Insecure default permissions on home directories #926

Closed
pceiley opened this issue Jun 20, 2019 · 7 comments
@pceiley
pceiley commented Jun 20, 2019

$ sudo useradd -m test
$ ls -la /home/test
total 16
drwxr-xr-x 2 test test 4096 Jun 20 13:23 .
drwxr-xr-x 5 root root 4096 Jun 20 13:23 ..
-rw-r--r-- 1 test test  194 Feb  2 07:26 .bashrc
-rw-r--r-- 1 test test  154 Feb  2 07:26 .profile
@lebensterben
@pceiley

.bashrc and .profile are copied from /usr/share/skel and they're installed by the filesystem package. The spec file of filesystem has the following lines:

install -m 0644 %{SOURCE3} %{buildroot}/usr/share/defaults/skel/.bashrc
install -m 0644 %{SOURCE3} %{buildroot}/usr/share/defaults/skel/.profile

As for the permission of home directory, one way to specify it is to use

useradd -m -K UMASK=027 test

And you will have 750(777-027) as the permission of /home/test.

Another way is to create /etc/login.defs and have UMASK 027.

But anyway, I think it's nice to patch the shadow package (?) so that a default login.defs with more secure UMASK is available.
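
The two settings mentioned above (a UMASK passed with `-K` or read from /etc/login.defs) both work by applying the umask to 0777 when the home directory is created. The script below is an added example for this thread, not code from the shadow package or from Clear Linux: it shows what mode a directory gets under a given umask, reads UMASK out of a login.defs-style file, and audits an existing /home for directories that still grant anything to "other". It assumes GNU coreutils (`stat -c %a`); the login.defs fragment written by `write_sample_login_defs` is constructed for the demonstration.

```sh
#!/bin/sh
# Added example for this thread; not code from the shadow package or Clear Linux.
# Assumes GNU coreutils (`stat -c %a`). The login.defs content written by
# write_sample_login_defs is constructed, not a real distribution file.

# Mode a freshly created directory receives under a given umask. useradd -m
# applies UMASK (from -K or login.defs) to 0777 the same way, so 027 gives
# 750 and 022 gives 755. Prints the octal mode.
dir_mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && mkdir "$tmp/d" ) || { rm -rf "$tmp"; return 1; }
    stat -c %a "$tmp/d"
    rm -rf "$tmp"
}

# Print the UMASK value from a login.defs-style file ($1); return 1 if unset.
# Lines starting with # are comments and are skipped.
login_defs_umask() {
    awk '$1 !~ /^#/ && $1 == "UMASK" { print $2; found = 1 } END { exit !found }' "$1"
}

# Write a constructed login.defs fragment to $1 (demonstration data only).
write_sample_login_defs() {
    cat > "$1" <<'EOF'
# UMASK 022     (commented out, so ignored)
UMASK 027
EOF
}

# List directories directly under $1 (e.g. /home) whose mode grants any
# "other" permission, one "<mode> <path>" per line. Returns 1 if any were
# found, 0 if every directory is closed to "other".
audit_homes() {
    found=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(stat -c %a "$d") || continue
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ "$other" != 0 ]; then
            printf '%s %s\n' "$mode" "$d"
            found=1
        fi
    done
    return $found
}
```

`audit_homes /home` is the check to run after changing the default: accounts created before the UMASK change keep their 755 directories, since the umask only affects directories created from then on, and each of those needs an explicit `chmod 750`.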

@pceiley
Author

pceiley commented Jun 20, 2019

It's normal and expected to have the files as 644, but the home directory should definitely not be read/exec to all by default.

@ahkok ahkok removed the new label Jun 20, 2019
@ahkok
Contributor

ahkok commented Jun 20, 2019

Debatable topic, but I'm inclined to have a more restrictive policy by default. We would do this through a more restrictive builtin UMASK value. I'll let some of our security folks advise here as well.

@miguelinux
Member

Clear Linux is changing the mode used when creating a new user's $HOME directory.
The useradd and newusers commands will use UMASK=027 as the default.

This change will be public in 1 or 2 days.

@miguelinux miguelinux self-assigned this Jun 20, 2019
@pdxjohnny
Member

Here's the effects of having directories be o+rx

pdxjohnny@clearlinux $ sudo useradd -m feedface
pdxjohnny@clearlinux $ stat !$
stat /home/feedface/
  File: /home/feedface/
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 91h/145d        Inode: 19681147    Links: 2
Access: (0755/drwxr-xr-x)  Uid: ( 1001/feedface)   Gid: ( 1001/feedface)
Access: 2019-06-20 20:22:02.092407456 +0000
Modify: 2019-06-20 20:21:56.260407577 +0000
Change: 2019-06-20 20:21:56.260407577 +0000
 Birth: -
pdxjohnny@clearlinux $ sudo -u feedface sh -c 'echo hello world > ~/hi'
pdxjohnny@clearlinux $ ls -lAF /home/feedface/
total 12
-rw-r--r-- 1 feedface feedface 194 Jan 13  2017 .bashrc
-rw-r--r-- 1 feedface feedface  12 Jun 20 20:22 hi
-rw-r--r-- 1 feedface feedface 154 Jan 13  2017 .profile
pdxjohnny@clearlinux $ cat /home/feedface/hi
hello world
pdxjohnny@clearlinux $ sudo -u feedface chmod o-r /home/feedface
pdxjohnny@clearlinux $ ls -lAF /home/feedface
ls: cannot open directory '/home/feedface': Permission denied
pdxjohnny@clearlinux $ cat /home/feedface/hi
hello world
pdxjohnny@clearlinux $ sudo -u feedface chmod o-x /home/feedface
pdxjohnny@clearlinux $ cat /home/feedface/hi
cat: /home/feedface/hi: Permission denied
  • o+r is letting other people see into the directory.
  • o+x is allowing "other" permissions (lower 3 bits) on files below the
    directory to propagate through.
  • o-x essentially nullifies any "other" permission bits on files under the
    directory (when "exec" is not set for "other" on the directory).
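
The session above shows the three outcomes (755: list and read; 751: no listing but `cat` still works; 750: nothing), but it needs a second account to show them. The script below is an added example, not code from the thread or the project: it checks the same bits the kernel checks for the "other" class, search (x) on every directory walked and read (r) on the final file, and read (r) on a directory for listing, so the result can be reproduced on a scratch tree as one user. It assumes GNU coreutils (`stat -c %a`); the root argument to `other_can_read` is taken as already searchable (`/` on a real system).

```sh
#!/bin/sh
# Added example for this thread, not code from the project or the commenter.
# Assumes GNU coreutils (`stat -c %a`).

# Permission digit for "other": the last octal digit of the mode.
other_bits() {
    mode=$(stat -c %a "$1") || return 1
    echo "${mode#"${mode%?}"}"
}

# Directory $1 can be searched (entered or passed through) by "other".
other_can_traverse() {
    o=$(other_bits "$1") || return 1
    [ $(( o & 1 )) -ne 0 ]
}

# Directory $1 can be listed by "other" (what `ls` needs).
other_can_list() {
    o=$(other_bits "$1") || return 1
    [ $(( o & 4 )) -ne 0 ]
}

# File $1 is readable by "other" (what `cat` needs, once the file is reachable).
other_can_read_file() {
    o=$(other_bits "$1") || return 1
    [ $(( o & 4 )) -ne 0 ]
}

# Walk $2 (a path relative to root $1) one component at a time, the way the
# kernel resolves a path. $1 is assumed already searchable: use / on a real
# system, or a scratch directory in a test. Prints "readable: <path>" and
# returns 0, or names the first component that blocks "other" and returns 1.
other_can_read() {
    root=${1%/}
    rest=$2
    cur=$root
    while [ "$rest" != "${rest#*/}" ]; do    # a directory component is still ahead
        comp=${rest%%/*}
        rest=${rest#*/}
        cur=$cur/$comp
        other_can_traverse "$cur" || { echo "blocked: no o+x on $cur"; return 1; }
    done
    cur=$cur/$rest
    other_can_read_file "$cur" || { echo "blocked: no o+r on $cur"; return 1; }
    echo "readable: $cur"
}
```

The walk is why 750 on the home directory is enough: a 644 file underneath stays 644, but nobody in "other" can reach it, because resolution fails at the directory before the file's own bits are ever consulted.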

@pceiley
Author

pceiley commented Jun 30, 2019

Thanks for the quick action on this one!

@miguelinux
Member

Fixed at clearlinux-pkgs/shadow@54abae4
