[ubuntu-hardened] home folder permissions

John Richard Moser nigelenki at comcast.net
Thu Nov 29 02:00:02 GMT 2007

Martin Pitt wrote:
> Hi Christer,
> Nafallo Bjälevik [2007-11-24 23:20 +0000]:
>> You must have changed that yourself. 022 is the default umask on all yet
>> released Ubuntu versions.
> Indeed. This is not a bug, but a deliberate decision. For home setups,
> 022 is better to allow people to share files easily. Files which are

I believe this thinking is flawed; however, I can agree with the 
existence of setups following that.

I feel that there should be a "Shared Documents" folder (as on Windows) 
with mode 01777 (temporary) owned by root:root.  User home folders 
should use mode 700 by default for the actual $HOME node.

I *would* like to say umask 700 *but* in reality it "doesn't really 
matter" since you can't access files in mode 0700 folders if you don't 
own the folder (regardless) (aside from hardlinks outside).  Further, 
umask 022 leaves files readable by other users, in the event they fall 
into the Shared Documents folder.

I believe this secure-by-default mode is important.  I suggest that users 
have a simple security panel somewhere that allows them to give access 
to their home directory, which just does 'chmod go+rx $HOME' or 
'chmod go= $HOME' when toggled.

When Ubuntu satisfies the above conditions, users should find that they 
can no longer enter other users' $HOME directories.  They *should* get 
used to using "Shared Documents" instead; however, at individual user 
discretion, they *can* just toggle the permissions on their $HOME directory.

When we work on Windows, we juggle around a lot of CI.  You may work in 
finance, maybe you work for a contractor, maybe you work in IT.  Imagine 
the IT guy has some pretty sensitive documents in My Documents; when he 
logs into MY desktop to fix it, he leaves behind a bunch of router 
passwords as his roaming profile comes down.

In Windows I can't go in his folder and grab passwords for all the 
routers; in Ubuntu I can.  Nobody thinks about this.  Users WON'T think 
about anything they create in their $HOME and won't automatically 
realize: hey, anyone else touching this machine can read this!  I believe 
the responsible thing to do is to make them acknowledge that and 
specifically place their documents somewhere world-accessible (or e-mail 
them around ffs).

> security sensitive (.bashrc, .viminfo, .ssh, .gpg, .mozilla, etc.) are
> already 0700.
> Martin

Bring back the Firefox plushy!
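The layout argued for in the message above, sketched as an added example (this is not code from the post or from Ubuntu): a sticky, world-writable "Shared Documents" folder, 0700 home directories, the two-chmod toggle, and a check of what umask 022 versus 077 does to a file that lands in the shared folder. It runs against a scratch directory rather than the real /home, so no root is needed; the function names are made up for this illustration, and the mode readout assumes GNU coreutils (stat -c %a).

```shell
#!/bin/sh
# Added example, not from the original post.  Everything operates on a
# throw-away directory passed in by the caller, never on the real /home.
# Assumes GNU coreutils for `stat -c %a`.
set -e

# Build the scratch "system": one sticky, world-writable shared folder
# (the proposed 01777 root:root "Shared Documents") and two private homes.
setup_layout() {
    root=$1
    mkdir -p "$root/Shared Documents" "$root/home/alice" "$root/home/bob"
    # Like /tmp: anyone may add files, only the owner may remove them.
    chmod 1777 "$root/Shared Documents"
    # The proposed $HOME default: nobody else can even enter the directory.
    chmod 0700 "$root/home/alice" "$root/home/bob"
}

# Octal mode of a path as a string, e.g. "1777", "700", "644".
mode_of() {
    stat -c %a "$1"
}

# Create an empty file under the given umask and report its resulting mode.
# This is the post's point about 022: a file created with that umask is
# world-readable the moment it is dropped into the shared folder, whereas
# 077 keeps it 0600 and the owner has to loosen it deliberately.
file_mode_under_umask() {
    dir=$1; mask=$2; name=$3
    ( umask "$mask"; : > "$dir/$name" )
    mode_of "$dir/$name"
}

# The one-switch "security panel" from the post: open or close a home
# directory to other users using exactly the two chmod invocations given.
# Prints the resulting mode of the directory.
home_toggle() {
    home=$1; state=$2
    case $state in
        open)   chmod go+rx "$home" ;;
        closed) chmod go= "$home" ;;
        *) echo "usage: home_toggle DIR open|closed" >&2; return 1 ;;
    esac
    mode_of "$home"
}

# Walk through the whole proposal on a temporary tree.
demo() {
    tmp=$(mktemp -d)
    setup_layout "$tmp"
    echo "Shared Documents: $(mode_of "$tmp/Shared Documents")"
    echo "alice HOME:       $(mode_of "$tmp/home/alice")"
    echo "umask 022 file:   $(file_mode_under_umask "$tmp/Shared Documents" 022 a.txt)"
    echo "umask 077 file:   $(file_mode_under_umask "$tmp/Shared Documents" 077 b.txt)"
    echo "alice opened:     $(home_toggle "$tmp/home/alice" open)"
    echo "alice closed:     $(home_toggle "$tmp/home/alice" closed)"
    rm -rf "$tmp"
}

demo
```

Note that the toggle only changes the $HOME node itself: with the directory at 0700, the mode of the files inside does not matter to other users, which is the post's reason for saying the umask "doesn't really matter" there; the umask starts to matter again for anything copied into the shared folder.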
