Incorrect permissions (home directories)

Bug #67128 reported by Boris Kolar on 2006-10-20
12
Affects Status Importance Assigned to Milestone
adduser (Ubuntu)
Undecided
Unassigned

Bug Description

(applies to all versions of Ubuntu, including 6.10-rc)

The home directory of default user created by installer (and probably users created by user configuration GUI too, i use server edition so I'm not sure) has permissions 755, which means that other users can browse default user home directory. Permissions for home directories should be set to 0700.

Some of you may not agree it's a bug, but no matter how you call it, it must be fixed. Such behaviour violates several principles of good design:
- security by default (no action or special knowledge should be required to have secure system after installation)
- principle of least privilege (ability to browse other home directories is rarely required, so it should not be enabled by default)
- principle of least surprise (things should work as expected and ability of others to browse my home directory is not what I would expect if I was novice user)

Recommendation: make more sensible 0700 permissions as default for 6.10 release. It should be an easy fix.

towsonu2003 (towsonu2003) wrote :

thanks for your bug report. which installation medium did you use? liveCd or alternative cD?

towsonu2003 wrote:
> thanks for your bug report. which installation medium did you use?
> liveCd or alternative cD?
ubuntu-6.10-rc-server-i386.iso
(I'm pretty sure there's a problem with 6.06 desktop edition as well)

towsonu2003 (towsonu2003) wrote :

thanks. I tried to assign it to the correct package to the best of my knowledge. [opinion ahead:] I agree that one's home folder should be rwX for the user only.

Colin Watson (cjwatson) wrote :

This has come up a number of times before and has been repeatedly rejected for good reasons which I won't go into here because I do not want to have the argument in this bug report; I have posted on Ubuntu mailing lists on the subject before, if you want to dig up those posts. If you disagree with the default (which you're entitled to do), then boot the installer with adduser/homedir-permission=false on the kernel command line, or use expert mode where that question should be asked.

Changed in debian-installer:
status: Unconfirmed → Rejected

I suggest this bug be reopened and that developers think this through instead of using a black/white approach. Just look at Mac OS X for a more sensible default (home directories are private by default, but have a public folder for sharing files and even a dropbox).

It is little things like this that make Ubuntu less usable for normal home users. My experience also tells me that I will get major insults thrown at me if I do not fix this bug myself after installation (people want their files to be private by default).

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers