*** This bug is a duplicate of bug 48734 ***
    https://bugs.launchpad.net/bugs/48734

** This bug has been marked a duplicate of bug 48734
   Home permissions too open

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1790377

Title:
  Ubuntu 18.04.1 and below: Information disclosure through world
  readable by default home directory permissions

Status in shadow package in Ubuntu:
  New

Bug description:
  1) Ubuntu 18.04.1
  2) package passwd 4.5-1ubuntu1 (shadow)
  3) Expected default home directory permissions of 0700 (no one should be able
  to read anyone else's files - probably required by European GDPR and others).

  4) Home directory permissions of the first created user (potential
  root via sudo) on fresh Ubuntu 18.04.1 installation are 0755 (world
  read and executable).

  useradd -m NEWUSER also creates home directories with 0755 permissions
  (rx by world).

  Creating a new User via GUI also creates home directories with 0755
  permissions (rx by world).

  GUI unfortunately creates Documents, Music, Videos, ... with world
  readable permissions too (on another OS I have seen insecure home
  directory permissions too, but there at least the subfolders did not
  have world readable permissions).

  Thus every local user can read files created by other local users
  (security type "Loss of Privacy"). That there are other ways to read
  non-encrypted files is no excuse for such open permissions.

  If, e.g., this was a web server and Apache is badly configured, it could
  be used to remotely read confidential information without valid
  credentials too (increases risk and exploitability).

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
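
An audit for the condition described in the report, added here as an example (not part of the original bug report or of the shadow package). It lists home directories whose mode grants any group or other access and shows the per-directory fix. It assumes GNU coreutils stat as shipped on Ubuntu; the function names audit_homes and restrict_home are hypothetical, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: audit home directories for permissions wider than 0700.
# Assumes GNU coreutils `stat -c`; function names are hypothetical.

# Print "MODE PATH" for every directory directly under $1 whose mode
# grants any group or other access (any bit in mask 077 set).
audit_homes() {
    base=$1
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue            # unmatched glob or not a directory
        dir=${dir%/}
        if [ -L "$dir" ]; then continue; fi  # do not follow symlinked homes
        mode=$(stat -c '%a' "$dir") || continue
        # Leading 0 makes the shell read the stat output as octal.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$dir"
        fi
    done
}

# Remove all group/other access from one home directory (top level only).
# A 0755 directory becomes 0700, the default the report expects.
restrict_home() {
    chmod go-rwx "$1"
}

# Demo on a constructed tree (not the real /home): alice 0755, bob 0700.
demo_root=$(mktemp -d)
mkdir -m 0755 "$demo_root/alice"
mkdir -m 0700 "$demo_root/bob"
audit_homes "$demo_root"            # reports only alice
restrict_home "$demo_root/alice"
audit_homes "$demo_root"            # reports nothing
rm -rf "$demo_root"
```

On a real system the same call is audit_homes /home. Tightening the top-level directory blocks traversal by other users, but files inside keep their own modes and become reachable again if the directory is later reopened.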