*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Alex Murray (alexmurray):

1) Ubuntu 18.04.1
2) package passwd 4.5-1ubuntu1 (shadow)
3) Expected default home directory permissions of 0700 (no one should be able to
read anyone else's files - probably required by European GDPR and others).

4) Home directory permissions of the first created user (potential root
via sudo) on fresh Ubuntu 18.04.1 installation are 0755 (world read and
executable).

useradd -m NEWUSER also creates home directories with 0755 permissions
(rx by world).

Creating a new User via GUI also creates home directories with 0755
permissions (rx by world).

The GUI unfortunately creates Documents, Music, Videos, ... with world
readable permissions too (I have seen insecure home directory permissions
on another OS too, but there at least the subfolders did not have world
readable permissions).

Thus every local user can read files created by other local users
(security type "Loss of Privacy"). That there are other ways to read
non-encrypted files is no excuse for such open permissions.

If, e.g., this was a web server and Apache was badly configured, it could be
used to remotely read confidential information without valid credentials
too (increases risk and exploitability).

** Affects: shadow (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Ubuntu 18.04.1 and below: Information disclosure through world readable by 
default home directory permissions
https://bugs.launchpad.net/bugs/1790377
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
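
An added example, not part of the original bug report: a shell audit for the condition the report describes, listing home directories and their first-level subfolders (Documents, Music, Videos, ...) that grant any permission to "other". It assumes GNU find (for -perm /007 and -printf); the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit home directories for permissions granted to "other".
# Assumes GNU find. All names below are illustrative, not from the bug report.

# world_accessible_dirs BASE
# Prints "<octal mode> <path>" for each directory directly under BASE, and each
# directory directly inside those, whose mode has any "other" r/w/x bit set.
world_accessible_dirs() {
    # -perm /007 matches when at least one of the three "other" bits is set,
    # so 0755 and 0705 are reported while 0700 and 0750 are not.
    find "$1" -mindepth 1 -maxdepth 2 -type d -perm /007 \
        -printf '%m %p\n' 2>/dev/null | sort -k2
}

# count_world_accessible BASE
# Prints the number of directories reported by world_accessible_dirs.
count_world_accessible() {
    world_accessible_dirs "$1" | wc -l | tr -d ' '
}

# build_sample_tree
# Constructed sample input: one home with the reported 0755 default and one
# with the expected 0700. Prints the path of the temporary base directory.
build_sample_tree() {
    sample_root="$(mktemp -d)"
    mkdir -p "$sample_root/alice/Documents" "$sample_root/bob/Documents"
    chmod 0755 "$sample_root/alice" "$sample_root/alice/Documents"
    chmod 0700 "$sample_root/bob" "$sample_root/bob/Documents"
    printf '%s\n' "$sample_root"
}

# When a base directory is given on the command line (e.g. /home), audit it.
if [ "$#" -gt 0 ]; then
    world_accessible_dirs "$1"
fi
```

Run as root to see inside homes that are already 0700; an unprivileged run still reports every home that other users can enter, which is the exposure the report is about.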
