On Sat, 2019-03-02 at 13:20 +0100, Yves-Alexis Perez wrote:
> On Sat, 2019-03-02 at 08:15 +0100, Ansgar wrote:
> > I think this problem (having $HOME world-readable by default) should
> > really be fixed... In installations sharing $HOME between multiple
> > users this means private data of all sorts (medical records, unpublished
> > scientific articles, exam results, ...) can be accessed by /all/ users
> > by default. This seems a really bad idea.
> >
> > Dear security team, should such issues get a CVE id? If one follows the
> > link from [1], one should contact the Debian security team to assign one
> > (even though [1] says Debian won't assign one?).
>
> Own opinion on this: I don't think it deserves a CVE but I'd be all for
> changing the default.

Well, it's local information disclosure. It's similar to having
/etc/shadow world-readable (though having $HOME world-readable is
actually worse as shadow only has hashed passwords).

> In 2019 I'd say most installations are single (human)
> users but changing uids might be used for isolation between applications for
> example.

I think world-readable home by default is totally inappropriate for any
multi-user system in 2019.

Note that the entire $HOME is also readable by system users, including
nobody, by default this way. That just defeats the purpose of having
unprivileged users on single-user systems...

On multi-user systems this is worse, more so when $HOME is on a network
system: every user can read other users' data, including private
information (unless applications take care to not make them
world-readable).

I think Debian should be usable with multiple local users by default,
without needing special configuration; there is no documentation what
users would have to do to be able to run a multi-user system. So the
default should be safe.

Ansgar
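
A way to check for the condition this message describes, as an added example that is not part of the original e-mail: a POSIX shell function that reads a passwd(5)-format file and lists the home directories whose mode gives "other" users list or traverse access. The function name and the minimum-UID default of 1000 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit home directory modes.
# Usage: world_accessible_homes [passwd-file] [min-uid]
#   passwd-file  passwd(5)-format file, default /etc/passwd
#   min-uid      lowest UID to report, default 1000 (assumed start of
#                regular user accounts; pass 0 to include system users)

# Prints one line per finding: "<user> <home> <mode string>".
world_accessible_homes() {
    passwd_file="${1:-/etc/passwd}"
    min_uid="${2:-1000}"

    while IFS=: read -r user pw uid gid gecos home shell; do
        # Skip malformed entries and accounts below the UID threshold.
        case "$uid" in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge "$min_uid" ] || continue
        [ -d "$home" ] || continue

        # First 10 characters of ls -ld are the type and permission bits;
        # cutting there drops any trailing ACL/SELinux marker.
        perms=$(ls -ld -- "$home" | cut -c1-10)
        other=$(printf '%s' "$perms" | cut -c8-10)

        # r lets other users list the directory; x (or t, sticky plus x)
        # lets them reach files inside it whose names they know.
        case "$other" in
            r*|*x|*t) printf '%s %s %s\n' "$user" "$home" "$perms" ;;
        esac
    done < "$passwd_file"
}
```

An empty result means no reported account's home directory is accessible to other local users; files inside a flagged directory are still subject to their own modes.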