John Richard Moser nigelenki at comcast.net
Thu Oct 20 12:51:43 CDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As requested on bug #17424, this discussion is being brought to this list.

I feel it needs to be determined whether the default umasks and the
/home or /root directories need to be 0700.  I have come up with
several reasons why the current setting of 0755 is a problem.

===Information leakage===

On a typical Ubuntu install, /root is rwxr-xr-x.  The first created home
folder follows this pattern, although the second doesn't seem to fit the
bill.  To illustrate this, I created a Breezy (released) system with a
user "john," then logged in as "john" and created account "rusty"
through System->Administration->Users and Groups.  My /home looks as
follows:

john at iceserver:~$ ls -l /home/
total 8
drwxr-xr-x  14 john  john  4096 2005-10-19 17:31 john
drwx------  14 rusty rusty 4096 2005-10-19 22:01 rusty

No intentional chmodding was done.

We know that the first user created in Ubuntu is sudoable; thus, 'john'
is an administrator.  'rusty' may or may not be.  It appears here that
we could look at a multi-user machine of 1000 users and single out the
administrator unless intentional chmodding or transfer of adminship was
passed to another account.  This gives us a useful account to try to
discover the password on.

(for reference, 'rusty' is also an administrator)


===Insecure information store===
Poorly written applications are a hazard.  We would hope in a perfect
world that applications are all smart enough to umask(0700) if they
write sensitive information; some of us would pretend this is a reality.
Here is a view of /home/john:

john at iceserver:~$ ls -lA /home/john/
total 36
-rw-------  1 john john 1035 2005-10-19 21:59 .bash_history
-rw-r--r--  1 john john  414 2003-01-26 19:56 .bash_profile
-rw-r--r--  1 john john 2227 2003-01-26 19:56 .bashrc
drwxr-xr-x  2 john john    6 2003-01-28 21:12 Desktop
-rw-------  1 john john   26 2003-01-28 21:12 .dmrc
-rw-------  1 john john   16 2003-01-28 21:12 .esd_auth
drwx------  4 john john   31 2005-10-19 17:29 .gconf
drwx------  2 john john   24 2005-10-19 17:31 .gconfd
-rw-r-----  1 john john    0 2005-10-19 17:29 .gksu.lock
drwxr-xr-x  3 john john   22 2003-01-28 21:12 .gnome
drwx------  6 john john   69 2005-10-19 17:31 .gnome2
drwx------  2 john john    6 2003-01-28 21:12 .gnome2_private
drwxr-xr-x  2 john john   25 2003-01-28 21:12 .gstreamer-0.8
-rw-r--r--  1 john john   86 2003-01-28 21:12 .gtkrc-1.2-gnome2
-rw-------  1 john john    0 2005-10-19 17:31 .ICEauthority
drwx------  3 john john   21 2003-01-28 21:12 .metacity
drwx------  3 john john   33 2003-01-28 21:27 .mozilla
drwxr-xr-x  3 john john   22 2003-01-28 21:12 .nautilus
drwx------  2 john john    6 2003-01-28 21:12 .Trash
drwx------  2 john john   23 2003-01-28 21:21 .update-notifier
-rw-r--r--  1 john john 9394 2005-10-19 17:31 .xsession-errors

As we can see, our applications are quite well designed.  .Trash is even
locked down so you can't view the garbage file when you hack the gibson.
It's not safe to assume that all applications are as nice, though
happily .mozilla appears to umask(0700), lest we leak credit card IDs.

We may not always be so fortunate that an FTP client or an obscure Web
browser like Dillo with SSL/JS/Form history plug-ins would do this.
One day you could look and see tiny little rwxr-xr-x and rwxr--r-- files
lying around, which would be an unfortunate and unpredicted disaster.

john at iceserver:~$ ls -ld /home/john/.gnome/
drwxr-xr-x  3 john john 22 2003-01-28 21:12 /home/john/.gnome/
john at iceserver:~$ ls -ld /home/john/.gnome/gnome-vfs/
drwxr-xr-x  2 john john 31 2003-01-28 21:12 /home/john/.gnome/gnome-vfs/
john at iceserver:~$ ls -ld /home/john/.gnome/gnome-vfs/.trash_entry_cache
-rw-r--r--  1 john john 11 2005-10-19 17:29
/home/john/.gnome/gnome-vfs/.trash_entry_cache
john at iceserver:~$ cat /home/john/.gnome/gnome-vfs/.trash_entry_cache
/var -
/ -
/media/lesbian_porn -

Gotta love how gnome-vfs and Hal respect FAT volume labels.


===User-driven insecure information store===
When you use something like gtk-gnutella, openoffice.org, Firefox, or
Thunderbird to save a file, it's saved with the current umask.  Thus,
any files created by the user are fully readable to world.  This
includes journal entries, private letters, financial statements, porn, etc.

To take one extreme, an executive could write a letter containing
confidential information, to mail, in OpenOffice.org over either XDMCP,
FreeNX, or an NFS /home directory.  In his local office, he may use a
shared server with a weaker workstation, and may write the letter on the
server just because he's already FreeNX'd in and it's convenient.  So
now his letter is readable by others who may access the server.

In the other direction, there are countless implications that can be
made about storing sensitive DVD rips in your own account away from the
prying access of your 9 year old daughter, who can browse to your /home
folder and view the rw-r--r-- files anyway.


--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

    Creative brains are a valuable, limited resource. They shouldn't be
    wasted on re-inventing the wheel when there are so many fascinating
    new problems waiting out there.
                                                 -- Eric Steven Raymond
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDV9kuhDd4aOud5P8RAhKLAJ4q2pL2tXMdFGZsR84Bkza1PUT+ugCggLOS
X6kC+m5M2u2cKwGHPr/AUqQ=
=e4kg
-----END PGP SIGNATURE-----
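The mechanism behind every listing in the message above is the same: a new file starts at mode 0666 (a directory at 0777) and the process umask clears bits from that, so a 022 umask leaves every new file world-readable while 077 does not. The script below is an added example, not code from the message or from Ubuntu. It reproduces the two cases side by side in a scratch directory built here, then runs the check an administrator would run over a real /home: list every entry whose "other" read bit is set, which is exactly what a non-owner can open. It assumes GNU coreutils (`stat -c`) and a `find` that understands `-mindepth`; the scratch tree and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original message or from Ubuntu.
# Assumes GNU coreutils (stat -c '%a') and a find supporting -mindepth.
set -eu

# Create one file and one directory inside the scratch directory $1 with
# umask $2, then print their resulting octal modes as "FILE DIR".
# The subshell keeps the umask change from leaking into the caller.
create_with_umask() {
    scratch=$1; mask=$2
    (
        umask "$mask"
        : > "$scratch/file.$mask"     # regular file: 0666 & ~umask
        mkdir "$scratch/dir.$mask"    # directory:    0777 & ~umask
    )
    printf '%s %s\n' \
        "$(stat -c '%a' "$scratch/file.$mask")" \
        "$(stat -c '%a' "$scratch/dir.$mask")"
}

# Audit: print every entry below $1 (relative to it, sorted) that has the
# "other" read bit (0004) set, i.e. that any local user can read.
# On a real system run it as: world_readable /home
world_readable() {
    root=$1
    ( cd "$root" && find . -mindepth 1 -perm -004 -print | sort )
}

# Stand-alone demo: a constructed tree with one "home" made under umask 022
# (the first-user case in the message) and one under umask 077.
demo_home=$(mktemp -d)
printf 'umask 022 -> file dir: %s\n' "$(create_with_umask "$demo_home" 022)"
printf 'umask 077 -> file dir: %s\n' "$(create_with_umask "$demo_home" 077)"
printf 'world-readable entries under %s:\n' "$demo_home"
world_readable "$demo_home"
rm -rf "$demo_home"
```

`create_with_umask "$d" 022` prints `644 755` and the 077 variant prints `600 700`; `world_readable` then reports only the 022 pair, which is the same split the `ls -l /home/` listing shows between the john and rusty directories. Putting `umask 077` in /etc/profile (or the login manager's defaults) changes the first line but not files already on disk, so the audit function is the part worth keeping.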



More information about the ubuntu-devel mailing list