Colin Watson
cjwatson at ubuntu.com
Thu Oct 20 15:16:03 CDT 2005

On Thu, Oct 20, 2005 at 01:51:43PM -0400, John Richard Moser wrote:
> On a typical Ubuntu install, /root is rwxr-xr-x. The first created home
> folder follows this pattern; although the second doesn't seem to fit the
> bill. To illustrate this, I created a Breezy (released) system with a
> user "john," then logged in as "john" and created account "rusty"
> through system->administration->users and groups.

It's a bug if users-admin doesn't behave the same way as adduser.

> john@iceserver:~$ ls -l /home/
> total 8
> drwxr-xr-x 14 john john 4096 2005-10-19 17:31 john
> drwx------ 14 rusty rusty 4096 2005-10-19 22:01 rusty
>
> No intentional chmodding was done.
>
> We know that the first user created in Ubuntu is sudoable; thus, 'john'
> is an administrator. 'rusty' may or may not be. It appears here that
> we could look at a multi-user machine of 1000 users and single out the
> administrator unless intentional chmodding or transfer of adminship was
> passed to another account.

How about 'getent passwd | grep 1000', or getpwuid(1000) from C, or all
kinds of other methods? The information you suggest is being leaked is
already available in a host of other ways.

> As we can see, our applications are quite well designed. .Trash is even
> locked down so you can't view the garbage file when you hack the gibson.
> It's not safe to assume that all applications are as nice, though
> happily .mozilla appears to umask(0700), lest we leak credit card IDs.

Remember that any such vulnerability would have to be fixed anyway.

> john@iceserver:~$ cat /home/john/.gnome/gnome-vfs/.trash_entry_cache
> /var -
> / -
> /media/lesbian_porn -

I don't think it's Ubuntu's job to prevent your wife from finding out
about your porn stash or your children from looking at it. :-) (If other
users were reasonably competent, they could easily write a small program
which reported back to them on directories appearing in /media, anyway.
This is only going to get easier, not harder ...)

> When you use something like gtk-gnutella, openoffice.org, Firefox, or
> Thunderbird to save a file, it's saved with the current umask. Thus,
> any files created by the user are fully readable to world. This
> includes journal entries, private letters, financial statements, porn, etc.

See the mail I sent to this thread a moment ago.

Rather than making it actively difficult for users on the same system
(who, as I explained, will often be associated with each other and have
useful information to share with each other) to share files, I'd much
rather see increased UI prominence for permissions on files, so that
it's obvious when a file is world-readable and obvious how to hide its
contents.

Cheers,

--
Colin Watson [cjwatson at ubuntu.com]
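
An added example, not part of the original message: a shell check for the exposure debated in this thread, listing the files under a home tree that another local user could actually read. The function names and the sample layout are constructed for illustration; it assumes the ancestors of the audited directory (such as /home and /) are traversable by others.

```shell
#!/bin/sh
# Added example (not from the thread): list files another local user can read.

# exposed_files ROOT
# Prints regular files under ROOT that have the others-read bit (004) set AND
# sit below directories that all have the others-search bit (001) set.
# A directory without o+x is pruned: nothing beneath it is reachable by other
# users, whatever the mode of the files inside.
exposed_files() {
    find "$1" \( -type d ! -perm -001 -prune \) -o \
              \( -type f -perm -004 -print \) | sort
}

# build_sample DIR: constructed layout mirroring the listing in the thread,
# created under umask 022 (new files end up 644, new directories 755).
build_sample() {
    (
        umask 022
        mkdir -p "$1/home/john/.Trash" "$1/home/rusty"
        echo "statement" > "$1/home/john/finances.txt"
        echo "deleted"   > "$1/home/john/.Trash/old.txt"
        echo "letter"    > "$1/home/rusty/letter.txt"
        # drwx------ as shown for rusty, and the locked-down .Trash
        chmod 700 "$1/home/john/.Trash" "$1/home/rusty"
    )
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_sample "$tmp"
    echo "exposed with john at 755:"
    exposed_files "$tmp/home"
    chmod 700 "$tmp/home/john"
    echo "exposed with john at 700:"
    exposed_files "$tmp/home"
    rm -rf "$tmp"
}

demo
```

All three sample files are mode 644, but only the one below a chain of o+x directories is reported, which is why the 755 versus 700 home directory mode decides what a umask of 022 exposes.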