues in the New status.

So, to that point, the status should remain at Opinion until consensus is reached, at which point it should move to status Confirmed, or Invalid, but it should not return to New.

To that point, we should probably consider any bugs that are in the Opinion status and have received a lot of discussion for UDS sessions.

Changed in adduser (Ubuntu):
status: New → Opinion
Olaf van der Spek (olafvdspek) wrote :

Ah, I assumed Opinion meant Wontfix. It'd still be nice if someone responded to the arguments.

Søren (p-sl) wrote :

I was horrified to find my home dir open, and Googled this post.

I simply can't believe the rationale - okay, we are geeks using Linux wearing tinfoil hats but please: you are going to sacrifice security for the sake of ... I don't exactly know how to put it... a badly implemented sharing feature, perhaps?

Running a webserver, I found out that if someone somehow manages to get shell access with the very limited webserver user, which runs silly rbash (restricted bash), they will have access to ALL users home dirs - also administrators.
But of course, then they will be pleased to see, how easy filesharing is on Ubuntu.

There must be a more intelligent solution to this security issue.

Alexander Adam (7ql6) wrote :
Download full text (3.2 KiB)

Sorry but the decision still doesn't make any sense to me.
I have to change the default permissions on every installation which is indeed *not* usability friendly.

Besides that the public-dir would be perfect for this (wouldn't it be possible to symlink public to a directory outside of users home and so leave it accessible for everyone?): I never ever intenionally shared files between home-dirs.
Addionally I have to add that I even talked with many colleagues and friends for this "feature" and (surprise surprise) they also don't use this "feature".

But many people doesn't know that a default ubuntu-installation behaves like this. And this is the real danger.
If you want a proof you can find many more people in the web who where negative surprised (besides the ones in this bug-ticket).
Wether in ubuntu forums, askubuntu.com, blogs or here on launchpad: obviously no one is expecting that.

And even IF Colin Watson amazingly really have more cases with public read access than private access then it should be at least decidable by the user (as mentioned by himself in #8). And I don't mean by /etc/adduser.conf but in the GUI (ie an checkbox in usermanagement wether the home-dir should be readable and/or a checkbox on the installer).

Furthermore like David Henningsson already said: if you have even a public dir wouldn't it be intuitive to expect that the other directories and files aren't public?

I totally agree with aysiu what the defaults should like and I also think like flaccid that even IF somewant WANTS to share his home-dir it is the worst idea to share files. There are thousands of possibilities but sharing the whole home directory should be the default?

Marc Deslauriers even if every tool which stores the permissions correct: as long as the user doesn't knows that his files are visible it is still an terrible issue - isn't it? If the user manages his files which leads to unintentinally public data there is definitely a need to improve something.

It was a phantastic step to offer simple solutions for encrypting the whole disk, home- or private-dir. But even if I have a fresh installation with an encrypted disk and I prohibited booting from usb or networking there could be a case like this:
I am booting the system (type the passphrase) and leaving the room for a moment than someone could login to the (default-activated?) guest login and steal my data. In this case the attacker needs nearly nothing for getting everything.
And even in "smaller" circles when family members share accounts on one computer they mostly expect their home dir is their little home - including a little amount of privacy.

And to complete the analogy in "real life". See the home-dir like a real home with your own room. Inner-flat doors are often lockable even if you know that these locks give just a low-level-security.

For a project which claims to listen to their customers: with all due respect but nobody seems to really listen here (or on ubuntu forums, askubuntu, …) while they are good reasons mentioned for a meaningful revision.

So Mark Shuttleworth: No facts or circumstances changed, because there are still many people who think that the default is wrong, b...

Read more...

Marcus Haslam (marcus-haslam) wrote :
Download full text (4.5 KiB)

I will be out of the office until 9th January, in my absense please contact Nick Tait

On 14 Nov 2012, at 23:03, Alexander Adam <email address hidden> wrote:

> Sorry but the decision still doesn't make any sense to me.
> I have to change the default permissions on every installation which is indeed *not* usability friendly.
>
> Besides that the public-dir would be perfect for this (wouldn't it be possible to symlink public to a directory outside of users home and so leave it accessible for everyone?): I never ever intenionally shared files between home-dirs.
> Addionally I have to add that I even talked with many colleagues and friends for this "feature" and (surprise surprise) they also don't use this "feature".
>
> But many people doesn't know that a default ubuntu-installation behaves like this. And this is the real danger.
> If you want a proof you can find many more people in the web who where negative surprised (besides the ones in this bug-ticket).
> Wether in ubuntu forums, askubuntu.com, blogs or here on launchpad: obviously no one is expecting that.
>
> And even IF Colin Watson amazingly really have more cases with public
> read access than private access then it should be at least decidable by
> the user (as mentioned by himself in #8). And I don't mean by
> /etc/adduser.conf but in the GUI (ie an checkbox in usermanagement
> wether the home-dir should be readable and/or a checkbox on the
> installer).
>
> Furthermore like David Henningsson already said: if you have even a
> public dir wouldn't it be intuitive to expect that the other directories
> and files aren't public?
>
> I totally agree with aysiu what the defaults should like and I also
> think like flaccid that even IF somewant WANTS to share his home-dir it
> is the worst idea to share files. There are thousands of possibilities
> but sharing the whole home directory should be the default?
>
> Marc Deslauriers even if every tool which stores the permissions
> correct: as long as the user doesn't knows that his files are visible it
> is still an terrible issue - isn't it? If the user manages his files
> which leads to unintentinally public data there is definitely a need to
> improve something.
>
> It was a phantastic step to offer simple solutions for encrypting the whole disk, home- or private-dir. But even if I have a fresh installation with an encrypted disk and I prohibited booting from usb or networking there could be a case like this:
> I am booting the system (type the passphrase) and leaving the room for a moment than someone could login to the (default-activated?) guest login and steal my data. In this case the attacker needs nearly nothing for getting everything.
> And even in "smaller" circles when family members share accounts on one computer they mostly expect their home dir is their little home - including a little amount of privacy.
>
> And to complete the analogy in "real life". See the home-dir like a real
> home with your own room. Inner-flat doors are often lockable even if you
> know that these locks give just a low-level-security.
>
> For a project which claims to listen to their customers: with all due
> respect but nobody seems to reall...

Read more...

Alexander Adam (7ql6) wrote :

I just wanted to add that I was wrong with the default guest login. The default guest login is *not* able to view others home-directories (the other points I mentioned are unfortunately still right).

Bruno Nova (brunonova) wrote :

I think the current permissions are not perfect.

On one hand, I understand that locking down the home folder (700 permissions) would create some problems.
Samba wouldn't be able to share any folder inside ~/ to other users (especially guest users), Apache wouldn't be able to access ~/public_html (if using Apache userdir module), users would have difficulty sharing files and folders to others and be confused, etc.

On the other hand, this is a privacy/security issue. Most people think that their home folders are private.
At least the guest session cannot access /home, and encrypted home folders are private, so it's not completely terrible.

In my humble opinion, the home folder should remain open (755 permissions), but all default folders and files inside (including ~/.config, ~/.local, etc.) should be made private (700 permissions) by default, except ~/Public.
Users can then change the permissions to share something, or move the files to ~/Public.
The file manager could also warn the user, in the permissions tab, when a file/folder, according to its permissions, should be accessible by others/group, but isn't because the parent folders are not accessible (fixing some confusion).
This would probably mean patching xdg-user-dirs-update and other stuff.

If not, the users should at least be warned that everyone can access their home folders.
This could be achieved by adding an information/warning balloon/tip to the file manager when it's in the home folder (like Nautilus does in ~/Templates), and if it's world readable (but allow the warning to be dismissed).
The warning could also be added to the "encrypt home folder" option during the installation: if it's not selected, warn the user that the home folder will be accessible by other users.

As a side note, it would be awesome if the file manager could show and manage ACLs (and setuid, setgid and sticky bits) out of the box, like KDE's Dolphin does. This would make sharing files with a specific user even easier.
"eiciel" adds ACL support to Nautilus, but it's not installed by default.

This needs to be reconsidered. All user comments in this thread refuse the official explanation given in comment #1

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers