Feature changed by: Jan Engelhardt (jengelh) Feature #306645, revision 4 Title: Secure home directory permissions by default openSUSE-11.2: Unconfirmed Priority Requester: Desirable Requested by: Jan Engelhardt (jengelh) Description: Also see https://bugzilla.novell.com/show_bug.cgi?id=518550 . The default for home directories is 0755 (umask 022 in login.defs), and here's the fate entry to change it to 0711 (umask 066). Discussion: #1: Karl Eichwalder (keichwa) (2009-07-04 06:55:24) GNU/Linux is still Un*x and it is about cooperation. Besides this, avery default is arguable as Thorsten pointed out in the referenced bug entry.  It ain't use changing it. On sensible systems, better encrypt home directories.  Maybe, we should consider improving help texts and documentation if all this is not obvious to the user. + #2: Jan Engelhardt (jengelh) (2009-07-04 18:01:50) (reply to #1) + What on earth does home directory encryption bring you if the volume is + mounted anyway. -- openSUSE Feature: https://features.opensuse.org/306645

Feature changed by: Jan Engelhardt (jengelh) Feature #306645, revision 8 Title: Secure home directory permissions by default openSUSE-11.2: Unconfirmed Priority Requester: Desirable Requested by: Jan Engelhardt (jengelh) Description: Also see https://bugzilla.novell.com/show_bug.cgi?id=518550 . The default for home directories is 0755 (umask 022 in login.defs), and here's the fate entry to change it to 0711 (umask 066). Discussion: #1: Karl Eichwalder (keichwa) (2009-07-04 06:55:24) GNU/Linux is still Un*x and it is about cooperation. Besides this, avery default is arguable as Thorsten pointed out in the referenced bug entry.  It ain't use changing it. On sensible systems, better encrypt home directories.  Maybe, we should consider improving help texts and documentation if all this is not obvious to the user. #2: Jan Engelhardt (jengelh) (2009-07-04 18:01:50) (reply to #1) What on earth does home directory encryption bring you if the volume is mounted anyway. #3: Pascal Bleser (pbleser) (2009-07-04 21:34:44) Well, yes, it's a matter of taste. But nevertheless, what advantage is there from having public-readable home directories ? I think it's simply a conflict between two use cases: 1) a server where many users access each other's files that are in their respective homes, e.g. sources of software development projects 2) a workstation that is potentially used by several people, each having their account, and where files under each user's home should not be accessible to others by default The only issue with changing 0755 to 0711 is ~/public_html An even better solution could be to * create a dedicated group, e.g. "home" * put the user "www" into that group * change /etc/skel to root:home and 0750 * change /etc/skel/public_html to root:wwwrun and 0750 Making it configurable could be done by having several home templates (skels), e.g. /etc/skel.open or /etc/skel.restricted , and then change the value of the variable SKEL in /etc/default/useradd through the YaST2 security settings module. "it is about cooperation" - one could similarily argue that it is about security. + #4: Jan Engelhardt (jengelh) (2009-07-05 15:32:00) (reply to #3) + Can you elaborate on this "issue" in "changing 0755 to 0711 is + ~/public_html"? If ~ has +x (and public_html has too), wwwrun can enter + it. Apache does not need readdir either, unless you, as a user, + deliberately want to have it autoindex your public_html. + What about other possibilities? + * using 0751 and not adding user "wwwrun" to group "home"? + * 0750 user:home with a single ACL on /etc/skel for wwwrun:x-only -- openSUSE Feature: https://features.opensuse.org/306645

Feature changed by: Marcus Meissner (msmeissn) Feature #306645, revision 10 Title: Secure home directory permissions by default openSUSE-11.2: Evaluation Priority Requester: Desirable Requested by: Jan Engelhardt (jengelh) Description: Also see https://bugzilla.novell.com/show_bug.cgi?id=518550 . The default for home directories is 0755 (umask 022 in login.defs), and here's the fate entry to change it to 0711 (umask 066). Discussion: #1: Karl Eichwalder (keichwa) (2009-07-04 06:55:24) GNU/Linux is still Un*x and it is about cooperation. Besides this, avery default is arguable as Thorsten pointed out in the referenced bug entry.  It ain't use changing it. On sensible systems, better encrypt home directories.  Maybe, we should consider improving help texts and documentation if all this is not obvious to the user. #2: Jan Engelhardt (jengelh) (2009-07-04 18:01:50) (reply to #1) What on earth does home directory encryption bring you if the volume is mounted anyway. #3: Pascal Bleser (pbleser) (2009-07-04 21:34:44) Well, yes, it's a matter of taste. But nevertheless, what advantage is there from having public-readable home directories ? I think it's simply a conflict between two use cases: 1) a server where many users access each other's files that are in their respective homes, e.g. sources of software development projects 2) a workstation that is potentially used by several people, each having their account, and where files under each user's home should not be accessible to others by default The only issue with changing 0755 to 0711 is ~/public_html An even better solution could be to * create a dedicated group, e.g. "home" * put the user "www" into that group * change /etc/skel to root:home and 0750 * change /etc/skel/public_html to root:wwwrun and 0750 Making it configurable could be done by having several home templates (skels), e.g. /etc/skel.open or /etc/skel.restricted , and then change the value of the variable SKEL in /etc/default/useradd through the YaST2 security settings module. "it is about cooperation" - one could similarily argue that it is about security. #4: Jan Engelhardt (jengelh) (2009-07-05 15:32:00) (reply to #3) Can you elaborate on this "issue" in "changing 0755 to 0711 is ~/public_html"? If ~ has +x (and public_html has too), wwwrun can enter it. Apache does not need readdir either, unless you, as a user, deliberately want to have it autoindex your public_html. What about other possibilities? * using 0751 and not adding user "wwwrun" to group "home"? * 0750 user:home with a single ACL on /etc/skel for wwwrun:x-only #5: Andreas Jaeger (a_jaeger) (2009-07-10 14:04:29) What does the security team think about this? To me it looks like a safer default and therefore we should consider it. + #6: Marcus Meissner (msmeissn) (2009-07-13 15:24:23) (reply to #5) + security is not an issue here at all, so don't misuse the term. + The issue is "secrecy" and "privacy". + I personally do not care either way. I thought about it and I usually + do not access other peoples homedirectories, so a suggestion with mode + 711 for ~, but 755 ~/public_html + seems sensible. -- openSUSE Feature: https://features.opensuse.org/306645

Feature changed by: Michael Löffler (michl19) Feature #306645, revision 12 Title: Secure home directory permissions by default - openSUSE-11.2: Evaluation + openSUSE-11.2: Rejected by Michael Löffler (michl19) + reject date: 2009-08-11 15:12:35 + reject reason: looks like it addresses just a minor issue, if any Priority Requester: Desirable Requested by: Jan Engelhardt (jengelh) Description: Also see https://bugzilla.novell.com/show_bug.cgi?id=518550 . The default for home directories is 0755 (umask 022 in login.defs), and here's the fate entry to change it to 0711 (umask 066). Discussion: #1: Karl Eichwalder (keichwa) (2009-07-04 06:55:24) GNU/Linux is still Un*x and it is about cooperation. Besides this, avery default is arguable as Thorsten pointed out in the referenced bug entry.  It ain't use changing it. On sensible systems, better encrypt home directories.  Maybe, we should consider improving help texts and documentation if all this is not obvious to the user. #2: Jan Engelhardt (jengelh) (2009-07-04 18:01:50) (reply to #1) What on earth does home directory encryption bring you if the volume is mounted anyway. #3: Pascal Bleser (pbleser) (2009-07-04 21:34:44) Well, yes, it's a matter of taste. But nevertheless, what advantage is there from having public-readable home directories ? I think it's simply a conflict between two use cases: 1) a server where many users access each other's files that are in their respective homes, e.g. sources of software development projects 2) a workstation that is potentially used by several people, each having their account, and where files under each user's home should not be accessible to others by default The only issue with changing 0755 to 0711 is ~/public_html An even better solution could be to * create a dedicated group, e.g. "home" * put the user "www" into that group * change /etc/skel to root:home and 0750 * change /etc/skel/public_html to root:wwwrun and 0750 Making it configurable could be done by having several home templates (skels), e.g. /etc/skel.open or /etc/skel.restricted , and then change the value of the variable SKEL in /etc/default/useradd through the YaST2 security settings module. "it is about cooperation" - one could similarily argue that it is about security. #4: Jan Engelhardt (jengelh) (2009-07-05 15:32:00) (reply to #3) Can you elaborate on this "issue" in "changing 0755 to 0711 is ~/public_html"? If ~ has +x (and public_html has too), wwwrun can enter it. Apache does not need readdir either, unless you, as a user, deliberately want to have it autoindex your public_html. What about other possibilities? * using 0751 and not adding user "wwwrun" to group "home"? * 0750 user:home with a single ACL on /etc/skel for wwwrun:x-only #5: Andreas Jaeger (a_jaeger) (2009-07-10 14:04:29) What does the security team think about this? To me it looks like a safer default and therefore we should consider it. #6: Marcus Meissner (msmeissn) (2009-07-13 15:24:23) (reply to #5) security is not an issue here at all, so don't misuse the term. The issue is "secrecy" and "privacy". I personally do not care either way. I thought about it and I usually do not access other peoples homedirectories, so a suggestion with mode 711 for ~, but 755 ~/public_html seems sensible. #7: Karl Eichwalder (keichwa) (2009-07-14 08:20:16) (reply to #6) Without changing the default umask value that would not buy us that much... Innocent users would create directories such as "letters"... Better go for 700 and give up on ~/public_html. On the Mac, IIRC, obvious desktop directories such as ~/Pictures, ~/Music, ~/Documents, ~/Desktop, etc. are properly proected (700), but $HOME is still open (755) as it ever was. -- openSUSE Feature: https://features.opensuse.org/306645