Re: Default Homedir Permissions
On Thu, 17 Feb 2011 14:58:36 +, Roger Leigh rle...@codelibre.net wrote:
> Should it be locked down like Fort Knox?

No. That'll lead to inexperienced users working as root since they're too stup^winexperienced to grok permissions.

Greetings
Marc
--
-------- !! No courtesy copies, please !! --------
Marc Haber         | Questions are the           | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom         | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1pqhrz-y8...@swivel.zugschlus.de
Re: Default Homedir Permissions
On Thu, 17 Feb 2011 15:06:59 +, Roger Leigh rle...@codelibre.net wrote:
> On Thu, Feb 17, 2011 at 01:44:26PM +, Ian Jackson wrote:
>> Perhaps it might be reasonable to try to find a way for accounts like msql and www-data not to be able to access home directories (add daemon to their supplementary group list and set the permissions of /home 0705 to root.daemon, perhaps), but is this really worthwhile ? If it is, the right thing to do is to go away and think about exactly how to do it, not to file a bug asking for the default home directory permissions to be changed.
>
> This is easily accomplished using ACLs.

Please, don't force this on a default install.

Greetings
Marc
--
-------- !! No courtesy copies, please !! --------
Marc Haber         | Questions are the           | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom         | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834

Archive: http://lists.debian.org/e1pqhti-000132...@swivel.zugschlus.de
Re: Default Homedir Permissions
On Sat, Feb 19, 2011 at 9:10 AM, Marc Haber mh+debian-de...@zugschlus.de wrote:
>>> On Thu, Feb 17, 2011 at 01:44:26PM +, Ian Jackson wrote:
>>>> Perhaps it might be reasonable to try to find a way for accounts like msql and www-data not to be able to access home directories (add daemon to their supplementary group list and set the permissions of /home 0705 to root.daemon, perhaps), but is this really worthwhile ? If it is, the right thing to do is to go away and think about exactly how to do it, not to file a bug asking for the default home directory permissions to be changed.
>>>
>>> This is easily accomplished using ACLs.
>
> Please, don't force this on a default install.

Force what? ACLs being usable by default or ACLs being used?

--
Olaf

Archive: http://lists.debian.org/AANLkTi=zjRhJ2t7E+gKytC9ts1gy=ypkqenklspp1...@mail.gmail.com
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 11:55:16AM -0500, Martin Owens wrote:
>> 0755 is not inherently insecure. Others can't make any changes, but they can look. The only issue here is accidental disclosure of information intended to be private.
>
> If public by default is the way we want to go, then why not have a Private folder be default in the user's home directory? Combined with the indication emblem in nautilus; this might provide a space for users to put data. ATM it's too hard to teach users how to secure a folder or even how to set up an encrypted folder.

I think this is an excellent idea, because the presence of a private folder in the user's home implicitly implies that the rest of the home is /not/ private, i.e. is self-documenting. We could even put a README file inside explaining what the purpose is, and how to change the permissions should they want to.

We could even do the opposite (create a public folder) if the permissions are 0750, though this would require either 0751 or ACLs to be actually accessible. Again, we could include a README file instructing the user how to do this.

The Nautilus emblems idea is, I think, a fairly straightforward exercise should we wish to do this. It already puts "no entry" emblems on folders you don't have permission to enter, so it's not a big change to additionally flag up folders which others have read and write access to.

Regards,
Roger

--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
Re: Default Homedir Permissions
On Sat, Feb 19, 2011 at 11:43 AM, Roger Leigh rle...@codelibre.net wrote:
> We could even do the opposite (create a public folder) if the permissions are 0750, though this would require either 0751 or ACLs to be actually accessible. Again, we could include a README file instructing the user how to do this.

Or it could be a symlink to a public user dir outside of /home such that 751 isn't necessary.

Olaf

Archive: http://lists.debian.org/AANLkTinzOaT5=LQTxxeQHkR=rhnbrkvtypewukxeh...@mail.gmail.com
Re: Default Homedir Permissions
On Sat, 19 Feb 2011 10:47:42 +0100, Olaf van der Spek olafvds...@gmail.com wrote:
> On Sat, Feb 19, 2011 at 9:10 AM, Marc Haber mh+debian-de...@zugschlus.de wrote:
>>>> On Thu, Feb 17, 2011 at 01:44:26PM +, Ian Jackson wrote:
>>>>> Perhaps it might be reasonable to try to find a way for accounts like msql and www-data not to be able to access home directories (add daemon to their supplementary group list and set the permissions of /home 0705 to root.daemon, perhaps), but is this really worthwhile ? If it is, the right thing to do is to go away and think about exactly how to do it, not to file a bug asking for the default home directory permissions to be changed.
>>>>
>>>> This is easily accomplished using ACLs.
>>
>> Please, don't force this on a default install.
>
> Force what? ACLs being usable by default or ACLs being used?

ACLs being used. Additionally, it should be possible to remove acl-related packages.

Greetings
Marc
--
-------- !! No courtesy copies, please !! --------
Marc Haber         | Questions are the           | Mailadresse im Header
Mannheim, Germany  | Beginning of Wisdom         | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fon: *49 621 72739834

Archive: http://lists.debian.org/e1pqnih-0006zj...@swivel.zugschlus.de
Re: Default Homedir Permissions
On Thursday 17 February 2011 22:18:25 Ron Johnson wrote:
> On 02/17/2011 08:58 AM, Roger Leigh wrote:
> [snip]
>> Should it be locked down like Fort Knox?
>
> There's a heck of a lot of middle ground between Fort Knox and Hippy Commune.

We are not a hippy commune, just two married people, but I like to hear music from my wife's home, and she often looks at documents that are in my home, so the actual default fits quite well for 90% of computers out there: home computers.

Think too on fathers accessing their minor child homes, offices in which documents are property of the business and not of any worker, etc.

Just my (non DD) two cents

Noel
er Envite

Archive: http://lists.debian.org/201102181326.18332.env...@rolamasao.org
Re: Default Homedir Permissions
On Fri, Feb 18, 2011 at 2:26 PM, Noel David Torres Taño env...@rolamasao.org wrote:
> On Thursday 17 February 2011 22:18:25 Ron Johnson wrote:
>> On 02/17/2011 08:58 AM, Roger Leigh wrote:
>> [snip]
>>> Should it be locked down like Fort Knox?
>>
>> There's a heck of a lot of middle ground between Fort Knox and Hippy Commune.
>
> We are not a hippy commune, just two married people, but I like to hear music from my wife's home, and she often looks at documents that are in my home, so the actual default fits quite well for 90% of computers out there: home computers.

IIRC many weren't that happy with Windows 9x not supporting access control. I guess times have changed.

> Think too on fathers accessing their minor child homes, offices in which documents are property of the business and not of any worker, etc.

What about a minor child downloading a trojan (for whatever reason) which accesses the father's home? A bug in a web script leading to www-data being compromised, and thus having read access to /home?

--
Olaf

Archive: http://lists.debian.org/AANLkTimFfQ=1rk5_dfsbwe4addrf+guzucgg3dius...@mail.gmail.com
Re: Default Homedir Permissions
On 02/18/2011 07:26 AM, Noel David Torres Taño wrote:
> On Thursday 17 February 2011 22:18:25 Ron Johnson wrote:
>> On 02/17/2011 08:58 AM, Roger Leigh wrote:
>> [snip]
>>> Should it be locked down like Fort Knox?
>>
>> There's a heck of a lot of middle ground between Fort Knox and Hippy Commune.
>
> We are not a hippy commune, just two married people, but I like to hear music from my wife's home, and she often looks at documents that are in my home, so the actual default fits quite well for 90% of computers out there: home computers.

One solution is ~/Shared/Music and ~/Shared/Documents.

Another solution is groups. (If you want to use a computer, you should learn how to use it...)

A third solution is moving all the shared stuff out of $HOME and into a separate partition symlinked back to $HOME.

    $ dir Music
    lrwxrwxrwx 1 me me 21 2009-03-20 16:30:56 Music -> /data/big/share/music/
    $ dir /data/big/share/music/
    total 44856
    drwxr-xr-x  16 me all_ages     4096 2009-03-20 16:31:12 ./
    drwxrwxr-x   6 me all_ages       54 2011-01-10 16:03:46 ../
    -rwxr-xr-x   1 me all_ages 13624815 2006-07-14 15:35:06 060714PodcastBigelowAstronaut.mp3*
    -rwxr-xr-x   1 me all_ages  2133908 2006-06-06 23:40:53 4400_theme_A_Place_In_Time.mp3*
    drwxr-xr-x 173 me all_ages     8192 2010-12-06 20:43:09 artists/
    -rwxr-xr-x   1 me all_ages  1397888 2006-06-29 10:19:48 billy_west.mp3*
    drwxr-xr-x   2 me all_ages     4096 2007-09-04 19:55:41 cadences/
    drwxr-xr-x   2 me all_ages        6 2003-12-27 11:48:50 Childrens/
    drwxr-xr-x  14 me all_ages     4096 2010-12-06 21:15:09 Classical/
    drwxr-xr-x   2 me all_ages     4096 2007-12-07 10:24:50 Country/
    lrwxrwxrwx   1 me all_ages       14 2011-01-10 12:58:54 Disney -> artists/Disney/
    -rwxr-xr-x   1 me all_ages   644906 2004-01-24 15:48:55 drwho2.mp3*
    -rwxr-xr-x   1 me all_ages  1216775 2004-01-24 15:49:38 drwho3.mp3*
    -rwxr-xr-x   1 me all_ages   368856 2004-01-24 15:48:27 drwho.mp3*
    drwxr-xr-x   2 me all_ages     4096 2009-12-08 18:08:25 Folk/
    drwxr-xr-x   5 me all_ages     4096 2007-12-08 13:50:47 Holiday/
    drwxr-xr-x   2 me all_ages       88 2007-12-06 19:38:22 Jazz/
    drwxr-xr-x   2 me all_ages      125 2010-04-04 09:45:56 Lite_Rock/
    drwxr-xr-x   2 me all_ages       73 2010-10-16 17:20:22 RB/
    drwxr-xr-x   2 me all_ages     4096 2010-10-16 18:57:47 Rock/
    drwxr-xr-x   2 me all_ages     4096 2010-12-06 21:14:35 Soundtracks/
    drwxr-xr-x   2 me all_ages        6 2007-05-31 09:51:03 streams/
    -rwxr-xr-x   1 me all_ages 23748420 2006-04-11 11:35:17 SXSW06.INT.20060311.DanielGilbert.mp3*
    drwxr-xr-x  13 me all_ages     4096 2007-12-08 13:50:34 various/
    -rwxr-xr-x   1 me all_ages  2610675 2006-08-20 22:21:56 Yugo.mp3*

> Think too on fathers accessing their minor child homes,

The root password gets me just about anywhere I want to go.

> offices in which documents are property of the business and not of any worker, etc.

Since the documents are the property of the business, not the workers, they should be in shared folders anyway.

--
"The normal condition of mankind is tyranny and misery."
Milton Friedman

Archive: http://lists.debian.org/4d5ebe09.5000...@cox.net
Re: Default Homedir Permissions
On Friday 18 February 2011 18:44:25 Ron Johnson wrote:
> On 02/18/2011 07:26 AM, Noel David Torres Taño wrote:
>> On Thursday 17 February 2011 22:18:25 Ron Johnson wrote:
>>> On 02/17/2011 08:58 AM, Roger Leigh wrote:
>>> [snip]
>>>> Should it be locked down like Fort Knox?
>>>
>>> There's a heck of a lot of middle ground between Fort Knox and Hippy Commune.
>>
>> We are not a hippy commune, just two married people, but I like to hear music from my wife's home, and she often looks at documents that are in my home, so the actual default fits quite well for 90% of computers out there: home computers.
>
> One solution is ~/Shared/Music and ~/Shared/Documents.

That's more complicated than the actual simpler solution

> Another solution is groups. (If you want to use a computer, you should learn how to use it...)

That's more complicated too... I use that only when write access is needed

> A third solution is moving all the shared stuff out of $HOME and into a separate partition symlinked back to $HOME.

That needs to be thought of at installation, and moreover complicates security copies.

[...]

>> Think too on fathers accessing their minor child homes,
>
> The root password gets me just about anywhere I want to go.

root access is just for more serious things, like system administration, and it is recommended not to run graphical apps as root, so it is not the solution, just your broken workaround for an actually non-existent problem

>> offices in which documents are property of the business and not of any worker, etc.
>
> Since the documents are the property of the business, not the workers, they should be in shared folders anyway.

Why? The default on creating a document is to save it in the user's home; just let it not be private.

There are a lot of people happy with the actual default, so the best solution is to keep it as is, and allow those admins who need it to change the behaviour on their systems only

Noel
er Envite

Archive: http://lists.debian.org/201102182240.12738.env...@rolamasao.org
Re: Default Homedir Permissions
* Olaf van der Spek olafvds...@gmail.com [2011-02-17 13:51]:
> Default homedir permissions are 755. World-readable (and listable). Common (security) sense says that permissions that are not required should not be granted. For example, accounts mysql and www-data should not have access to my documents.
>
> Some time ago I filed a bug related to this: 398793
> The maintainer didn't agree and asked me to bring this up on this list. What do you think?
>
> The (only) disadvantage is that ~/public_html requires you to grant permission manually.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=398793

IIRC you are asked during installation if you want world readable home directories or not.

Kind regards, Martin

Archive: http://lists.debian.org/20110217125231.gt12...@anguilla.debian.or.at
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 1:52 PM, Martin Wuertele m...@debian.org wrote:
> IIRC you are asked during installation if you want world readable home directories or not.

No you're not. Unless (I assume) you do an expert install. Even then, non-world-readable means 751, not 750. The default should still change.

--
Olaf

Archive: http://lists.debian.org/AANLkTi=66vthmh2--ape7jqq4nwv_jdf1rhl17amk...@mail.gmail.com
Re: Default Homedir Permissions
* Olaf van der Spek olafvds...@gmail.com [2011-02-17 13:56]:
> On Thu, Feb 17, 2011 at 1:52 PM, Martin Wuertele m...@debian.org wrote:
>> IIRC you are asked during installation if you want world readable home directories or not.
>
> No you're not. Unless (I assume) you do an expert install. Even then, non-world-readable means 751, not 750. The default should still change.

You are right about the expert install (I can't remember when I last did a non-expert install). 751 together with a default umask of 027 would work, however several programs don't work flawlessly with non-022 or non-002 umasks (eg #531885).

Kind regards, Martin

p.s. no need to CC me as I'm subscribed

Archive: http://lists.debian.org/20110217132710.gu12...@anguilla.debian.or.at
Re: Default Homedir Permissions
Olaf van der Spek writes ("Default Homedir Permissions"):
> Default homedir permissions are 755. World-readable (and listable). Common (security) sense says that permissions that are not required should not be granted. For example, accounts mysql and www-data should not have access to my documents.

I disagree with this conclusion, because I disagree with the underlying implication that the general readability of files is not needed. Most installed systems have a smallish number of users who know each other reasonably well and would like to be able to share files. It does not make sense to put strong privacy barriers in between those users. Sensitive data like email and browser histories are already made non-world-readable.

So the default is correct.

Perhaps it might be reasonable to try to find a way for accounts like msql and www-data not to be able to access home directories (add daemon to their supplementary group list and set the permissions of /home 0705 to root.daemon, perhaps), but is this really worthwhile ? If it is, the right thing to do is to go away and think about exactly how to do it, not to file a bug asking for the default home directory permissions to be changed.

Ian.

Archive: http://lists.debian.org/19805.9786.37599.609...@chiark.greenend.org.uk
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 2:44 PM, Ian Jackson ijack...@chiark.greenend.org.uk wrote:
> Olaf van der Spek writes ("Default Homedir Permissions"):
>> Default homedir permissions are 755. World-readable (and listable). Common (security) sense says that permissions that are not required should not be granted. For example, accounts mysql and www-data should not have access to my documents.
>
> I disagree with this conclusion, because I disagree with the underlying implication that the general readability of files is not needed. Most installed systems have a smallish number of users who know each other reasonably well and would like to be able to share files. It

What are those assumptions based on? And how do you go from "want to share some files" to "default to share all files"?

> does not make sense to put strong privacy barriers in between those users. Sensitive data like email and browser histories are already made non-world-readable.

chmod 755 ~ is not a hard way to remove the barrier.

> So the default is correct.
>
> Perhaps it might be reasonable to try to find a way for accounts like msql and www-data not to be able to access home directories (add daemon to their supplementary group list and set the permissions of /home 0705 to root.daemon, perhaps), but is this really worthwhile ?

That would be another violation of general security principles (access control based on exclusion instead of inclusion);

> If it is, the right thing to do is to go away and think about exactly how to do it, not to file a bug asking for the default home directory permissions to be changed.

The bug wasn't about that, although it was related.

--
Olaf

Archive: http://lists.debian.org/AANLkTim3=P6Ed-=z+vnpagvfhm-fh+4gn32pbso3m...@mail.gmail.com
Re: Default Homedir Permissions
Olaf van der Spek writes ("Re: Default Homedir Permissions"):
> chmod 755 ~ is not a hard way to remove the barrier.

We are arguing about defaults, so this is not a relevant answer.

> What are those assumptions based on?

I could ask you the same question. We are arguing in a vacuum.

I don't think we should make a change, but people who want defaults changed always make more noise than people who are happy with the way they are. I just wanted to make it clear that this change would not be universally welcomed.

I don't think there is anything else useful to be said in this subthread.

Ian.

Archive: http://lists.debian.org/19805.13004.7522.663...@chiark.greenend.org.uk
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 03:31:18PM +0100, Olaf van der Spek wrote:
> On Thu, Feb 17, 2011 at 2:44 PM, Ian Jackson ijack...@chiark.greenend.org.uk wrote:
>> Olaf van der Spek writes ("Default Homedir Permissions"):
>>> Default homedir permissions are 755. World-readable (and listable). Common (security) sense says that permissions that are not required should not be granted. For example, accounts mysql and www-data should not have access to my documents.
>>
>> I disagree with this conclusion, because I disagree with the underlying implication that the general readability of files is not needed. Most installed systems have a smallish number of users who know each other reasonably well and would like to be able to share files. It
…
>> So the default is correct.
>>
>> Perhaps it might be reasonable to try to find a way for accounts like msql and www-data not to be able to access home directories (add daemon to their supplementary group list and set the permissions of /home 0705 to root.daemon, perhaps), but is this really worthwhile ?
>
> That would be another violation of general security principles (access control based on exclusion instead of inclusion);

There are obviously differences of opinion in our expectations of how secure a default installation should be. Should it be locked down like Fort Knox? Should it be generally usable, and easy for users to see each other's stuff?

In general, I think it's fair to say that the average Debian installation does not require Fort Knox levels of security. Simply allowing other people to read our files is often something desirable; if I have something especially secret, I'll take steps to make sure it's not readable or writeable by anyone except me. But in general, it's not a bad thing that others can see my stuff. I can always keep private things in a 0700 subdirectory.

Even on the massively shared systems I use, it's common for home directories to be readable by default, so you can let other people access your data, scripts, git repos, or whatever.

I can see that in some circumstances you might well want total control over who can see your files, but unless you're dealing with TOP SECRET stuff, I am not convinced that this is something the typical user would wish to have by default. Are there any common use cases which require this?

Regards,
Roger

--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 3:38 PM, Ian Jackson ijack...@chiark.greenend.org.uk wrote:
> Olaf van der Spek writes ("Re: Default Homedir Permissions"):
>> chmod 755 ~ is not a hard way to remove the barrier.
>
> We are arguing about defaults, so this is not a relevant answer.

In both cases it's easy to change permissions, but:
If you start with safe permissions but want to share everything, you get an error message. Easy to fix.
If you start with unsafe permissions but wanted to share nothing, you don't get an error message and your data leaks. Impossible to fix.

>> What are those assumptions based on?
>
> I could ask you the same question. We are arguing in a vacuum.

Feel free to ask.

--
Olaf

Archive: http://lists.debian.org/aanlktins21pvtzze5vkczxomabitubunx90bsye-m...@mail.gmail.com
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 01:44:26PM +, Ian Jackson wrote:
> Perhaps it might be reasonable to try to find a way for accounts like msql and www-data not to be able to access home directories (add daemon to their supplementary group list and set the permissions of /home 0705 to root.daemon, perhaps), but is this really worthwhile ? If it is, the right thing to do is to go away and think about exactly how to do it, not to file a bug asking for the default home directory permissions to be changed.

This is easily accomplished using ACLs. Example to only allow apache access to public_html, and nothing else:

    % setfacl -m g:www-data:x ~
    % setfacl -m g:www-data:rx ~/public_html
    % getfacl ~ ~/public_html
    getfacl: Removing leading '/' from absolute path names
    # file: home/rleigh
    # owner: rleigh
    # group: rleigh
    user::rwx
    group::r-x
    group:www-data:--x
    mask::r-x
    other::r-x

    # file: home/rleigh/public_html
    # owner: rleigh
    # group: rleigh
    user::rwx
    group::r-x
    group:www-data:r-x
    mask::r-x
    other::r-x

Regards,
Roger

--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 3:58 PM, Roger Leigh rle...@codelibre.net wrote:
> In general, I think it's fair to say that the average Debian installation does not require Fort Knox levels of security. Simply allowing other people to read our files is often something desirable;

Does "other" refer to other users, all other accounts or the entire world?

> if I have something especially secret, I'll take steps to make sure it's not readable or writeable by anyone except me. But in general, it's not a bad thing that others can see my stuff. I can always keep private things in a 0700 subdirectory.

You can, but you can easily forget that. Note that defaulting to private does not prevent you from changing the permissions.

> I can see that in some circumstances you might well want total control over who can see your files, but unless you're dealing with TOP SECRET stuff, I am not convinced that this is something the typical user would wish to have by default. Are there any common use cases which require this?

Like backups, the need for security is often discovered after it was necessary.

--
Olaf

Archive: http://lists.debian.org/AANLkTim_txyuh+zvXyOXHzWTPf8QypYZHj=s+b4ko...@mail.gmail.com
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 04:07:12PM +0100, Olaf van der Spek wrote:
> On Thu, Feb 17, 2011 at 3:58 PM, Roger Leigh rle...@codelibre.net wrote:
>> In general, I think it's fair to say that the average Debian installation does not require Fort Knox levels of security. Simply allowing other people to read our files is often something desirable;
>
> Does "other" refer to other users, all other accounts or the entire world?

It refers to S_IRWXO, which is what this bug is about. What that means in practice is up to you.

>> if I have something especially secret, I'll take steps to make sure it's not readable or writeable by anyone except me. But in general, it's not a bad thing that others can see my stuff. I can always keep private things in a 0700 subdirectory.
>
> You can, but you can easily forget that. Note that defaulting to private does not prevent you from changing the permissions.
…
> Like backups, the need for security is often discovered after it was necessary.

Yes, but like everything there is a tradeoff. A totally secure system is an unusable system. Having to instruct every user how to relax the permissions to allow others to access their files, or allow their web pages to be visible, is effectively pointless make-work if that was what you wanted in the first place. And for most people, I would argue that /is/ what is wanted. Remember that historically, multi-user systems have been about sharing and collaboration, not isolation in walled-off prisons. I know which type of system I want, and it's not the latter.

0755 is not inherently insecure. Others can't make any changes, but they can look. The only issue here is accidental disclosure of information intended to be private.

I would argue that a change that /would/ make a real difference, would be to have (as an example) emblems in Nautilus that flag files and folders depending on if other people have read or write access. That would visually show what is (and is not) secure either by intention or by accident.

Regards,
Roger

--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
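The two technical points in this subthread, what the "other" bits (S_IRWXO) of a home directory actually let everyone else do, and how a 0751 home pairs with a 027 umask so that new files come out 0640 (Martin's point earlier in the thread), can be checked mechanically. The following Python audit is an added example, not code from the thread, from Debian or from Nautilus; it reports every directory under a root that "other" can list, traverse or write, which is the information a file-manager emblem would surface, and builds a constructed demo home in a temporary directory to run against.

```python
import os
import stat
import tempfile


# What "other" (S_IRWXO: anyone who is neither the owner nor in the group)
# can do with a directory of the given mode. On a directory, r = list the
# entries, x = traverse it (open a path inside if you already know the name),
# w = create, rename or delete entries (effective only together with x).
def others_access(mode):
    caps = set()
    if mode & stat.S_IROTH:
        caps.add("list")
    if mode & stat.S_IXOTH:
        caps.add("traverse")
    if mode & stat.S_IWOTH:
        caps.add("write")
    return caps


# Mode a freshly created directory or file ends up with under a given umask;
# this is why a 0751 home combined with umask 027 keeps new files at 0640
# even though the home itself stays traversable for ~/public_html.
def mode_after_umask(umask, directory):
    base = 0o777 if directory else 0o666
    return base & ~umask


# Walk a tree and report every directory that "other" can list, traverse or
# write: what is exposed, whether by intention or by accident. Paths are
# relative to root; the root itself is reported as ".". os.walk does not
# follow symlinks, so a symlinked public dir outside the tree is not scanned.
def audit_tree(root):
    findings = {}
    for dirpath, _dirnames, _files in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        caps = others_access(mode)
        if caps:
            findings[os.path.relpath(dirpath, root)] = sorted(caps)
    return findings


# Constructed demo layout (not a real account): a 0755 home with a 0700
# Private folder, a 0755 public_html and a world-writable Shared folder,
# the accident the audit should catch. Modes are set with an explicit chmod
# so the process umask cannot interfere with the demonstration.
def build_demo_home():
    root = tempfile.mkdtemp(prefix="demo-home-")
    layout = [("", 0o755), ("Private", 0o700),
              ("public_html", 0o755), ("Shared", 0o777)]
    for rel, mode in layout:
        path = os.path.join(root, rel)
        if rel:
            os.mkdir(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for m in (0o755, 0o751, 0o750):
        caps = ", ".join(sorted(others_access(m))) or "nothing"
        print("%o: other can %s" % (m, caps))
    print("umask 027 -> new dir %o, new file %o"
          % (mode_after_umask(0o027, True), mode_after_umask(0o027, False)))
    for path, caps in sorted(audit_tree(build_demo_home()).items()):
        print("%-12s other can %s" % (path, ", ".join(caps)))
```

Run it as a regular user; the Private folder is absent from the report because "other" has no bits there, while Shared shows up with "write", the case Roger's emblem proposal is meant to make visible.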
Re: Default Homedir Permissions
[Someone] writes ("Re: Default Homedir Permissions"):
> [stuff]

We are in danger of wasting a lot of time with this discussion. The general pattern is that someone who is unhappy with the state of the world proposes a substantial change. The worry amongst the rest of us is that the change might go ahead if we don't oppose it. So those of us who oppose feel impelled to respond to every message; whereas the proponent of change is dedicated. There is no natural conclusion to this argument.

So I would like the maintainers of the adduser package (which seems to be where the default is mainly set) to post here to reassure us that they don't intend to make this change, and that if the maintainers are thinking of changing their mind they will consult debian-devel.

Ian.

Archive: http://lists.debian.org/19805.15206.29837.470...@chiark.greenend.org.uk
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 4:24 PM, Roger Leigh rle...@codelibre.net wrote:
> On Thu, Feb 17, 2011 at 04:07:12PM +0100, Olaf van der Spek wrote:
>> On Thu, Feb 17, 2011 at 3:58 PM, Roger Leigh rle...@codelibre.net wrote:
>>> In general, I think it's fair to say that the average Debian installation does not require Fort Knox levels of security. Simply allowing other people to read our files is often something desirable;
>>
>> Does "other" refer to other users, all other accounts or the entire world?
>
> It refers to S_IRWXO, which is what this bug is about. What that means in practice is up to you.

"Other (people)" in "Simply allowing other people to read our files is often something desirable" does not refer to S_IRWXO.

>> Like backups, the need for security is often discovered after it was necessary.
>
> Yes, but like everything there is a tradeoff. A totally secure system is an unusable system. Having to instruct every user how to relax the permissions to allow others to access their files, or allow their web pages to be visible, is effectively pointless make-work if that was what you wanted in the first place.

You're right, in that case it makes more sense to edit /etc/adduser.conf
Or to setup public dirs that people could use to share stuff without defaulting to share their entire home dir.

> And for most people, I would argue that /is/ what is wanted.

Is it? A lot of people have desktops / laptops that aren't shared with other people and that don't use the per-user public_html.

> Remember that historically, multi-user systems have been about sharing and collaboration, not isolation in walled-off prisons. I know which type of system I want, and it's not the latter.

Historically security was not an issue.

> 0755 is not inherently insecure. Others can't make any changes, but they can look. The only issue here is accidental disclosure of information intended to be private.

Right

--
Olaf

Archive: http://lists.debian.org/AANLkTi=4R87hRmXQc4Y7zL9b5KJ0yJqtTYXeX80MQN=p...@mail.gmail.com
Re: Default Homedir Permissions
On Feb 17, Ian Jackson ijack...@chiark.greenend.org.uk wrote:
> I disagree with this conclusion, because I disagree with the underlying implication that the general readability of files is not needed.

Agreed.

> Perhaps it might be reasonable to try to find a way for accounts like msql and www-data not to be able to access home directories (add daemon to their supplementary group list and set the permissions of /home 0705 to root.daemon, perhaps), but is this really worthwhile ?

We have ACLs, but I believe that the local requirements vary enough that it is not worth the effort.

-- 
ciao,
Marco
Re: Default Homedir Permissions
On Thu, Feb 17, 2011 at 07:14, Ian Jackson ijack...@chiark.greenend.org.uk wrote:
> [Someone] writes ("Re: Default Homedir Permissions"):
>> [stuff]
>
> We are in danger of wasting a lot of time with this discussion. The general pattern is that someone who is unhappy with the state of the world proposes a substantial change. The worry amongst the rest of us is that the change might go ahead if we don't oppose it.

More simply, the option could be put in the default install instead of only the expert install. Make the default choice the current behavior, but let local administrators choose what is best for their system.

-- 
-Austin

Archive: http://lists.debian.org/aanlktimhuo+zpb7opyrkdptd4nmqspdaqba8kq75+...@mail.gmail.com
Re: Default Homedir Permissions
Austin English writes ("Re: Default Homedir Permissions"):
> On Thu, Feb 17, 2011 at 07:14, Ian Jackson ijack...@chiark.greenend.org.uk wrote:
>> [Someone] writes ("Re: Default Homedir Permissions"):
>>> [stuff]
>>
>> We are in danger of wasting a lot of time with this discussion. The general pattern is that someone who is unhappy with the state of the world proposes a substantial change. The worry amongst the rest of us is that the change might go ahead if we don't oppose it.
>
> More simply, the option could be put in the default install instead of only the expert install. Make the default choice the current behavior, but let local administrators choose what is best for their system.

Your reply doesn't seem to be a way of avoiding wasting time, I'm afraid, but rather a way of perpetuating the discussion.

But at the risk of doing the same myself: increasing the priority of installation questions is not without costs. I think that the current default suits a big enough proportion of our users that it should be kept at the current priority.

Ian.

Archive: http://lists.debian.org/19805.20948.449432.456...@chiark.greenend.org.uk
Re: Default Homedir Permissions
On Thu, 2011-02-17 at 15:24 +, Roger Leigh wrote:
> Yes, but like everything there is a tradeoff. A totally secure system is an unusable system. Having to instruct every user how to relax the permissions to allow others to access their files, or allow their web pages to be visible, is effectively pointless make-work if that was what you wanted in the first place. And for most people, I would argue that /is/ what is wanted.

You don't want to make it harder for users, but this is where design can help. If we need to make a system which prevents cross-user file attacks, then we could fairly easily implement these things:

 * Shared Folder, a directory which is available to all users where they can put explicitly shared contents (MacOSX does this).
 * Make sure shared folders via smb/nfs are accessible, and make it clear that this would share files inside the system as much as on the network.
 * A program which allows temporary file access to another user's home folder after the user has authorised the access.

> Remember that historically, multi-user systems have been about sharing and collaboration, not isolation in walled-off prisons. I know which type of system I want, and it's not the latter.

Yes, but we don't make it clear that a user's home directory is a free-for-all with all users. Folder indicators would be useful. But do users know that they've signed up for this when they installed Ubuntu? I think it's more likely that Ubuntu users think the data is protected until the magic time when cross-user file access is demanded, and then it's unprotected for that one instance. Computers are magic after all. Asking users would be key to answering that.

> 0755 is not inherently insecure. Others can't make any changes, but they can look. The only issue here is accidental disclosure of information intended to be private.

If public by default is the way we want to go, then why not have a Private folder by default in the user's home directory? Combined with the indication emblem in nautilus, this might provide a space for users to put data. ATM it's too hard to teach users how to secure a folder or even how to set up an encrypted folder.

Martin,

Archive: http://lists.debian.org/1297961716.28341.10.camel@delen
Re: Default Homedir Permissions
On 02/17/2011 10:55 AM, Martin Owens wrote:
> On Thu, 2011-02-17 at 15:24 +, Roger Leigh wrote:
>> Yes, but like everything there is a tradeoff. A totally secure system is an unusable system. Having to instruct every user how to relax the permissions to allow others to access their files, or allow their web pages to be visible, is effectively pointless make-work if that was what you wanted in the first place. And for most people, I would argue that /is/ what is wanted.
>
> You don't want to make it harder for users, but this is where design can help. If we need to make a system which prevents cross-user file attacks, then we could fairly easily implement these things:
>
>  * Shared Folder, a directory which is available to all users where they can put explicitly shared contents (MacOSX does this).

Speaking as a (non-Unix) (non-DD and so no authority here) Administrator who is constantly pestered by auditors and CISO reviews, I agree with Olaf, and think that Shared Folder is a good way to make this explicit.

-- 
The normal condition of mankind is tyranny and misery.
Milton Friedman

Archive: http://lists.debian.org/4d5d9ded.2080...@cox.net
Re: Default Homedir Permissions
On 02/17/2011 08:58 AM, Roger Leigh wrote:
> [snip]
> Should it be locked down like Fort Knox?

There's a heck of a lot of middle ground between Fort Knox and Hippy Commune.

> Should it be generally usable, and easy for users to see each other's stuff?

Only with the owner's permission. Privacy, remember? It's why we encrypt Wi-Fi and https exists.

-- 
The normal condition of mankind is tyranny and misery.
Milton Friedman

Archive: http://lists.debian.org/4d5d9eb1.80...@cox.net
Re: Default Homedir Permissions
On 02/17/2011 09:24 AM, Roger Leigh wrote:
> [snip]
> Yes, but like everything there is a tradeoff. A totally secure system is an unusable system.

Why the black and white? What happened to grey?

> Having to instruct every user how to relax the permissions to allow others to access their files, or allow their web pages to be visible, is effectively pointless make-work if that was what you wanted in the first place. And for most people, I would argue that /is/ what is wanted.

Most people want easy. It's why Windows is malware central.

> Remember that historically, multi-user systems have been about sharing and collaboration, not isolation in walled-off prisons. I know which type of system I want, and it's not the latter.

I thought it was about sharing expensive resources. (But then, I come from a DP background.)

-- 
The normal condition of mankind is tyranny and misery.
Milton Friedman

Archive: http://lists.debian.org/4d5da07d.9020...@cox.net
Re: Default Homedir Permissions
Martin Owens wrote:
> If public by default is the way we want to go, then why not have a Private folder by default in the user's home directory? Combined with the indication emblem in nautilus, this might provide a space for users to put data. ATM it's too hard to teach users how to secure a folder or even how to set up an encrypted folder.

IIRC, Ubuntu has done some work toward providing such an encrypted private subdirectory by default. Someone should look into pulling that into a package in Debian.

-- 
see shy jo
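The S_IRWXO / 0755 point made earlier in the thread and the Private folder proposal above, as an added shell example that is not from any poster: it classifies each home directory by what its "other" bits let unrelated accounts do, counts the exposed ones, and creates the plain-permission 0700 Private directory. The sample tree, function names and audit categories are constructed for illustration; it assumes GNU stat.

```shell
# Added example, not from the thread: audit home directories for the S_IRWXO
# ("other") bits and create the 0700 Private folder the thread proposes.
# Assumes GNU stat (-c '%a'); the sample tree is constructed, not a real /home.

# other_bits DIR: the "other" octal digit of DIR's mode (r=4, w=2, x=1).
other_bits() {
    m=$(stat -c '%a' "$1")
    printf '%s\n' "${m#"${m%?}"}"   # last character, e.g. "755" -> 5
}

# classify DIR: what the "other" bits let unrelated accounts (or www-data) do.
classify() {
    case "$(other_bits "$1")" in
        0)   echo private ;;          # 0700: no access at all
        1)   echo traverse-only ;;    # 0711: known paths (public_html) reachable, no listing
        4|5) echo world-readable ;;   # 0755, the thread's default: others can look, not change
        *)   echo world-writable ;;   # w bit set: others can change files; never right for a home
    esac
}

# audit_homes BASE: one "name mode class" line per directory directly under BASE.
audit_homes() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        printf '%s %s %s\n' "$(basename "$d")" "$(stat -c '%a' "$d")" "$(classify "$d")"
    done
}

# count_exposed BASE: how many homes under BASE are readable or writable by "other".
count_exposed() {
    audit_homes "$1" | grep -c ' world-' || true   # grep -c exits 1 on zero matches
}

# ensure_private_dir HOME: the "Private folder by default" idea, plain
# permissions only (Ubuntu's version adds encryption; this does not).
ensure_private_dir() {
    mkdir -p "$1/Private" && chmod 0700 "$1/Private"
}

# make_sample_home: constructed stand-in for /home; prints its temporary path.
make_sample_home() {
    base=$(mktemp -d)
    mkdir -m 0755 "$base/alice"   # Debian's adduser default (DIR_MODE=0755)
    mkdir -m 0700 "$base/bob"     # fully locked down
    mkdir -m 0711 "$base/carol"   # traversable for public_html, not listable
    ensure_private_dir "$base/alice"
    printf '%s\n' "$base"
}

SAMPLE=$(make_sample_home); audit_homes "$SAMPLE"; rm -rf "$SAMPLE"   # demo run
```

Pass a real base such as /home to audit_homes to see which accounts on an existing system still have the 0755 default.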