[Bug 48734] Re: Home permissions too open
Alkis Georgopoulos
48734 at bugs.launchpad.net
Mon Sep 12 07:39:37 UTC 2022
Schools have started installing/upgrading to 22.04.1 and we're just now
seeing this.
This change takes away the ability of the users to share some of their data WITHOUT involving the administrator.
It's not "privacy by default", it's "mandatory privacy".
Privacy by default could be done with umask.
Administrative actions can mitigate the issue, but they're tricky as they cannot easily be applied to users that haven't logged in yet and folders that don't exist yet.
Sudoer scripts that would give the ability to the users to share stuff by themselves can be a worse security risk.
On the other hand, encrypted home directories are a trend with similar
issues.
I guess it'll be a bit easier to rewrite all the programs that need access to /home/username to use other locations such as /run/user/XXX, /home/shared/XXX, /home/public_html/XXX, /var/lib/AccountsService/users/user/face.png, /var/spool/* etc,
than to introduce an XDG specification for a new /home/user/private directory, and rewrite all the programs that need private or encrypted data to use that one. That would be a much cleaner solution, but it can't be a goal for a single distribution.
So while this change does require us to spend some weeks reimplementing
our shared folders software, it might be for the best, let's see how it
goes. Cheers!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/48734
Title:
Home permissions too open
Status in adduser package in Ubuntu:
Fix Released
Status in shadow package in Ubuntu:
Fix Released
Status in adduser source package in Hirsute:
Fix Released
Status in shadow source package in Hirsute:
Fix Released
Status in Ubuntu RTM:
Opinion
Bug description:
Binary package hint: debian-installer
On a fresh dapper install I noticed that the file permissions for the
home directory for the user created by the installer is set to 755,
giving read access to everyone on the system.
Surely this is a bad idea? If you're set on the idea can we at least have
an option during the boot process?
Also new files that are created via the console ('touch' etc.) are
done so with '644' permissions, is there anything that can be done
here? nautilus seems to create files at '600', which is a better
setting.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/48734/+subscriptions
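
Added example, not part of the original message or of any Ubuntu tooling: it contrasts the two approaches discussed above, a restrictive umask with a 755 home versus a home directory that denies "other" entirely. The temporary directory standing in for /home/user, the 750 mode, the file name and the function names are assumptions made for the illustration.

```python
import os
import shutil
import stat
import tempfile


def first_blocker(path, start):
    """Return the first component from start down to path whose mode bits
    deny 'other' (directories need o+x, the final file needs o+r), else None.
    Only mode bits are read, no ACLs, so the result is the same for any caller."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(path, start)
    chain, current = [start], start
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        chain.append(current)
    for component in chain:
        mode = os.stat(component).st_mode
        needed = stat.S_IXOTH if stat.S_ISDIR(mode) else stat.S_IROTH
        if not mode & needed:
            return component
    return None


def demo(home_mode, umask):
    """Constructed scenario: a temporary directory stands in for /home/user."""
    base = tempfile.mkdtemp()
    old_umask = os.umask(umask)
    try:
        home = os.path.join(base, "user")
        os.mkdir(home)
        os.chmod(home, home_mode)            # chmod ignores the umask
        shared = os.path.join(home, "shared.txt")
        with open(shared, "w") as fh:        # created as 0666 & ~umask
            fh.write("constructed sample\n")
        created = stat.S_IMODE(os.stat(shared).st_mode)
        os.chmod(shared, 0o644)              # the user opts in to sharing one file
        blocker = first_blocker(shared, home)
        return created, os.path.basename(blocker) if blocker else None
    finally:
        os.umask(old_umask)
        shutil.rmtree(base)


if __name__ == "__main__":
    for home_mode, umask in ((0o755, 0o077), (0o750, 0o022)):
        created, blocker = demo(home_mode, umask)
        print(f"home={home_mode:o} umask={umask:03o} new file={created:o} "
              f"blocked by={blocker}")
```

With umask 077 the file starts private and a single chmod by its owner shares it; with a 750 home the same chmod has no effect for other users because the home directory itself cannot be traversed.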