[ubuntu-hardened] home folder permissions
John Richard Moser
nigelenki at comcast.net
Thu Nov 29 02:00:02 GMT 2007
Martin Pitt wrote:
> Hi Christer,
> Nafallo Bjälevik [2007-11-24 23:20 +0000]:
>> You must have changed that yourself. 022 is the default umask on all yet
>> released Ubuntu versions.
> Indeed. This is not a bug, but a deliberate decision. For home setups,
> 022 is better to allow people to share files easily. Files which are
I believe this thinking is flawed; however, I can agree with the
existence of setups following that.
I feel that there should be a "Shared Documents" folder (as on Windows)
with mode 01777 (temporary) owned by root:root. User home folders
should use mode 700 by default for the actual $HOME node.
I *would* like to say umask 700 *but* in reality it "doesn't really
matter" since you can't access files in mode 0700 folders if you don't
own the folder (regardless) (aside from hardlinks outside). Further,
umask 022 leaves files readable by other users, in the event they fall
into the Shared Documents folder.
I believe this secure-by-default mode is important. I suggest that users
have a simple security panel somewhere that allows them to give access
to their home directory, which just 'chmod go+rx $HOME' or 'chmod go=
$HOME' when toggled.
When Ubuntu satisfies the above conditions, users should find that they
can no longer enter other users' $HOME directories. They *should* get
used to using "Shared Documents" instead; however, at individual user
discretion, they *can* just toggle the permissions on their $HOME directory.
When we work on Windows, we juggle around a lot of CI. You may work in
finance, maybe you work for a contractor, maybe you work in IT. Imagine
the IT guy has some pretty sensitive documents in My Documents; when he
logs into MY desktop to fix it, he leaves behind a bunch of router
passwords as his roaming profile comes down.
In Windows I can't go in his folder and grab passwords for all the
routers; in Ubuntu I can. Nobody thinks about this. Users WON'T think
about anything they create in their $HOME and won't automatically
realize--hey anyone else touching this machine can read this! I believe
the responsible thing to do is to make them acknowledge that and
specifically place their documents somewhere world-accessible (or e-mail
them around ffs).
> security sensitive (.bashrc, .viminfo, .ssh, .gpg, .mozilla, etc.) are
> already 0700.
Bring back the Firefox plushy!
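A small model of the permission rules the post relies on, added here as an example and not part of the thread: it computes what umask 022 versus 077 produces, shows why a 0700 $HOME blocks "other" access regardless of the file's own mode, shows how the sticky bit on a 01777 shared folder limits deletion, and models the proposed `chmod go+rx` / `chmod go=` toggle. All mode values and usernames are constructed.

```python
"""Model of Unix permission checks discussed in the ubuntu-hardened thread.
Constructed example: no real filesystem is touched."""
import stat


def creation_mode(umask: int, directory: bool = False) -> int:
    """Mode a newly created file (base 0666) or directory (base 0777) gets
    after the process umask is applied."""
    base = 0o777 if directory else 0o666
    return base & ~umask & 0o777


def other_can_read(dir_modes, file_mode: int) -> bool:
    """True if a user who is neither owner nor group member can read a file
    reached through directories with the given modes (outermost first).
    Every directory on the path needs the 'other' search (x) bit, so a
    0700 $HOME denies access no matter how the file itself is modded."""
    for mode in dir_modes:
        if not mode & stat.S_IXOTH:
            return False
    return bool(file_mode & stat.S_IROTH)


def other_can_remove(dir_mode: int, file_owner: str, actor: str) -> bool:
    """Whether 'actor' (not the directory owner, not root) may unlink a file
    in a directory with dir_mode. Needs write+search on the directory; when
    the sticky bit (01000) is set, as in 01777, only the file owner may."""
    if not (dir_mode & stat.S_IWOTH and dir_mode & stat.S_IXOTH):
        return False
    if dir_mode & stat.S_ISVTX:
        return actor == file_owner
    return True


def toggle_home_sharing(mode: int, share: bool) -> int:
    """The proposed security-panel toggle: 'chmod go+rx $HOME' when sharing
    is enabled, 'chmod go= $HOME' when it is disabled."""
    return (mode | 0o055) if share else (mode & ~0o077)


def traversable_homes(entries):
    """Audit helper: given (user, home_mode) pairs (constructed input),
    return users whose $HOME can be entered by other local users."""
    return [user for user, mode in entries if mode & stat.S_IXOTH]
```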