[Bug 1829624] Re: Default permissions(0755 / umask=0022) allow other users to access files behind a password protected user account after login

Chris Rainey ckrzen at gmail.com
Mon May 20 16:37:08 UTC 2019


*** This bug is a duplicate of bug 48734 ***
    https://bugs.launchpad.net/bugs/48734

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/1829624

Title:
  Default permissions(0755 / umask=0022) allow other users to access
  files behind a password protected user account after login

Status in adduser package in Ubuntu:
  New

Bug description:
  By default, Ubuntu Desktop installs new user accounts (adduser or GUI)
  with "other=r-x" or "0755" permissions.

  This defeats the, at least casual, protections afforded by having
  separate and password protected login accounts from other users on the
  local system. Users migrating from other platforms (Windows or macOS)
  have an expectation of privacy in their accounts due to Windows and
  macOS, for example, having protections on their $HOME dirs to prevent
  the casual snooping or otherwise more mischievous actions of other
  $USERs on the local system.

  With the largest potential pool of migrations being from one of the
  above alternative operating systems, the Ubuntu (Linux for Humans)
  desktop installer and adduser.conf file should honor that expectation
  or at least make it an "Opt-Out" instead of an "Opt-In" requirement.

  What is the point, other than the FSF Hierarchy, for having a
  "Public" (0755) folder in each $USER $HOME, if any other user can
  (r)ead or (x)traverse the entire $HOME by default?

  If any of my customers discover this on older systems that I have
  installed or if I forget to set the $HOME DIR_MODE=0750 as a custom
  edit in the /etc/adduser.conf file on all new installs--it could
  greatly jeopardize my security reputation and that of Ubuntu's!

  Use cases for 0755 on Ubuntu Server are not my concern, just Desktop.

  Additionally, I routinely disable the "boot to USB" or other devices
  in the BIOS and passwd protect those settings from tampering with an
  Admin passwd in said BIOS. Very few PCs in the last decade lack this
  level of BIOS configurability.

  I also install all new Ubuntu Desktops using LUKS+LVM for the entire
  local disk(s) system.

  ProblemType: Bug
  DistroRelease: Ubuntu 19.04
  Package: adduser 3.118ubuntu1
  ProcVersionSignature: Ubuntu 5.0.0-15.16-generic 5.0.6
  Uname: Linux 5.0.0-15-generic x86_64
  ApportVersion: 2.20.10-0ubuntu27
  Architecture: amd64
  Date: Sat May 18 12:45:38 2019
  InstallationDate: Installed on 2018-11-23 (175 days ago)
  InstallationMedia: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
  PackageArchitecture: all
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: adduser
  UpgradeStatus: Upgraded to disco on 2019-04-20 (28 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/1829624/+subscriptions
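
An added example, not part of the bug report or of adduser itself: a shell audit for the condition described above, reading DIR_MODE from an adduser.conf-style file and listing home directories that grant any access to "other". The function names, the 0755 fallback when DIR_MODE is unset, and the constructed demo tree are assumptions of this example; `stat -c` is the GNU coreutils form shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the bug report): audit home-directory modes.

# Effective DIR_MODE from an adduser.conf-style file; the last uncommented
# assignment wins. Falling back to 0755 when unset is an assumption taken
# from the default named in the bug title.
conf_dir_mode() {
    mode=$(sed -n 's/^[[:space:]]*DIR_MODE=\([0-7]\{3,4\}\)[[:space:]]*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${mode:-0755}"
}

# True when the last octal digit (the "other" bits) is non-zero.
mode_allows_other() {
    case $1 in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# Print "<mode> <path>" for each directory directly under $1 that grants
# any access to "other".
audit_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        [ -L "$d" ] && continue        # skip symlinked entries
        m=$(stat -c '%a' "$d") || continue
        if mode_allows_other "$m"; then
            printf '%s %s\n' "$m" "$d"
        fi
    done
}

# Constructed demo tree standing in for /home and /etc/adduser.conf.
demo=$(mktemp -d)
mkdir -p "$demo/home/alice" "$demo/home/bob"
chmod 0755 "$demo/home/alice"      # the default the report objects to
chmod 0750 "$demo/home/bob"        # the DIR_MODE the reporter sets by hand
printf '# constructed sample\nDIR_MODE=0755\n' > "$demo/adduser.conf"

default=$(conf_dir_mode "$demo/adduser.conf")
if mode_allows_other "$default"; then
    echo "new accounts get DIR_MODE=$default (open to other users)"
fi
audit_homes "$demo/home"
rm -rf "$demo"
```

On a real system, point `conf_dir_mode` at /etc/adduser.conf and `audit_homes` at /home.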


