[Bug 1790377] Re: Ubuntu 18.04.1 and below: Information disclosure through world readable by default home directory permissions
Alex Murray
alex.murray at canonical.com
Mon Sep 17 09:47:23 UTC 2018
*** This bug is a duplicate of bug 48734 ***
https://bugs.launchpad.net/bugs/48734
** This bug has been marked a duplicate of bug 48734
Home permissions too open
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1790377
Title:
Ubuntu 18.04.1 and below: Information disclosure through world
readable by default home directory permissions
Status in shadow package in Ubuntu:
New
Bug description:
1) Ubuntu 18.04.1
2) package passwd 4.5-1ubuntu1 (shadow)
3) Expected default home directory permissions of 0700 (no one should be able to read anyone else's files - probably required by European GDPR and others).
4) Home directory permissions of the first created user (potential
root via sudo) on fresh Ubuntu 18.04.1 installation are 0755 (world
read and executable).
useradd -m NEWUSER also creates home directories with 0755 permissions
(rx by world).
Creating a new User via GUI also creates home directories with 0755
permissions (rx by world).
GUI unfortunately creates Documents, Music, Videos, ... with world
readable permissions too (on another OS I have seen insecure home
directory permissions too, but there at least the subfolders did not
have world readable permissions).
Thus every local user can read files created by other local users
(security type "Loss of Privacy"). That there are other ways to read
non-encrypted files is no excuse for such open permissions.
If, e.g., this was a web server and Apache is badly configured it could
be used to remotely read confidential information without valid
credentials too (increases risk and exploitability).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1790377/+subscriptions
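Added example, not part of the bug report or of the shadow package: a shell audit for the condition described above, listing accounts whose home directory grants any access to group or other, plus the home mode that useradd -m derives from a login.defs UMASK value. The function names are made up for this example, and it assumes GNU stat (as shipped on Ubuntu) and passwd(5)-format input.

```sh
#!/bin/sh
# Added example (not from the bug report): audit home directory modes.
# Function names are hypothetical; stat -c is the GNU coreutils syntax.

# home_mode_from_umask UMASK
# Print the mode useradd -m gives a new home directory for a given
# login.defs UMASK value (0777 with the umask bits cleared).
home_mode_from_umask() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# mode_is_private MODE
# Succeed when an octal mode grants nothing to group or other.
mode_is_private() {
    [ $(( 0$1 & 077 )) -eq 0 ]
}

# audit_homes PASSWD_FILE [MIN_UID]
# Read a passwd(5)-format file and print "user home mode" for every
# account with UID >= MIN_UID whose home exists and is not private.
audit_homes() {
    passwd_file=$1
    min_uid=${2:-1000}
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$uid" in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        [ "$uid" -ge "$min_uid" ] || continue           # skip system accounts
        [ -d "$home" ] || continue                      # e.g. /nonexistent
        mode=$(stat -L -c '%a' "$home") || continue
        mode_is_private "$mode" || printf '%s %s %s\n' "$user" "$home" "$mode"
    done < "$passwd_file"
}

# Typical use on a live system:
#   audit_homes /etc/passwd
#   home_mode_from_umask "$(awk '$1 == "UMASK" {print $2}' /etc/login.defs)"
```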