Announcement

Collapse
No announcement yet.

Ubuntu 21.04 Will Finally Stop Making New Home Directories World-Readable

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Ubuntu 21.04 Will Finally Stop Making New Home Directories World-Readable

    Phoronix: Ubuntu 21.04 Will Finally Stop Making New Home Directories World-Readable

    Ubuntu 21.04 will do away with the existing practice on Ubuntu Linux systems of making new user home directories world-readable...

    http://www.phoronix.com/scan.php?pag...4-Private-Home

  • #2
    Another area where Windows has long been more secure than Linux.
    Another area is that Linux still does not support Secure Attention Key (SAK). On Windows when you press Ctrl+Alt+Del to login you now the authentication prompt is real, when you login on Linux you never know if the authentication prompt is real or spoofed to steal your credentials.

    Comment


    • #3
      Good. While annoying initially, especially for multiuser systems that expect this functionality, long-term I hope a shared directory framework comes from this. I'm thinking something like "/var/share/the usual XDG dirs" getting symlinked to "/home/$USER/share/the usual XDG dirs".

      Comment


      • #4
        I wasn't aware Ubuntu was set up that way by default, and as someone who doesn't care about security as much as most people around here, even I know that's really stupid. It shouldn't be that hard to have a designated share folder (personally, I've always used /tmp, since I so rarely need to share something long-term between multiple users).

        Comment


        • #5
          It is interesting that this is even noted. Home is the directory for config files and links - not for data - otherwise it will be mounted via fstab and got special care.
          And the second thing mentioned: any person with basic knowledge can get hands on any data stored on a machine he has hands on.
          THIS IS GOOD - or better to say: necessary.
          If trying to avoid this you may lose all data in the long run - and are no longer master of your machine (well, forget the last point as long as CSME/PSP exist - so the owner can no longer access the own data while some monopoly industry players and criminal organizations can ... but for people living in clouds this is a warm reality).
          It is similar with encryption ... and typically used for data freely available anyway ...
          If someone has hardened bank servers he may smile about such things noted as making something more secure that way.
          P.S.: And I don't make a comment to "secure display" support by AMD - most will already know that this is digital restrictions management against and not protecting the user ... strange that these topics are not described in a technical perspective ...
          Last edited by JMB9; 13 January 2021, 09:45 AM.

          Comment


          • #6
            And it only took them 15 years? Good Lord... and it only came up a few months ago. It speaks volumes about the general mindset in the Linux world. NFS, Docker, ACL.... wonderful examples where AuthN, AuthZ and security in general was clearly just an afterthought.

            Comment


            • #7
              Originally posted by uid313 View Post
              Another area where Windows has long been more secure than Linux.
              Another area is that Linux still does not support Secure Attention Key (SAK). On Windows when you press Ctrl+Alt+Del to login you now the authentication prompt is real, when you login on Linux you never know if the authentication prompt is real or spoofed to steal your credentials.
              Forgive me for being blunt, but somehow the word bullshit seems small in this case:

              Fedora 33:
              $ ls -lh /home/ | grep $USER
              drwx------. 163 gilboagilboa 12K Jan 13 14:56 gilboa


              CentOS8:
              $ ls -lh /home/ | grep $USER
              drwx------. 21 gilboagilboa 4.0K Oct 11 11:57 gilboa


              CentOS7:
              $ ls -lh /home/ | grep $USER
              drwx------. 20 gilboa gilboa 4.0K Aug 9 10:58 gilboa


              CentOS6:
              $ ls -lh /home/ | grep $USER
              drwx------. 30 gilboa gilboa 4.0K Jul 5 2020 gilboa


              CentOS5:
              $ ls -lh /home/ | grep $USER
              drwx------. 31 gilboa gilboa 4.0K Apr 12 2017 gilboa


              I don't have access to CentOS4 machine, but I assume we get the general idea.

              - Gilboa
              Last edited by gilboa; 13 January 2021, 10:28 AM.
              Devel: Intel S2600C0, 2xE5-2658V2, 32GB, 6x2TB, 1x256GB-SSD, GTX1080, F33, Dell UP3216Q 4K.
              oVirt: Intel S2400GP2, 2xE5-2448L, 96GB, 10x2TB, GTX550, CentOS8.3.
              Win10: Gigabyte B85M-HD3, E3-1245V3, 32GB, 5x1TB, GTX980, Win10Pro.
              Devel-2: Asus H110M-K, i5-6500, 16GB, 3x1TB + 128GB-SSD, F33, Dell U2711.
              Laptop: ASUS Strix GL502V, i7-6700HQ, 32GB, 1TB+256GB, 1070M, F33.

              Comment


              • #8
                Originally posted by uid313 View Post
                Another area where Windows has long been more secure than Linux.
                Another area is that Linux still does not support Secure Attention Key (SAK). On Windows when you press Ctrl+Alt+Del to login you now the authentication prompt is real, when you login on Linux you never know if the authentication prompt is real or spoofed to steal your credentials.
                https://www.kernel.org/doc/Documentation/SAK.txt

                This is not 100 percent true. The Linux kernel has had means to implement different forms of SAK just the distributions have not been. There is a reason not really to bother implementing SAK it was being stuck with X11 were even if the login screen was real you could be screwed over by X11 itself. Key logging on the display manager or screen saver screen is absolutely possible with X11 protocol.
                Last edited by oiaohm; 13 January 2021, 09:59 AM.

                Comment


                • #9
                  Originally posted by anarki2 View Post
                  And it only took them 15 years? Good Lord... and it only came up a few months ago. It speaks volumes about the general mindset in the Linux world. NFS, Docker, ACL.... wonderful examples where AuthN, AuthZ and security in general was clearly just an afterthought.
                  ACL comes a complex one. Do you want to waste processing time on ACL or Multi-Level Security (MLS).

                  https://access.redhat.com/documentat...nced_linux/mls.

                  The reality here is even with windows majority of the core could get away with user, group and world. There is a big question how much of ACL is in fact required.

                  Remember the Linux kernel has support on many file systems acl for a long time.

                  https://github.com/DavidXanatos/IgnoreACLs
                  Yes its need to ask yourself why you need to load a kernel driver to turn ACL off under windows. Remember those doing windows kernel driver based anti-cheat system there kernel based drivers include ACL bypass. So its one of those fun ones we used ACL for security you hear from those using windows to find they installed application that added a exploit that allows turning ACL off.

                  Security is a complex area. Think about it when you have disabled ACL under windows what do you have left for security. There are more layers of security provided by the Linux kernel that distributions could be implementing.

                  Comment


                  • #10
                    Originally posted by oiaohm View Post
                    https://www.kernel.org/doc/Documentation/SAK.txt

                    This is not 100 percent true. The Linux kernel has had means to implement different forms of SAK just the distributions have not been. There is a reason not really to bother implementing SAK it was being stuck with X11 were even if the login screen was real you could be screwed over by X11 itself. Key logging on the display manager or screen saver screen is absolutely possible with X11 protocol.
                    Not to mention that most Linux logins are via SSH and not the local console. We've got hundreds of Linux servers at work, I cannot remember the last time I used a local console on any of them. This SAK seems like more of a theoretical problem anyways, not one that anyone experiences in the wild.

                    Comment

                    Working...
                    X