security problems with incorrect permissions for ubuntu 17.10

Bug #1735929 reported by User2233 on 2017-12-02
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
dconf | Fix Released | Medium | |
gnome-session | Fix Released | Medium | |
d-conf (Ubuntu) | | High | Sebastien Bacher |
Bionic | | High | Sebastien Bacher |
dconf (Ubuntu) | | High | Unassigned |
gnome-session (Ubuntu) | | High | Sebastien Bacher |
Bionic | | High | Sebastien Bacher |
session-migration (Ubuntu) | | High | Didier Roche |
Bionic | | High | Didier Roche |
xorg-server (Ubuntu) | | High | Marc Deslauriers |
Bionic | | High | Marc Deslauriers |

Bug Description

The release of Ubuntu you are using (lsb_release -rd):
Description: Ubuntu 17.10
Release: 17.10

This is a fresh installation of Ubuntu 17.10 from the mini.iso.
I select only default options + [Ubuntu Desktop] installation.

What you expected to happen:
My home folder contains the following folders with correct and safe permissions after the first login:
drwx------ 11 user user 4096 Dec 2 17:40 .config
drwx------ 3 user user 4096 Dec 2 17:39 .local

What happened instead:
I received these folders after the first login:
drwxr-xr-x 11 user user 4096 Dec 2 17:40 .config
drwxr-xr-x 3 user user 4096 Dec 2 17:39 .local
It is not safe. Any user can access my .config folders and read, for example, my mail databases.

I'm trying to create a new user...:
sudo useradd -m user2
sudo passwd user2
... and login then.
It has the same problem:
drwxr-xr-x 10 user2 user2 4096 Dec 2 19:44 .config
drwxr-xr-x 3 user2 user2 4096 Dec 2 19:44 .local
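
An audit for the condition reported above, as an added example that is not part of the original report: it flags `.config`, `.local` and `.cache` directories whose mode grants anything to group or other, and can restrict them to the owner. The function names are hypothetical and GNU `stat` (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: audit the per-user directories named in this report.
# Assumes GNU stat (as on Ubuntu); function names are hypothetical.

XDG_DIRS=".config .local .cache"

# Print "<octal mode> <path>" for each directory under home $1 that grants
# any permission bit to group or other (mode & 077 != 0).
audit_home() {
    for d in $XDG_DIRS; do
        p="$1/$d"
        [ -d "$p" ] || continue
        mode=$(stat -c '%a' "$p")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$p"
        fi
    done
}

# Audit every home directory below base $1 (for example /home).
audit_all() {
    for h in "$1"/*/; do
        [ -d "$h" ] && audit_home "${h%/}"
    done
    return 0
}

# Restrict the flagged directories under home $1 to their owner. Removing the
# search (x) bit for group/other on the top directory blocks path traversal
# to everything beneath it, so no recursive chmod is needed.
fix_home() {
    audit_home "$1" | while read -r _mode path; do
        chmod go-rwx "$path"
    done
}
```

Run `audit_all /home` as root to cover all accounts; `fix_home` changes only the directories the audit flagged.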

Seth Arnold (seth-arnold) wrote :

Hello User2233, this is an intentional design choice to enable users to share with each other. If this isn't appropriate for your environment you can modify the DIR_MODE variable in /etc/adduser.conf to set the permissions as desired.

https://help.ubuntu.com/lts/serverguide/user-management.html#user-profile-security

Thanks for reporting this issue, don't hesitate to report future issues.

information type: Private Security → Public Security
Changed in ubuntu:
status: New → Won't Fix
User2233 (snql-by) wrote :

Hello Seth, thank you for your answer.
It is so strange. As far as I know it was done so all users could access ~/Public directory and this does not apply to the directories like .config and .local which could contain private information and application settings.
~/.cache folder still contains 700.
I had correct permissions for those folders before (for example 14.04, 16.04):
/home
----/user1 (755)
--------/Public (755)
--------/.config (700)
--------/.local (700)
--------/.cache (700)
In normal circumstances .config and .local folders will be created by xdg-user-dirs-update utility with 700 permissions. Is it possible that xdg utility doesn't execute correctly?

Seth Arnold (seth-arnold) wrote :

Oh, that's an interesting possibility. Thanks.

Changed in ubuntu:
status: Won't Fix → New

On Ubuntu MATE 17.10 I can confirm ~/.config is drwxr-xr-x
However with a new user ~/.cache is drwxrwxr-x and ~/.local is drwx------

Changed in ubuntu:
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

This is definitely a regression compared to previous releases and needs investigation.

Marc Deslauriers (mdeslaur) wrote :

I can reproduce this issue with the 17.10 desktop installer.

Marc Deslauriers (mdeslaur) wrote :

With the 17.04 installer, only .local seems to be affected.

Marc Deslauriers (mdeslaur) wrote :

Looks like 16.04 is unaffected.

Changed in ubuntu:
importance: Undecided → High
Sebastien Bacher (seb128) wrote :

Didier, could you have a look at the session-migration part of the issue?

Changed in session-migration (Ubuntu):
assignee: nobody → Didier Roche (didrocks)
Changed in gnome-session (Ubuntu):
importance: Undecided → High
status: New → Triaged
Didier Roche (didrocks) wrote :

Sure, will have a look at the directory creation permission

Changed in d-conf (Ubuntu):
importance: Undecided → High
status: New → Triaged
Changed in dconf:
importance: Unknown → Medium
status: Unknown → Confirmed
Changed in gnome-session:
importance: Unknown → Medium
status: Unknown → Confirmed
Jeremy Bicha (jbicha) on 2018-01-22
Changed in dconf (Ubuntu):
status: New → Triaged
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package session-migration - 0.3.3

---------------
session-migration (0.3.3) bionic; urgency=medium

  * src/session-migration.c:
    fix default permission when creating unexisting parent directories
    to be 700. (LP: #1735929)

 -- Didier Roche <email address hidden> Tue, 23 Jan 2018 10:31:30 +0100

Changed in session-migration (Ubuntu):
status: Confirmed → Fix Released
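
The bug class named in the session-migration changelog entry above, shown with `mkdir -p` as an added example (this is not session-migration's C code): a mode requested for the leaf directory does not apply to parents that are created on the way. The `.local/share/app` path and the function names are hypothetical; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: why "create missing parents" can leave ~/.local or ~/.config
# world-readable even when the leaf directory is requested as 700.

# Octal mode of path $1 (GNU stat assumed).
mode_of() { stat -c '%a' "$1"; }

# The leaf gets -m 700, but mkdir -p creates missing parents with a mode
# derived from the umask (plus u+wx), i.e. 755 under the usual umask 022.
make_leaf_only_private() (
    umask 022
    mkdir -p -m 700 "$1/.local/share/app"
)

# Tightening the umask makes every directory created on the way 700. The
# function body is a subshell, so the caller's umask is left untouched.
make_all_private() (
    umask 077
    mkdir -p "$1/.local/share/app"
)
```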
Marc Deslauriers (mdeslaur) wrote :

Related bug in ubuntu-mate-welcome: bug 1745929

Marc Deslauriers (mdeslaur) wrote :

Any further progress on these issues?

Will Cooke (willcooke) on 2018-03-26
tags: added: rls-bb-incoming
tags: removed: rls-bb-incoming
Changed in gnome-session (Ubuntu):
assignee: nobody → Sebastien Bacher (seb128)
Changed in d-conf (Ubuntu):
assignee: nobody → Sebastien Bacher (seb128)
Changed in d-conf (Ubuntu Bionic):
status: Triaged → Fix Committed
dino99 (9d9) wrote :

d-conf (0.26.0-2ubuntu3) bionic; urgency=medium

  * 0001-Don-t-create-the-user-config-dir-as-world-readable.patch:
    - create the config dir with permissions 700 so it's not world readable
      (lp: #1735929)

 -- Sebastien Bacher <email address hidden> Thu, 29 Mar 2018 11:01:28 +0200

uh !! bionic-proposed is already at 0.26.1-3ubuntu2

so 0.26.0-2ubuntu3 is supposed to be uploaded to Artful archive, not bionic.

Sebastien Bacher (seb128) wrote :

No, that was "dconf" (rename) and that never migrated to bionic due to armhf autopkgtest issues, I deleted that version to land that fix, the update can be uploaded again if someone figures out the test issues

dino99 (9d9) wrote :

Yeah but that tweak is quite dirty: try to downgrade from 0.26.1-3ubuntu2 to 0.26.0-2ubuntu3, and you are proposed to remove half of the packages list.

Maybe set the proposed version higher than the previous proposed one to bypass that issue.

Jeremy Bicha (jbicha) wrote :

dino99, we can't easily just set the version higher since the autopkgtest issue is triggered by 0.26.1 and higher versions.

http://autopkgtest.ubuntu.com/packages/n/notify-osd/bionic/armhf

Jeremy Bicha (jbicha) wrote :

Also, this is why I try suggesting really strongly to you guys not to run -proposed during the development cycle because these kinds of removals happen.

(Maybe you just need to make sure you downgrade all the dconf binary packages at the same time.)

dino99 (9d9) wrote :

Next proposal:

rename to 0.26.1-3ubuntu3+isreally+0.26.0-2ubuntu3

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package d-conf - 0.26.0-2ubuntu3

---------------
d-conf (0.26.0-2ubuntu3) bionic; urgency=medium

  * 0001-Don-t-create-the-user-config-dir-as-world-readable.patch:
    - create the config dir with permissions 700 so it's not world readable
      (lp: #1735929)

 -- Sebastien Bacher <email address hidden> Thu, 29 Mar 2018 11:01:28 +0200

Changed in d-conf (Ubuntu Bionic):
status: Fix Committed → Fix Released
Sebastien Bacher (seb128) wrote :

The weird version is no-go, bionic-proposed is not supposed to be used, it's a pocket designed for packages testing and validation, if you opt in for that you should know what you are doing. It's easy enough to go back, just install dconf-server/bionic libdconf1/bionic etc for all the dconf binaries you need

Sebastien Bacher (seb128) wrote :

Change attached to the upstream bug

Changed in gnome-session (Ubuntu Bionic):
status: Triaged → In Progress
Changed in gnome-session:
status: Confirmed → Fix Released
Jeremy Bicha (jbicha) on 2018-04-10
Changed in gnome-session (Ubuntu Bionic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-session - 3.28.1-0ubuntu1

---------------
gnome-session (3.28.1-0ubuntu1) bionic; urgency=medium

  * New upstream release
    - Don't create ~/.config as world-readable. (LP: #1735929)
  * Drop xsmp-don-t-check-for-HAVE_XTRANS.patch: Applied in new release

 -- Jeremy Bicha <email address hidden> Tue, 10 Apr 2018 10:09:40 -0400

Changed in gnome-session (Ubuntu Bionic):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Is there anything left to land here? I just installed the 2018-04-13 desktop iso, and while ~/.config has correct permissions, ~/.local does not.

Changed in xorg-server (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → High
status: New → In Progress
status: In Progress → Fix Committed
daniel CURTIS (anoda) wrote :

Hello.

On 16.04 LTS (16.04.4) Release it looks this way:

[~]$ ls -ld .config/
drwxr-xr-x 24 user1 user1 4096 apr 14 18:21 .config/

[~]$ ls -ld .local/
drwx------ 3 user1 user1 4096 apr 30 2017 .local/

Thanks.

Marc Deslauriers (mdeslaur) wrote :

Hi daniel,

I wasn't able to reproduce with 16.04. Did you install the regular Ubuntu desktop, or a specific flavour?

daniel CURTIS (anoda) wrote :

Hi Marc.

I apologize for not mentioning a release type. It's Xubuntu 16.04 LTS. For now, I have no access to my other computer with Ubuntu 16.04 LTS so I can not verify this issue. Sorry.

Is it a problem, that incorrect permissions - in this case - are in Xubuntu and not in Ubuntu? Will it be fixed?

Thanks and I apologize once again.

Changed in dconf:
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.19.6-1ubuntu4

---------------
xorg-server (2:1.19.6-1ubuntu4) bionic; urgency=medium

  * debian/patches/fix-default-permissions.patch: fix default permissions
    when creating the log directory. (LP: #1735929)

 -- Marc Deslauriers <email address hidden> Fri, 13 Apr 2018 11:31:45 -0400

Changed in xorg-server (Ubuntu Bionic):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

I tested the 2018-04-21 daily image, and the permissions on ~/.config and ~/.local are OK now.

Jeremy Bicha (jbicha) on 2018-05-15
no longer affects: dconf (Ubuntu Bionic)
This report contains Public Security information.