[Adduser-devel] Bug#398793: Default Homedir Permissions

Martin Owens doctormo at gmail.com
Thu Feb 17 16:55:16 UTC 2011 

On Thu, 2011-02-17 at 15:24 +0000, Roger Leigh wrote:
> Yes, but like everything there is a tradeoff.  A totally secure system
> is an unusable system.  Having to instruct every user how to relax the
> permissions to allow others to access their files, or allow their web
> pages to be visible, is effectively pointless make-work if that was
> what
> you wanted in the first place.  And for most people, I would argue
> that
> /is/ what is wanted.

You don't want to make it harder for users, but this is where design can
help. If we need to make a system which prevents cross user file
attacks, then we could fairly easily implement these things:

 * Shared Folder, directory which is available to all users where they
can put explicitly shared contents (MacOSX does this).
 * Make sure shared folders via smb/nfs are accessible, make it clear
that this would share files inside the system as much as on the network.
 * A program which allows temporary file access to another user's home
folder after the user have authorised the access.

> Remember that historically, multi-user systems have been about sharing
> and collaboration, not isolation in walled-off prisons.  I know which
> type of system I want, and it's not the latter.

Yes, but we don't make it clear that a user's home directory is a
free-for-all with all users. Folder indicators would be useful. But do
users know that they've signed up for this when they installed Ubuntu?

I think it's more likely that Ubuntu users think the data is protected
until the magic time when cross-user file access is demanded and then
it's unprotected for that one instance. Computers are magic after all.
Asking users would be key to answering that.

> 0755 is not inherently insecure.  Others can't make any changes, but
> they can look.  The only issue here is accidental disclosure of
> information intended to be private. 

If public by default is the way we want to go, then why not have a
Private folder be default in the users home directory? Combined with the
indication emblem in nautilus; this might provide a space for users to
put data. ATM it's too hard to teach users how to secure a folder or
even how to set up an encrypted folder.

Martin,

More information about the Adduser-devel mailing list