Ubuntu makes user home directories readable by other users

[Smartin]

Hi,

Edit 2: This is getting scary... Mods have now seen fit to try to bury this in another forum...

The attitude is that nothing must change.

Edit: An overzealous mod has made this thread very confusing by merging several other threads

What this thread is about is exploring the logic behind the decision to make Ubuntu user's Home directories readable by anyone on the box.

This is the original posting:

Hi,

It has recently come to my attention that Ubuntu Desktop sets user's Home folders up as readable by any other user on the box.

To me this is an utterly astonishing thing for a modern operating system to do. I have slept on it and I'm still stunned When I come across something which to me is so obviously off-the-scale insane but is a decision which has been taken by otherwise rational people, it makes me very curious about the logic they applied when the decision was made.

I can only assume that not enough people know about this issue or they would be up in arms about it. It would never have occurred to me that it was the case only I stumbled over it by a fluke.

I respect Ubuntu too much to let this one just go by. Ubuntu is the nearest thing we have to an effective weapon against Microsoft and this is an Achilles heel.

Ubuntu touts itself as 'Secure by design' and many sensible decisions have been taken in this regard: we all have separate user accounts, no services run by default, to log in you need to know a username *and* a password by default, etc, etc. All sensible and logical. There is even a 'sticky' at the top of the 'Security' forum saying words to the effect of 'Use strong passwords and change them regularly'.

Then all home folders are readable by anyone else on the box by default!!

What is the point of *any* password if this is the case?

I have been pointed to places like this
http://brainstorm.ubuntu.com/idea/6106/
and read through the arguments. Some are saying it's not a security issue, it's a privacy issue. To me this is a red herring. A user's home folder should be private *and* secure, period.

I also see 'If someone boots up from a live CD they can read your home folder anyway, so what's the point?'

This is a ridiculous argument. It's like saying 'Don't bother wearing a seatbelt when you are driving, If you get hit by a 20-Tonne truck, you're dead anyway, so what's the point?'

Others are saying it's a convenience thing for people to share files. Well, that's certainly true

Having World-readable Home folders is totaly inconsistent with a modern OS! It needs to be fixed!

Of course we need shared folders but we can quite easily have both shared folders and Private and Secure Home folders. They are not exclusive.

To me, the sensible model is the OSX one: Home folders are readable but any folder within this is not, other than the Web/Apache folder and the Shared folder. This is logical, secure and private. It is also convenient in terms of sharing files.

In fact I would go one step further and have two folders within the Home folder: Private and Shared. Then the conventional folders under these. But I understand that this may be a step too far

Please explain to me the logic behind the current setup, if there is any.

*And* let's not go round the 'It's easy to fix, just do this that and the other' block, I'm talking about *Default settings*. It's important!

Discuss please

Simon

The mid-section may be of interest as background but please jump to about page three for my quest to understand why the decision was made to make home folders world readable.

************************************************** ************************************

Odd one this...

I was given an old computer by our local school. It only has a 40GB drive in it so I hooked up a 320GB USB drive to it.

My boot partition is now on the 40GB drive and *everything* else is on the 320GB drive. (I would have preferred everything to be on the 320GB but couldn't get the box to boot from it)

Now I find that when I create a new user on the box, they are able to traverse the whole file system without being jailed to their own home folder. All users seem to be able to do this.

Even the root folder has access rights given to 'Others'.

Is this because it's an external drive?

What's the permanent fix? It's a drag to have to set permissions on each user specially. Even if I fix user folders manually, what do I do about the root folder?

Thanks

Simon

[asmoore82]

the external drive is probably NTFS for ******* -
all system and user folders in Linux should be a native format
such as ext3, reiserfs, or ext4.

[Smartin]

the external drive is probably NTFS for ******* -
all system and user folders in Linux should be a native format
such as ext3, reiserfs, or ext4.

asmoore82,

Thanks for your response...

The drive is formatted as ext3. I don't allow ******* in the house...

It's something else...

Simon

[michy99]

When you say that all users have access to the root folder, are you talking about / or /root? If you mean / then all users should have read and execute rights, but not write rights. What is the output of

Code:

ls -ld /

[Smartin]

When you say that all users have access to the root folder, are you talking about / or /root? If you mean / then all users should have read and execute rights, but not write rights. What is the output of

Code:

ls -ld /

Michy99,

Thanks for chipping in.

This is beginning to ring bells now. I remember being astonished that users can roam around the Ubuntu file system at will before... It would never happen on my OSX box but let's not go there...

Edit: I take this back!! It is possible. I definitely can't see inside another user's folders inside their home folders though, let alone open a document.

ls -l / gives me

Code:

rwxr-xr-x   2 root root  4096 2009-07-10 08:21 bin
drwxr-xr-x   4 root root  4096 2009-07-10 08:20 boot
lrwxrwxrwx   1 root root    11 2009-07-10 08:04 cdrom -> media/cdrom
drwxr-xr-x  16 root root  3960 2009-07-10 10:28 dev
drwxr-xr-x 124 root root  4096 2009-07-10 10:28 etc
drwxr-xr-x   4 root root  4096 2009-07-10 10:11 home
lrwxrwxrwx   1 root root    33 2009-07-10 08:20 initrd.img -> boot/initrd.img-2.6.28-11-generic
drwxr-xr-x  19 root root  4096 2009-07-10 08:21 lib
drwx------   2 root root 16384 2009-07-10 08:03 lost+found
drwxr-xr-x   4 root root  4096 2009-04-20 14:59 media
drwxr-xr-x   2 root root  4096 2009-04-13 10:33 mnt
drwxr-xr-x   2 root root  4096 2009-04-20 14:59 opt
dr-xr-xr-x 125 root root     0 2009-07-10 09:32 proc
drwx------   4 root root  4096 2009-07-10 09:32 root
drwxr-xr-x   2 root root  4096 2009-07-10 08:21 sbin
drwxr-xr-x   2 root root  4096 2009-03-06 16:21 selinux
drwxr-xr-x   2 root root  4096 2009-04-20 14:59 srv
drwxr-xr-x  12 root root     0 2009-07-10 09:32 sys
drwxrwxrwt  19 root root  4096 2009-07-10 10:28 tmp
drwxr-xr-x  11 root root  4096 2009-04-20 15:00 usr
drwxr-xr-x  15 root root  4096 2009-04-20 15:07 var
lrwxrwxrwx   1 root root    30 2009-07-10 08:20 vmlinuz -> boot/vmlinuz-2.6.28-11-generic

I confess to being a newb and knowing next to nothing about this but to my mind only
/root and /lost+found have the correct permissions. No?
This may be as it should, and I find it incredible in itself, but the permissions in my home folder

Code:

drwxr-xr-x 2 myname myname 4096 2009-07-10 08:56 Desktop
drwxr-xr-x 2 myname myname 4096 2009-07-10 08:56 Documents
-rw-r--r-- 1 myname myname  357 2009-07-10 08:17 examples.desktop
drwxr-xr-x 2 myname myname 4096 2009-07-10 08:56 Music
drwxr-xr-x 2 myname myname 4096 2009-07-10 08:56 Pictures
drwxr-xr-x 2 myname myname 4096 2009-07-10 08:56 Public
drwxr-xr-x 2 myname myname 4096 2009-07-10 08:56 Templates
drwxr-xr-x 2 myname myname 4096 2009-07-10 08:56 Videos

seem to allow any other user to access all my files.

I have just tested this by creating a test user and saving a test file on my own desktop. The test user can open and read the document when logged in to their own account.

This is on a fresh install of Jaunty, installed since my first post to make *triply* sure everything is formatted as ext3.

How can this happen? What is the permanent fix?

Isn't it a security risk to allow all users access, in any way, to the root file system? It gives me a heads-up as to username/password for a start...

I'm sure this is user error but I'm still astonished/intrigued...

Help please!!

Simon

[CatKiller]

the permissions in my home folder
seem to allow any other user to access all my files.

Yes. I don't know why it's like that, but a default install does allow each user to see the contents of each other user's Home folders. Just remove the read permission for group and others and you should be fine.

Isn't it a security risk to allow all users access, in any way, to the root file system? It gives me a heads-up as to username/password for a start...

How would one run the programs that are stored on the filesystem if one could not access the filesystem? And I have no idea how you might guess anyone's password from anything in the filesystem.

Knowing the username of other users when you already have access to the machine is pretty standard. You can have the login screen show you what they all look like too if you like.

It is possible to set your machine up to run as a kiosk if you want, but I doubt that it is.

[Smartin]

Catkiller,

Yes. I don't know why it's like that, but a default install does allow each user to see the contents of each other user's Home folders. Just remove the read permission for group and others and you should be fine.

So it seems... But surely actually being able to *read a document* isn't right??

I find it incredible that another user can even *see inside* my home folder! Incredible!

I understand it's easily remedied but it just shouldn't be that way.

How would one run the programs that are stored on the filesystem if one could not access the filesystem? And I have no idea how you might guess anyone's password from anything in the filesystem.

Knowing the username of other users when you already have access to the machine is pretty standard. You can have the login screen show you what they all look like too if you like.

Surely running an application is different from actually roaming around the system? A malicious user could garner all sorts of useful info.

As to the username/password issue, the default is that you have to know *both* the username and the password to log in. This seems sensible. Once I can roam around the file system, I can see the username quite easily. 50% less secure in a moment. Very uncool.

As to being able to actually open another user's documents, that's plain ridiculous! Surely that's not intended.

*Please* tell me I screwed up my install somehow or that it's due to my home folders being on an external disk. *Please*...

Simon

[Mka]

Try:

Code:

sudo chmod 700 /home/*

[Smartin]

Try:

Code:

sudo chmod 700 /home/*

Mka,

Thanks for that but my point is that it should absolutely not be necessary.

It's seriously making me re-evaluate whether I keep using Ubuntu as a Desktop OS.

... and I'm still convinced that I shouldn't be able to actually *open* another user's documents...

Everyone seems pretty cool about this. I'm stunned.

Simon

[michy99]

If you have anything you want to keep private, you need to encrypt it. Even if you set your home folder to 700 and don't give other users admin privileges, all they have to do is boot from a live CD and they have access to anything on the disk. This is true of any operating system.