Re: [Touch-packages] [Bug 48734] Re: Home permissions too open
On Mon, Sep 12, 2022 at 07:39:37AM -, Alkis Georgopoulos wrote:
> This change takes away the ability of the users to share some of their
> data WITHOUT involving the administrator.

Hello Alkis, do note that it is typical for users to own their own home directory; if a user wishes to share, they can run:

    chmod 755 ~

or

    chmod 751 ~

(The choice is based on whether they want to allow listing their home directory or not.)

Of course, they'd be wise to inspect the permissions on their other files and directories to make sure they're only sharing what they intend to share.

Of course, if the local administrator has decided that users cannot own their own home directories, then that's another question entirely, one you'll need to take up with the local administrator.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/48734

Title:
  Home permissions too open

Status in adduser package in Ubuntu: Fix Released
Status in shadow package in Ubuntu: Fix Released
Status in adduser source package in Hirsute: Fix Released
Status in shadow source package in Hirsute: Fix Released
Status in Ubuntu RTM: Opinion

Bug description:
  Binary package hint: debian-installer

  On a fresh dapper install I noticed that the file permissions for the home directory for the user created by the installer is set to 755, giving read access to everyone on the system.

  Surely this is a bad idea? If you're set on the idea can we at least have an option during the boot process?

  Also new files that are created via the console ('touch' etc.) are done so with '644' permissions, is there anything that can be done here? Nautilus seems to create files at '600', which is a better setting.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/48734/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 48734] Re: Home permissions too open
Great! Thank you for prioritizing the user's privacy!
[Touch-packages] [Bug 48734] Re: Home permissions too open
Schools have started installing/upgrading to 22.04.1 and we're just now seeing this.

This change takes away the ability of the users to share some of their data WITHOUT involving the administrator. It's not "privacy by default", it's "mandatory privacy". Privacy by default could be done with umask.

Administrative actions can mitigate the issue, but they're tricky as they cannot easily be applied to users that haven't logged in yet and folders that don't exist yet. Sudoer scripts that would give the ability to the users to share stuff by themselves can be a worse security risk.

On the other hand, encrypted home directories is a trend with similar issues. I guess it'll be a bit easier to rewrite all the programs that need access to /home/username to use other locations such as /run/user/XXX, /home/shared/XXX, /home/public_html/XXX, /var/lib/AccountsService/users/user/face.png, /var/spool/* etc, than to introduce an XDG specification for a new /home/user/private directory, and rewrite all the programs that need private or encrypted data to use that one. That would be a much cleaner solution, but it can't be a goal for a single distribution.

So while this change does require us to spend some weeks reimplementing our shared folders software, it might be for the best, let's see how it goes.

Cheers!
[Touch-packages] [Bug 48734] Re: Home permissions too open
As noted in the discourse thread on this https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533 - I think a similar ACL approach should be able to be used to give the www-data user or similar access to your home dir for ~/public_html or for samba as needed.
[Touch-packages] [Bug 48734] Re: Home permissions too open
Just two things that are broken with DIR_MODE=0750 (Which are still perfectly supported with the proof-of-concept lock-down plus improved-usability script from the last post. Independently from the additional group directories that it introduces.)

* samba usershares
* ~/public_html
[Touch-packages] [Bug 48734] Re: Home permissions too open
--- Avoiding the caveat of "this does not work"? ---

You may just not have thought yet of this solution that can be implemented with little adjustment: ( Privacy by default? YES, even with improved usability! )

Here is a trial script: https://salsa.debian.org/freedombox-team/freedombox/-/snippets/518

The privacy by default solution goes along these lines:

* Simply let $HOME point to /home//public_html
* /home//incoming
* /home/group/users/
* /home/group/admin/private
* /home/group/admin/incoming

These kinds of different problems just need to be seen and solved together.
[Touch-packages] [Bug 48734] Re: Home permissions too open
Hello,

I'm the original bug reporter back from 2006 and I've been watching the development of this bug over the years and I just wanted to say a big thank you to everyone for getting this sorted!

- Dan
Re: [Touch-packages] [Bug 48734] Re: Home permissions too open
On 18/01/2021 12:46, Launchpad Bug Tracker wrote:
> This bug was fixed in the package adduser - 3.118ubuntu5
>
> ** Changed in: adduser (Ubuntu Hirsute)
>        Status: Fix Committed => Fix Released

\o/

Well done and thank you to everyone who worked to make this happen.

I wonder if there will ever be another LP bug <50k that gets fix-released?

Mark
[Touch-packages] [Bug 48734] Re: Home permissions too open
This bug was fixed in the package adduser - 3.118ubuntu5

---
adduser (3.118ubuntu5) hirsute; urgency=medium

  * Enable private home directories by default (LP: #48734)
    - Set DIR_MODE=0750 in the default adduser.conf
    - Change the description and default value to select private home
      directories by default in debconf template
    - Change the DIR_MODE when private home directories is configured via
      debconf from 0751 to 0750 to ensure files are truly private

 -- Alex Murray Wed, 06 Jan 2021 16:46:50 +1030

** Changed in: adduser (Ubuntu Hirsute)
       Status: Fix Committed => Fix Released
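An added example, not part of the thread or of adduser: a shell audit that classifies each home directory by what users outside the owner and group can do with it (the 755 / 751 cases from the chmod reply and the 0751 to 0750 change in this changelog) and lists the files that stay reachable. It assumes GNU stat and find as shipped on Ubuntu; the function names and the sample directories are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit home-directory exposure from mode bits only.
# POSIX ACLs are not inspected here; check those separately with getfacl.

# classify_mode MODE -> listable | traversable | names-only | private
# MODE is an octal string such as 755 or 0750; only the "other" digit matters.
classify_mode() {
    other=${1#"${1%?}"}            # last octal digit = permissions for "other"
    case $other in
        5|7) echo listable ;;      # r-x: entries can be listed and reached
        1|3) echo traversable ;;   # --x: no listing, but known paths still resolve
        4|6) echo names-only ;;    # r--: names visible, nothing inside reachable
        *)   echo private ;;       # ---: closed to everyone outside owner/group
    esac
}

# exposed_files DIR -> files under DIR that "other" can actually read.
# Directories without o+x are pruned, because nothing below them is reachable
# regardless of the file's own mode. This is why 0751 is not private: a 644
# file in a 751 home is readable by anyone who knows or guesses its name.
exposed_files() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print
}

# audit_homes BASE -> one line per directory in BASE: "<mode> <class> <path>"
audit_homes() {
    for dir in "$1"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue   # skip symlinks, non-dirs
        mode=$(stat -c '%a' -- "$dir")                 # GNU coreutils stat
        printf '%s %s %s\n' "$mode" "$(classify_mode "$mode")" "$dir"
    done
}

# Constructed demo: three sample "homes" with the modes discussed in the thread.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/alice" "$base/bob" "$base/carol"
    : > "$base/bob/notes.txt";   chmod 644 "$base/bob/notes.txt"
    : > "$base/carol/notes.txt"; chmod 644 "$base/carol/notes.txt"
    chmod 755 "$base/alice"   # old default: world-listable
    chmod 751 "$base/bob"     # no listing, traversal still allowed
    chmod 750 "$base/carol"   # DIR_MODE=0750: closed to "other"
    audit_homes "$base"
    echo "reachable by other in bob:";   exposed_files "$base/bob"
    echo "reachable by other in carol:"; exposed_files "$base/carol"
    rm -rf "$base"
}
demo
```

On a real system, call `audit_homes /home` instead of `demo`, as root so that find can descend into every home.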
[Touch-packages] [Bug 48734] Re: Home permissions too open
The issue with rootless podman userns mapping is described here (postgres db confined in host user home): https://www.redhat.com/sysadmin/rootless-podman-makes-sense
[Touch-packages] [Bug 48734] Re: Home permissions too open
Probably, behind the original decision there were also issues of home access, required by some unprivileged services, like apache (userdir).

Today, letting all users access any ~/Doc,~/Pic,~/Video looks like a huge security hole (MS Windows denies this).

But anyway, today 'user' access should support user namespaces (subuid/subgid). This is required for rootless container development (podman, docker).

Another point is "sandbox model" by snap/flatpak. In particular in "partial" supported scenarios: Snap+SELinux (fedora) and Flatpak+AppArmor (ubuntu)
[Touch-packages] [Bug 48734] Re: Home permissions too open
Updates for adduser and shadow were both uploaded to hirsute-proposed yesterday as per https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2021-January/018901.html:

https://launchpad.net/ubuntu/+source/shadow/1:4.8.1-1ubuntu8
https://launchpad.net/ubuntu/+source/adduser/3.118ubuntu5

shadow has already migrated to the release pocket, and with any luck adduser will migrate soon too which should resolve this issue.

** Also affects: shadow (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: adduser (Ubuntu Hirsute)
   Importance: Medium
       Status: Opinion

** Also affects: shadow (Ubuntu Hirsute)
   Importance: Undecided
       Status: New

** Changed in: adduser (Ubuntu Hirsute)
       Status: Opinion => Fix Committed

** Changed in: shadow (Ubuntu Hirsute)
       Status: New => Fix Committed

** Changed in: shadow (Ubuntu Hirsute)
       Status: Fix Committed => Fix Released

** Changed in: shadow (Ubuntu Hirsute)
     Assignee: (unassigned) => Alex Murray (alexmurray)

** Changed in: adduser (Ubuntu Hirsute)
     Assignee: (unassigned) => Alex Murray (alexmurray)
[Touch-packages] [Bug 48734] Re: Home permissions too open
Just chiming in here to add my support for this. I don't think there's anything more to say really. It's already been said very clearly why this should be changed. We should always have privacy by default. It genuinely boggles my mind that there would be any opposition to this.
[Touch-packages] [Bug 48734] Re: Home permissions too open
It really surprises me (negatively) that most Ubuntu experts seem to agree on this design decision. Isn't it a well accepted fact that security can affect usability?

Now, about:

> We assume that the people who share the machine are either trusted, or in a position to hack the machine (boot from USB!) trivially.

That assumption is not correct for me, for example, when I lend my computer to someone else, I don't usually trust them completely (so I'm still sitting near enough so they can't boot from a USB without being caught) and I just want to share with them the minimum they need to get their work done and having access to my personal files is not part of what they require.

And about:

> Now, in a more complex environment, like a university machine with many users, people do not have access to the hardware and can't easily root the box, but they also have the sysadmin skills to change the default permission.

I think that it doesn't hold a totally valid point as sysadmins like me tend to think that the default system settings are always secure enough for most regular deployments, so you don't think it is a good idea to change those settings unless you've read a thread like this one... which not everyone is willing to look for and then read.

Finally, it seems to me that this default setting damages Linux reputation (for non-experts) of being a secure OS.
[Touch-packages] [Bug 48734] Re: Home permissions too open
** Changed in: ubuntu-rtm
       Status: New => Won't Fix

** Changed in: ubuntu-rtm
       Status: Won't Fix => Opinion
[Touch-packages] [Bug 48734] Re: Home permissions too open
It has been my experience, lately, that individuals or families sharing a computer have a single login account, i.e. "Family", etc.. This is probably due to the perception by such simple-needs $USER's or their family I.T. guru, that--it is the easiest way to overcome the reasonable and appropriate account isolation techniques, by default, in Windows or macOS. I suggest that the same could be true for Ubuntu and it would hardly be noticed, except by experienced *nix $USERS, most of whom-- would already know how to twiddle the appropriate bits, if needed, to open their $HOMES.
[Touch-packages] [Bug 48734] Re: Home permissions too open
If I invite you into my house(physical), then I don't expect you to go through my filing cabinets or closets, when I'm not looking, without explicitly giving you those "permissions(0755)". "Good fences make good neighbours" and "Locks keep out only the honest" are equally true. Placing convenience-over-privacy, by default, in this post-GDPR / Facebook & Twitter leaks / Equifax breach / Edward Snowden & Julian Assange(perhaps heroes to those of us in the USA), etc. seems to be unconscionable.
[Touch-packages] [Bug 48734] Re: Home permissions too open
Whoa...Robbie, I'm just looking out for all the new users and admins that are coming in from other platforms that could reasonably be surprised by this and not Unix/Linux veterans who broke their teeth with vi on Slackware, etc. Believe it or not, with WSL-2 and other notable advancements of Ubuntu coming on to the radar of mainstream and mostly Microsoft-trained admins, we have an _opportunity_ here to create mindshare and loyalty for migrations of huge workloads to our platform-of-choice and, arguably, the best platform for safer and more secure computing as opposed to having the majority of PC users in the world stay on one company's monoculture-vision of desktop computing. I'm attempting to spread the Gospel-of-GNU (Ubuntu) everywhere. We're on the same team, my friend.

Obscure wiki articles and 13-year old "opinion"-marked bugs will _not_ be the first place new admins or users will find out about this issue! Heck, I've been a Linux user since 2004 ("Red Hat 8" (before Fedora was even a thing) box-set purchased at a CompUSA store), then Slackware and an Ubuntu convert since 2012 or so. I should know better than to leave multi-user seats unaudited for permissions after creation (or even during by not having edited the adduser.conf file). But even I just _assumed_ that a modern desktop would surely put security ahead of convenience! I didn't even know that this "security" issue was a "feature" till I started setting up multi-user local seats and even then--I may have just started using ecryptfs as a workaround. Now--even that option is gone from user(admin)-facing installer widgets.

Put yourself in the shoes of a new or migrating small to medium sized business CIO or IT-manager looking to convert from the soon-to-be out-of-service "Windows 7" in order to keep fleets of older boxes running for daily knowledge-worker or office-productivity users who share desktop PCs over the course of 24/7 shifts at the office.

What would you think if every system that you had installed or understood to be the out-of-box defaults for the past few decades was based on blocking vs allowing? And you took the risk of allowing this "Linux-thing" (yes...this is what I have heard it called many times) only to discover the opposite, a permissive rule set, without any warning.

Ubuntu is growing rapidly...I want to see it succeed despite its geeks-only reputation. I think sensible defaults are good to always be working on (not just "opining" about in 13-year old bugs).

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to adduser in Ubuntu.
https://bugs.launchpad.net/bugs/48734

Title:
  Home permissions too open

Status in adduser package in Ubuntu:
  Opinion
Status in Ubuntu RTM:
  New

Bug description:
  Binary package hint: debian-installer

  On a fresh dapper install I noticed that the file permissions for the home directory for the user created by the installer is set to 755, giving read access to everyone on the system. Surely this is a bad idea? If you're set on the idea can we at least have an option during the boot process?

  Also new files that are created via the console ('touch' etc.) are done so with '644' permissions, is there anything that can be done here? Nautilus seems to create files at '600', which is a better setting.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adduser/+bug/48734/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
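The permission audit of multi-user seats mentioned in the message above can be scripted. This is an added example, not part of the thread or of any Ubuntu package; it assumes GNU `stat` and that home directories sit directly under one base directory (`/home` by default), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: list home directories that grant any access to "other"
# users (the 755 default this bug report is about) and tighten one on request.

# mode_of DIR: print the octal permission bits of DIR, e.g. 755.
# Assumes GNU coreutils stat (-c is not portable to BSD stat).
mode_of() {
    stat -c '%a' "$1"
}

# audit_homes BASE: print "MODE PATH" for every directory directly under
# BASE whose last octal digit (the "other" bits) is not 0.
audit_homes() {
    base=$1
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        dir=${dir%/}
        [ -L "$dir" ] && continue      # skip symlinks to directories
        mode=$(mode_of "$dir")
        case $mode in
            *0) ;;                     # other has no access: fine
            *)  printf '%s %s\n' "$mode" "$dir" ;;
        esac
    done
}

# tighten_home DIR: remove all access for "other", leaving owner and
# group bits as they were (755 becomes 750, 751 becomes 750).
tighten_home() {
    chmod o-rwx "$1"
}

# Existing accounts need the chmod above; for accounts created later,
# adduser takes the mode from DIR_MODE in /etc/adduser.conf.
audit_homes "${1:-/home}"
```

The audit only looks at the top-level directory mode; files inside a home directory keep whatever mode the user's umask gave them.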
[Touch-packages] [Bug 48734] Re: Home permissions too open
> Wow! Approaching 13-years and counting on this bug. Neat.

What's your point in making this statement? A decision was made soon after the bug was filed and that decision still stands today. What does the age of the decision have to do with it?

> Why not just throw a simple toggle into the installer, to surface this issue, offering admins the option?

There are negative UX consequences of every "why not just ask the user" in the installer. It's not reasonable to demand that the user receive an education on using the system before being allowed to install it, which is what it used to feel like to install Debian around the time Ubuntu launched (I don't know what the Debian installer experience is now). Part of the point of Ubuntu was to do the sensible thing and not ask a million questions.

I am not looking to make a statement either way on this particular decision. My point is merely that there *is* a UX downside to "throw a simple toggle into the installer" and you are in competition with a bunch of other Ubuntu users who want _their_ question asked by the installer because they don't like some other default.
[Touch-packages] [Bug 48734] Re: Home permissions too open
Wow! Approaching 13-years and counting on this bug. Neat.

Desktop Linux: The principle of least astonishment (POLA) should _always_ be priority-one with Security. Open $HOME's are a surprise to me and everyone I know. Now that cloud storage has taken the desktop users of the world by storm, is the need to have open (r-x) $HOME dirs still needed? We've lost the 'Guest' user login since 18.04 and we've lost ecryptfs as an option in the installer.

Why not just throw a simple toggle into the installer, to surface this issue, offering admins the option?
[Touch-packages] [Bug 48734] Re: Home permissions too open
In the server edition this should not be enabled.
[Touch-packages] [Bug 48734] Re: Home permissions too open
** Also affects: ubuntu-rtm Importance: Undecided Status: New
[Touch-packages] [Bug 48734] Re: Home permissions too open
This needs to be reconsidered. All user comments in this thread refuse the official explanation given in comment #1