Olaf van der Spek writes ("Default Homedir Permissions"):
> Default homedir permissions are 755. World-readable (and listable).
> Common (security) sense says that permissions that are not required
> should not be granted. For example, accounts mysql and www-data should
> not have access to my documents.

I disagree with this conclusion, because I disagree with the underlying implication that the general readability of files is not needed.

Most installed systems have a smallish number of users who know each other reasonably well and would like to be able to share files. It does not make sense to put strong privacy barriers in between those users. Sensitive data like email and browser histories are already made non-world-readable.

So the default is correct.

Perhaps it might be reasonable to try to find a way for accounts like msql and www-data not to be able to access home directories (add "daemon" to their supplementary group list and set the permissions of /home 0705 to root.daemon, perhaps), but is this really worthwhile? If it is, the right thing to do is to go away and think about exactly how to do it, not to file a bug asking for the default home directory permissions to be changed.

Ian.
Olaf van der Spek
2011-Feb-17 14:31 UTC
[Adduser-devel] Bug#398793: Default Homedir Permissions
On Thu, Feb 17, 2011 at 2:44 PM, Ian Jackson <ijackson at chiark.greenend.org.uk> wrote:
> Olaf van der Spek writes ("Default Homedir Permissions"):
>> Default homedir permissions are 755. World-readable (and listable).
>> Common (security) sense says that permissions that are not required
>> should not be granted. For example, accounts mysql and www-data should
>> not have access to my documents.
>
> I disagree with this conclusion, because I disagree with the
> underlying implication that the general readability of files is not
> needed.
> Most installed systems have a smallish number of users who know each
> other reasonably well and would like to be able to share files. It

What are those assumptions based on? And how do you go from "want to share some files" to "default to share all files"?

> does not make sense to put strong privacy barriers in between those
> users. Sensitive data like email and browser histories are already
> made non-world-readable.

chmod 755 ~ is not a hard way to remove the barrier.

> So the default is correct.
>
> Perhaps it might be reasonable to try to find a way for accounts like
> msql and www-data not to be able to access home directories (add
> "daemon" to their supplementary group list and set the permissions of
> /home 0705 to root.daemon, perhaps), but is this really worthwhile?

That would be another violation of general security principles (access control based on exclusion instead of inclusion);

> If it is, the right thing to do is to go away and think about exactly
> how to do it, not to file a bug asking for the default home directory
> permissions to be changed.

The bug wasn't about that, although it was related.

-- 
Olaf
On Thu, Feb 17, 2011 at 03:31:18PM +0100, Olaf van der Spek wrote:
> On Thu, Feb 17, 2011 at 2:44 PM, Ian Jackson
> <ijackson at chiark.greenend.org.uk> wrote:
> > Olaf van der Spek writes ("Default Homedir Permissions"):
> >> Default homedir permissions are 755. World-readable (and listable).
> >> Common (security) sense says that permissions that are not required
> >> should not be granted. For example, accounts mysql and www-data should
> >> not have access to my documents.
> >
> > I disagree with this conclusion, because I disagree with the
> > underlying implication that the general readability of files is not
> > needed.
> > Most installed systems have a smallish number of users who know each
> > other reasonably well and would like to be able to share files. It
> > So the default is correct.
> >
> > Perhaps it might be reasonable to try to find a way for accounts like
> > msql and www-data not to be able to access home directories (add
> > "daemon" to their supplementary group list and set the permissions of
> > /home 0705 to root.daemon, perhaps), but is this really worthwhile?
>
> That would be another violation of general security principles (access
> control based on exclusion instead of inclusion);

There are obviously differences of opinion in our expectations of "how secure" a default installation should be. Should it be locked down like Fort Knox? Should it be generally usable, and easy for users to see each other's stuff?

In general, I think it's fair to say that the average Debian installation does not require Fort Knox levels of security. Simply allowing other people to read our files is often something desirable; if I have something especially secret, I'll take steps to make sure it's not readable or writeable by anyone except me. But in general, it's not a bad thing that others can see my stuff. I can always keep private things in a 0700 subdirectory.

Even on the massively shared systems I use, it's common for home directories to be readable by default, so you can let other people access your data, scripts, git repos, or whatever. I can see that in some circumstances you might well want total control over who can see your files, but unless you're dealing with TOP SECRET stuff, I am not convinced that this is something the typical user would wish to have by default. Are there any common use cases which require this?

Regards,
Roger

-- 
 .''`.  Roger Leigh
: :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
`. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
  `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
On Thu, Feb 17, 2011 at 01:44:26PM +0000, Ian Jackson wrote:
> Perhaps it might be reasonable to try to find a way for accounts like
> msql and www-data not to be able to access home directories (add
> "daemon" to their supplementary group list and set the permissions of
> /home 0705 to root.daemon, perhaps), but is this really worthwhile?
> If it is, the right thing to do is to go away and think about exactly
> how to do it, not to file a bug asking for the default home directory
> permissions to be changed.

This is easily accomplished using ACLs. Example to only allow apache access to public_html, and nothing else:

% setfacl -m g:www-data:x ~
% setfacl -m g:www-data:rx ~/public_html
% getfacl ~ ~/public_html
getfacl: Removing leading '/' from absolute path names
# file: home/rleigh
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:--x
mask::r-x
other::r-x

# file: home/rleigh/public_html
# owner: rleigh
# group: rleigh
user::rwx
group::r-x
group:www-data:r-x
mask::r-x
other::r-x

Regards,
Roger
Olaf van der Spek
2011-Feb-17 15:07 UTC
[Adduser-devel] Bug#398793: Default Homedir Permissions
On Thu, Feb 17, 2011 at 3:58 PM, Roger Leigh <rleigh at codelibre.net> wrote:
> In general, I think it's fair to say that the average Debian
> installation does not require Fort Knox levels of security. Simply
> allowing other people to read our files is often something desirable;

Does other refer to other users, all other accounts or the entire world?

> if I have something especially secret, I'll take steps to make sure
> it's not readable or writeable by anyone except me. But in general,
> it's not a bad thing that others can see my stuff. I can always keep
> private things in a 0700 subdirectory.

You can, but you can easily forget that.
Note that defaulting to private does not prevent you from changing the permissions.

> I can see that in some circumstances you might well want total control
> over who can see your files, but unless you're dealing with TOP SECRET
> stuff, I am not convinced that this is something the typical user would
> wish to have by default. Are there any common use cases which require
> this?

Like backups, the need for security is often discovered after it was necessary.

-- 
Olaf
[Someone] writes ("Re: Default Homedir Permissions"):
> [stuff]

We are in danger of wasting a lot of time with this discussion.

The general pattern is that someone who is unhappy with the state of the world proposes a substantial change. The worry amongst the rest of us is that the change might go ahead if we don't oppose it.

So those of us who oppose feel impelled to respond to every message; whereas the proponent of change is dedicated. There is no natural conclusion to this argument.

So I would like the maintainers of the adduser package (which seems to be where the default is mainly set) to post here to reassure us that they don't intend to make this change, and that if the maintainers are thinking of changing their mind they will consult debian-devel.

Ian.
On Thu, Feb 17, 2011 at 04:07:12PM +0100, Olaf van der Spek wrote:
> On Thu, Feb 17, 2011 at 3:58 PM, Roger Leigh <rleigh at codelibre.net> wrote:
> > In general, I think it's fair to say that the average Debian
> > installation does not require Fort Knox levels of security. Simply
> > allowing other people to read our files is often something desirable;
>
> Does other refer to other users, all other accounts or the entire world?

It refers to S_IRWXO, which is what this bug is about. What that means in practice is up to you.

> > if I have something especially secret, I'll take steps to make sure
> > it's not readable or writeable by anyone except me. But in general,
> > it's not a bad thing that others can see my stuff. I can always keep
> > private things in a 0700 subdirectory.
>
> You can, but you can easily forget that.
> Note that defaulting to private does not prevent you from changing the
> permissions.

> Like backups, the need for security is often discovered after it was necessary.

Yes, but like everything there is a tradeoff. A totally secure system is an unusable system. Having to instruct every user how to relax the permissions to allow others to access their files, or allow their web pages to be visible, is effectively pointless make-work if that was what you wanted in the first place. And for most people, I would argue that /is/ what is wanted.

Remember that historically, multi-user systems have been about sharing and collaboration, not isolation in walled-off prisons. I know which type of system I want, and it's not the latter.

0755 is not inherently insecure. Others can't make any changes, but they can look. The only issue here is accidental disclosure of information intended to be private.

I would argue that a change that /would/ make a real difference, would be to have (as an example) emblems in Nautilus that flag files and folders depending on if other people have read or write access. That would visually show what is (and is not) secure either by intention or by accident.

Regards,
Roger
Olaf van der Spek
2011-Feb-17 15:36 UTC
[Adduser-devel] Bug#398793: Default Homedir Permissions
On Thu, Feb 17, 2011 at 4:24 PM, Roger Leigh <rleigh at codelibre.net> wrote:
> On Thu, Feb 17, 2011 at 04:07:12PM +0100, Olaf van der Spek wrote:
>> On Thu, Feb 17, 2011 at 3:58 PM, Roger Leigh <rleigh at codelibre.net> wrote:
>> > In general, I think it's fair to say that the average Debian
>> > installation does not require Fort Knox levels of security. Simply
>> > allowing other people to read our files is often something desirable;
>>
>> Does other refer to other users, all other accounts or the entire world?
>
> It refers to S_IRWXO, which is what this bug is about. What that
> means in practice is up to you.

Other (people) in "Simply allowing other people to read our files is often something desirable" does not refer to S_IRWXO.

>> Like backups, the need for security is often discovered after it was necessary.
>
> Yes, but like everything there is a tradeoff. A totally secure system
> is an unusable system. Having to instruct every user how to relax the
> permissions to allow others to access their files, or allow their web
> pages to be visible, is effectively pointless make-work if that was what
> you wanted in the first place.

You're right, in that case it makes more sense to edit /etc/adduser.conf
Or to set up public dirs that people could use to share stuff without defaulting to share their entire home dir.

> And for most people, I would argue that
> /is/ what is wanted.

Is it? A lot of people have desktops / laptops that aren't shared with other people and that don't use the per-user public_html.

> Remember that historically, multi-user systems have been about sharing
> and collaboration, not isolation in walled-off prisons. I know which
> type of system I want, and it's not the latter.

Historically security was not an issue.

> 0755 is not inherently insecure. Others can't make any changes, but
> they can look. The only issue here is accidental disclosure of
> information intended to be private.

Right

-- 
Olaf
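As an added example (not code from this thread or from the adduser package): a small audit in the spirit of the S_IRWXO and /etc/adduser.conf discussion above. It reads DIR_MODE from an adduser.conf-style fragment and reports which home directories grant "other" list/traverse access, i.e. the accidental-disclosure case. The adduser.conf fragment, the user names and their modes are constructed for the demo.

```python
import os
import stat
import tempfile


def parse_dir_mode(conf_text, default=0o755):
    """Read DIR_MODE from adduser.conf-style text (KEY=VALUE lines, '#' comments)."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("DIR_MODE="):
            value = line.split("=", 1)[1].strip().strip('"')
            return int(value, 8)   # the file stores the mode in octal
    return default


def describe_other(perm):
    """Translate the S_IRWXO bits into what an arbitrary account can do to a directory."""
    caps = []
    if perm & stat.S_IROTH:
        caps.append("list")       # read the directory: see file names
    if perm & stat.S_IXOTH:
        caps.append("traverse")   # search the directory: open files inside it
    if perm & stat.S_IWOTH:
        caps.append("write")      # create/rename/delete entries
    return caps


def audit_homes(home_root, policy_mode):
    """Return {username: finding} for every directory directly under home_root."""
    findings = {}
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            continue
        perm = stat.S_IMODE(st.st_mode)
        other = describe_other(perm)
        findings[name] = {
            "mode": perm,
            "other": other,
            # list + traverse together is what lets any account (mysql,
            # www-data, another user) read the documents in this home
            "world_readable": "list" in other and "traverse" in other,
            "world_writable": "write" in other,
            "matches_policy": perm == policy_mode,
        }
    return findings


# Constructed adduser.conf fragment (not a real system file)
SAMPLE_CONF = """
# /etc/adduser.conf (constructed sample)
DSHELL=/bin/bash
DHOME=/home
DIR_MODE=0755   # the Debian default discussed in the thread
"""


def demo():
    """Build a throwaway /home with three constructed users and audit it against DIR_MODE."""
    policy = parse_dir_mode(SAMPLE_CONF)
    with tempfile.TemporaryDirectory() as root:
        for user, mode in (("alice", 0o755), ("bob", 0o750), ("carol", 0o757)):
            path = os.path.join(root, user)
            os.mkdir(path)
            os.chmod(path, mode)   # chmod after mkdir so the umask cannot interfere
        return policy, audit_homes(root, policy)


if __name__ == "__main__":
    policy, report = demo()
    print("policy DIR_MODE=%04o" % policy)
    for user, f in report.items():
        print("%-6s %04o other=%-14s policy=%s"
              % (user, f["mode"], ",".join(f["other"]) or "none", f["matches_policy"]))
```

Pointing audit_homes at a real /home (as root, so every entry can be stat'ed) gives the same table for actual accounts; adapt the policy mode to whatever DIR_MODE is set locally.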
Marco d'Itri
2011-Feb-17 16:16 UTC
[Adduser-devel] Bug#398793: Default Homedir Permissions
On Feb 17, Ian Jackson <ijackson at chiark.greenend.org.uk> wrote:
> I disagree with this conclusion, because I disagree with the
> underlying implication that the general readability of files is not
> needed.

Agreed.

> Perhaps it might be reasonable to try to find a way for accounts like
> msql and www-data not to be able to access home directories (add
> "daemon" to their supplementary group list and set the permissions of
> /home 0705 to root.daemon, perhaps), but is this really worthwhile?

We have ACLs, but I believe that the local requirements vary enough that it is not worth the effort.

-- 
ciao,
Marco
On Thu, Feb 17, 2011 at 07:14, Ian Jackson <ijackson at chiark.greenend.org.uk> wrote:
> [Someone] writes ("Re: Default Homedir Permissions"):
>> [stuff]
>
> We are in danger of wasting a lot of time with this discussion.
>
> The general pattern is that someone who is unhappy with the state of
> the world proposes a substantial change. The worry amongst the rest
> of us is that the change might go ahead if we don't oppose it.

More simply, the option could be put in the default install instead of only the expert install. Make the default choice the current behavior, but let local administrators choose what is best for their system.

-- 
-Austin
Austin English writes ("Re: Default Homedir Permissions"):
> On Thu, Feb 17, 2011 at 07:14, Ian Jackson
> <ijackson at chiark.greenend.org.uk> wrote:
> > [Someone] writes ("Re: Default Homedir Permissions"):
> >> [stuff]
> >
> > We are in danger of wasting a lot of time with this discussion.
> >
> > The general pattern is that someone who is unhappy with the state of
> > the world proposes a substantial change. The worry amongst the rest
> > of us is that the change might go ahead if we don't oppose it.
>
> More simply, the option could be put in the default install instead of
> only the expert install. Make the default choice the current behavior,
> but let local administrators choose what is best for their system.

Your reply doesn't seem to be a way of avoiding wasting time, I'm afraid, but rather a way of perpetuating the discussion.

But at the risk of doing the same myself: increasing the priority of installation questions is not without costs. I think that the current default suits a big enough proportion of our users that it should be kept at the current priority.

Ian.
Martin Owens
2011-Feb-17 16:55 UTC
[Adduser-devel] Bug#398793: Default Homedir Permissions
On Thu, 2011-02-17 at 15:24 +0000, Roger Leigh wrote:
> Yes, but like everything there is a tradeoff. A totally secure system
> is an unusable system. Having to instruct every user how to relax the
> permissions to allow others to access their files, or allow their web
> pages to be visible, is effectively pointless make-work if that was
> what
> you wanted in the first place. And for most people, I would argue
> that
> /is/ what is wanted.

You don't want to make it harder for users, but this is where design can help. If we need to make a system which prevents cross user file attacks, then we could fairly easily implement these things:

* Shared Folder, directory which is available to all users where they can put explicitly shared contents (MacOSX does this).
* Make sure shared folders via smb/nfs are accessible, make it clear that this would share files inside the system as much as on the network.
* A program which allows temporary file access to another user's home folder after the user has authorised the access.

> Remember that historically, multi-user systems have been about sharing
> and collaboration, not isolation in walled-off prisons. I know which
> type of system I want, and it's not the latter.

Yes, but we don't make it clear that a user's home directory is a free-for-all with all users. Folder indicators would be useful. But do users know that they've signed up for this when they installed Ubuntu? I think it's more likely that Ubuntu users think the data is protected until the magic time when cross-user file access is demanded and then it's unprotected for that one instance. Computers are magic after all. Asking users would be key to answering that.

> 0755 is not inherently insecure. Others can't make any changes, but
> they can look. The only issue here is accidental disclosure of
> information intended to be private.

If public by default is the way we want to go, then why not have a Private folder by default in the user's home directory? Combined with the indication emblem in nautilus; this might provide a space for users to put data. ATM it's too hard to teach users how to secure a folder or even how to set up an encrypted folder.

Martin,
Martin Owens wrote:
> If public by default is the way we want to go, then why not have a
> Private folder by default in the user's home directory? Combined with the
> indication emblem in nautilus; this might provide a space for users to
> put data. ATM it's too hard to teach users how to secure a folder or
> even how to set up an encrypted folder.

IIRC, Ubuntu has done some work toward providing such an encrypted private subdirectory by default. Someone should look into pulling that into a package in Debian.

-- 
see shy jo
This one time, at band camp, Ian Jackson said:
> [Someone] writes ("Re: Default Homedir Permissions"):
> > [stuff]
>
> We are in danger of wasting a lot of time with this discussion.
>
> The general pattern is that someone who is unhappy with the state of
> the world proposes a substantial change. The worry amongst the rest
> of us is that the change might go ahead if we don't oppose it.
>
> So those of us who oppose feel impelled to respond to every message;
> whereas the proponent of change is dedicated. There is no natural
> conclusion to this argument.
>
> So I would like the maintainers of the adduser package (which seems to
> be where the default is mainly set) to post here to reassure us that
> they don't intend to make this change, and that if the maintainers are
> thinking of changing their mind they will consult debian-devel.

I don't want to prolong this thread, but this seemed useful to answer.

I certainly have no intention of changing the default on my own. My hope is that Debian is used in ways I can't imagine, and I can not begin to cater to all of the variety of needs that current and future users will want. I think that 0755 as a default plus the ability to alter adduser.conf is enough flexibility to allow admins to create users as they see fit, while still catering to the most common case out of the box. No matter what we pick, someone will be unhappy.

I'd be quite happy to take this up with the tech ctte if Olaf disagrees strongly enough.

Cheers,
-- 
-----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
-----------------------------------------------------------------
Stephen Gran writes ("Re: [Adduser-devel] Default Homedir Permissions"):
> I don't want to prolong this thread, but this seemed useful to answer.

Thanks.

> I certainly have no intention of changing the default on my own.
> My hope is that Debian is used in ways I can't imagine, and I can not
> begin to cater to all of the variety of needs that current and future
> users will want. I think that 0755 as a default plus the ability to
> alter adduser.conf is enough flexibility to allow admins to create users
> as they see fit, while still catering to the most common case out of the
> box. No matter what we pick, someone will be unhappy.

Yes. Thanks for the clarification. That means those of us who support the status quo can let the discussion die.

Ian.
On Fri, Feb 18, 2011 at 9:19 AM, Stephen Gran <sgran at debian.org> wrote:
> I don't want to prolong this thread, but this seemed useful to answer.
>
> I certainly have no intention of changing the default on my own.

Could you at least fix the original bug and ensure preseeding works?

Olaf
On Thu, Feb 17, 2011 at 11:55:16AM -0500, Martin Owens wrote:
> > 0755 is not inherently insecure. Others can't make any changes, but
> > they can look. The only issue here is accidental disclosure of
> > information intended to be private.
>
> If public by default is the way we want to go, then why not have a
> Private folder by default in the user's home directory? Combined with the
> indication emblem in nautilus; this might provide a space for users to
> put data. ATM it's too hard to teach users how to secure a folder or
> even how to set up an encrypted folder.

I think this is an excellent idea, because the presence of a "private" folder in the user's home implicitly implies that the rest of the home is /not/ private, i.e. is self-documenting. We could even put a README file inside explaining what the purpose is, and how to change the permissions should they want to.

We could even do the opposite (create a "public" folder) if the permissions are 0750, though this would require either 0751 or ACLs to be actually accessible. Again, we could include a README file instructing the user how to do this.

The Nautilus emblems idea is, I think, a fairly straightforward exercise should we wish to do this. It already puts "no entry" emblems on folders you don't have permission to enter, so it's not a big change to additionally flag up folders which others have read and write access to.

Regards,
Roger
Olaf van der Spek
2011-Feb-19 10:47 UTC
[Adduser-devel] Bug#398793: Default Homedir Permissions
On Sat, Feb 19, 2011 at 11:43 AM, Roger Leigh <rleigh at codelibre.net> wrote:
> We could even do the opposite (create a "public" folder) if the
> permissions are 0750, though this would require either 0751 or
> ACLs to be actually accessible. Again, we could include a README file
> instructing the user how to do this.

Or it could be a symlink to a public user dir outside of /home such that 751 isn't necessary.

Olaf
Olaf van der Spek
2011-Feb-27 18:16 UTC
[Adduser-devel] Bug#398793: Default Homedir Permissions
On Sat, Feb 19, 2011 at 10:49 AM, Olaf van der Spek <olafvdspek at gmail.com> wrote:
> On Fri, Feb 18, 2011 at 9:19 AM, Stephen Gran <sgran at debian.org> wrote:
>> I don't want to prolong this thread, but this seemed useful to answer.
>>
>> I certainly have no intention of changing the default on my own.
>
> Could you at least fix the original bug and ensure preseeding works?

Stephen?

-- 
Olaf