[Bug 48734] Re: Home permissions too open

Bruno Nova 48734 at bugs.launchpad.net
Tue Jul 1 13:02:37 UTC 2014 

I think the current permissions are not perfect.

On one hand, I understand that locking down the home folder (700 permissions) would create some problems.
Samba wouldn't be able to share any folder inside ~/ to other users (especially guest users), Apache wouldn't be able to access ~/public_html (if using Apache userdir module), users would have difficulty sharing files and folders to others and be confused, etc.

On the other hand, this is a privacy/security issue. Most people think that their home folders are private.
At least the guest session cannot access /home, and encrypted home folders are private, so it's not completely terrible.

In my humble opinion, the home folder should remain open (755 permissions), but all default folders and files inside (including ~/.config, ~/.local, etc.) should be made private (700 permissions) by default, except ~/Public.
Users can then change the permissions to share something, or move the files to ~/Public.
The file manager could also warn the user, in the permissions tab, when a file/folder, according to its permissions, should be accessible by others/group, but isn't because the parent folders are not accessible (fixing some confusion).
This would probably mean patching xdg-user-dirs-update and other stuff.

If not, the users should at least be warned that everyone can access their home folders.
This could be achieved by adding an information/warning balloon/tip to the file manager when it's in the home folder (like Nautilus does in ~/Templates), and if it's world readable (but allow the warning to be dismissed).
The warning could also be added to the "encrypt home folder" option during the installation: if it's not selected, warn the user that the home folder will be accessible by other users.

As a side note, it would be awesome if the file manager could show and manage ACLs (and setuid, setgid and sticky bits) out of the box, like KDE's Dolphin does. This would make sharing files with a specific user even easier.
"eiciel" adds ACL support to Nautilus, but it's not installed by default.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/48734

Title:
  Home permissions too open

Status in “adduser” package in Ubuntu:
  Opinion

Bug description:
  Binary package hint: debian-installer

  On a fresh dapper install i noticed that the file permissons for the
  home directory for the user created by the installer is set to 755,
  giving read access to everyone on the system.

  Surely this is a bad idea? If your set on the idea can we atleast have
  a option during the boot proccess?

  Also new files that are created via the console ('touch' etc.) are
  done so with '644' permissons, is there anything that can be done
  here? nautlius seems to create files at '600', which is a better
  setting.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/48734/+subscriptions

More information about the foundations-bugs mailing list