Big Hole

Colin Watson cjwatson at ubuntu.com
Tue Feb 8 16:37:11 UTC 2005


On Tue, Feb 08, 2005 at 10:56:23AM -0500, Tres Seaver wrote:
> Colin Watson wrote:
> | On Mon, Feb 07, 2005 at 07:33:11PM +0000, baza wrote:
> |>I think I've found a security hole in my Hoary box.
> |>
> |>Without changing any of the default permissions a user on a multi-user
> |>box can see the files in another person's Home directory????
> |
> | That's a feature, not a bug. (It's awkward for users to share files
> | otherwise, which is a frequent use of a multi-user box.) If you want a
> | private directory inside which other users can't see, use 'chmod o-rwx'
> | to make other users have no permissions on it.
> 
> FWIW, the typical homedir has *lots* of stuff in it which probably
> shouldn't be exposed by default (.bash_history, for instance, as well as
> other dotfiles / configuration directories).

.bash_history is mode 600 by default, as (to my knowledge) are other
dot-directories and dotfiles that shouldn't be world-readable. It would
be a serious security issue if they were not, warranting an update to
the stable release.

The *existence* of those files is not secret.

> I could perhaps see adding a 'shared' directory ('o+rx') to '/etc/skel',
> and making the homedirs 'o+x' to allow access to it.

If the dotfiles you mention did not have appropriate permissions
already, then that would be no defence, since ".bash_history" is a
well-known name.

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
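
The check this message implies, as an added example that is not part of the original post: classify what "other" users can do with a home directory, then list the top-level dotfiles whose own mode still grants them something. The function names, the sample tree and the `.app_config` file are constructed for illustration; `find` with `-mindepth`/`-maxdepth` (GNU or BSD) is assumed.

```shell
#!/bin/sh
# Added example: audit a home directory along the lines argued in the thread.

# Classify the "other" permission bits on the directory itself.
#   listable         o+r and o+x: names can be listed and entries reached
#   traversable-only o+x only: no listing, but known names can be reached
#   names-only       o+r only: names can be listed, entries cannot be reached
#   closed           no access for other users
home_exposure() {
    if   [ -n "$(find "$1" -maxdepth 0 -perm -005)" ]; then echo listable
    elif [ -n "$(find "$1" -maxdepth 0 -perm -001)" ]; then echo traversable-only
    elif [ -n "$(find "$1" -maxdepth 0 -perm -004)" ]; then echo names-only
    else echo closed
    fi
}

# Print top-level dotfiles and dot-directories that grant any bit to "other".
# Hiding the listing (o+x without o+r) does not protect these, because names
# such as .bash_history are well known; only the entry's own mode does.
exposed_dotfiles() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' \
        \( -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# Constructed sample home directory, built in a temporary location.
demo() {
    home=$(mktemp -d)
    : > "$home/.bash_history"; chmod 600 "$home/.bash_history"
    : > "$home/.app_config";   chmod 644 "$home/.app_config"  # deliberately lax
    mkdir "$home/shared";      chmod 755 "$home/shared"       # o+rx share
    chmod 711 "$home"                                         # o+x, no o+r
    echo "home directory: $(home_exposure "$home")"
    echo "dotfiles still open to other users:"
    exposed_dotfiles "$home"
    rm -rf "$home"
}
demo
```

Tightening a flagged entry is the `chmod o-rwx` from the quoted advice, applied to that file or directory.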



