Survey: /root/ is world readable - did you know

Adam Conrad adconrad at ubuntu.com
Mon Apr 24 08:36:34 UTC 2006 

Chanchao wrote:
> On Mon, 2006-04-24 at 08:26 +0200, nodata wrote:
> 
>> I was surprised to learn that the super-users directory, /root/ is 
>> world-readable, anyone can read files in there.
>> 
>> Just a quick survey: did you realise this?

There's no harm in /root/ being world readable, since we place nothing
sensitive there by default.  If *you* choose to use /root/ to store
sensitive data, no one's stopping you from doing a "chmod 0700 /root".
Your change won't get reverted by the packaging system.

> I never wondered about /root/ specifically, but I did realise that
> (and indeed wondered why) a lot of the system files and logs are
> world readable.

If there is anything potentially sensitive that is world readable,
please file a bug on it, rather than making vague references on a
mailing list.

> Similarly, user's home folders are world readable by default, which I
>  frankly find even harder to understand.

Same as above, nothing in ~user/ is assumed to be particularly
sensitive, except for the things that are already protected.  If you
prefer to have home directories be 0751 (note that you probably want
0751, not 0750, so people can traverse homes to get to, say,
~/public_html/ and the like), you can "dpkg-reconfigure adduser" and
answer "no" the "system wide readable home directories" question.  This
won't affect current user's home directories (you can change those
manually), but will affect any future home directories created by adduser.

> It becomes even more hard to understand when you realize that for
> example Firefox bookmarks and form-data history and browser-history
> files are world readable.

Uhm, ~/.mozilla is 0700 on my machine, and always has been.  Not sure
what you're on about with this one.  The fact that it's *contents* may
or may not be world-readable is irrelevant, since you need to be able to
traverse the directory to get there.

> Same for Evolution.. WHAT?? (2) I completely cannot believe this!

Same argument for evolution, though in this case, it seems to keep
private data in a few locations, but none seem to be world-readable here.

> I think in Unix-derived OS's, 'security' seems to be limited to the 
> system itself.  We've discussed this before, how the system seems 
> bullet-proof protected, but very little stands in the way of 
> accidentally wiping out your own valuable and irreplacable files,
> either by yourself by mistake or through some trojan-horse type of
> program that you run.

Now you're off on a tangent.  "Protecting you from other users of the
system" has nothing to do with "Protecting you from yourself".  Of
course any process running as YOU will be able to delete and alter the
same files YOU can.  If you don't like this, do your day-to-day computer
usage as a user that has virtually no write access to anything.  You
might not get much done, but I guess you'll not delete your data either.

... Adam

More information about the ubuntu-users mailing list