Security Breach! - Home directories readable to other users

Forum rules
Before you post please read how to get help
Post Reply
nonium
Level 1
Level 1
Posts: 2
Joined: Sun Jun 17, 2018 10:53 pm

Security Breach! - Home directories readable to other users

Post by nonium » Sun Jun 17, 2018 11:11 pm

Hi everybody.
I am the administrator on my PC (Mint 18.3). I made an account for my son (standard account), but now I can access my folders and all my files through my son's account, even if I close my session. This is supposed not to happen. It didn't happened before with previous releases.

This is potentially dangerous.
Last edited by karlchen on Mon Jun 18, 2018 4:41 am, edited 1 time in total.
Reason: Title: Appended "Home directories readable to other users" in order to express better what the thread is about.

User avatar
Pierre
Level 17
Level 17
Posts: 7584
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Security Breach!!

Post by Pierre » Sun Jun 17, 2018 11:17 pm

do have a look at Menu - Administration - Users & Groups.

check what permissions / groups that the New Standard Account has,
when compared to your own Administrator Account.

you may need to UN-check a few Groups in the New Standard Account to achieve what you are needing.

on some of my PCs where I've got a few users on that machine, I've often found that I've had to modify
that Users & Groups settings, to either Gain / Lose some required areas for the new users on that machine.
Image
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

nonium
Level 1
Level 1
Posts: 2
Joined: Sun Jun 17, 2018 10:53 pm

Re: Security Breach!!

Post by nonium » Sun Jun 17, 2018 11:27 pm

Hi, my son only has the "ali" and "nopasswdlogin" and nothing else.

User avatar
Pierre
Level 17
Level 17
Posts: 7584
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Security Breach!!

Post by Pierre » Sun Jun 17, 2018 11:55 pm

that's interesting in itself - - when I've added in an Extra User on some machine,
they generally do get quite a list of Groups that they seem to default to.

so, I've had to add / remove some of those Groups, in order to get that New Users Account to work properly.
Image
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.

User avatar
karlchen
Level 19
Level 19
Posts: 9432
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Security Breach! - Home directories readable to other users

Post by karlchen » Mon Jun 18, 2018 4:12 am

Guys,
the issue is not caused by group membership, but by the default permissions which are granted to owner-group-others inside the /home directory. A simple ls -al /home might help reveal whether I am right.
(Yes, you can do the same check in your graphical file-manager as well, provided you have configured it to display in long list format and provided you have configured it to display owner-group and access permissions.)

Karl
Image
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.21a 64-bit
Ubuntu 18.04.1 32-bit Mate Desktop, Total Commander 9.21a 32-bit
Windows? - 1 window in every room

User avatar
Pjotr
Level 20
Level 20
Posts: 10987
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Security Breach!!

Post by Pjotr » Mon Jun 18, 2018 4:29 am

Solve it with this terminal command:

Code: Select all

chmod -v 700 $HOME
Repeat this in each user account that needs the same protection.

Note: this doesn't protect you from someone with root permissions! It won't stop a determined and experienced snooper, but it's an effective measure to "keep the honest people out". If that's not enough for you: encryption of files or even of your entire home folder, is much more secure....

Should you ever wish to undo this (but why?), that's easy as well. For undoing you can use this command:

Code: Select all

chmod -v 755 $HOME
Tip: 10 things to do after installing Linux Mint 19 Tara
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
karlchen
Level 19
Level 19
Posts: 9432
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Security Breach! - Home directories readable to other users

Post by karlchen » Mon Jun 18, 2018 4:40 am

The same issue has been discussed before. I just will have to look up the old threads ... (no time to do so at the moment) ...

By the way, as most users are not aware how access permissions are handled on Linux, not just on Linux Mint, here is a an article which explains the basic concept: How Do Linux File Permissions Work?
And another article which illustrates, what Pjotr had already explained briefly, how to prevent normal users from accessing each other's home directories easily: How to Prevent Other Users From Accessing Your Home Directory in Ubuntu 14.04
Image
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.21a 64-bit
Ubuntu 18.04.1 32-bit Mate Desktop, Total Commander 9.21a 32-bit
Windows? - 1 window in every room

User avatar
Moem
Level 17
Level 17
Posts: 7039
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Security Breach!!

Post by Moem » Mon Jun 18, 2018 4:42 am

Pjotr wrote:
Mon Jun 18, 2018 4:29 am
Solve it with this terminal command:

Code: Select all

chmod -v 700 $HOME
Repeat this in each user account that needs the same protection.
Interesting. What exactly is it that this command does?
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

User avatar
Sir Charles
Level 7
Level 7
Posts: 1827
Joined: Thu Jan 04, 2018 1:00 pm

Re: Security Breach! - Home directories readable to other users

Post by Sir Charles » Mon Jun 18, 2018 4:50 am

It gives read-write-execute permissions in home only to the account holder leaving out other users on the same system, if I have understood it correctly. For a brief explanation: https://www.lifewire.com/uses-of-command-chmod-2201064
For a little more thorough explanation: https://www.computerhope.com/unix/uchmod.htm
Last edited by Sir Charles on Mon Jun 18, 2018 4:55 am, edited 1 time in total.
I suppose that's one of the ironies of life, doing the wrong thing at the right moment -C.C.

User avatar
Pjotr
Level 20
Level 20
Posts: 10987
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: Security Breach!!

Post by Pjotr » Mon Jun 18, 2018 4:54 am

Moem wrote:
Mon Jun 18, 2018 4:42 am
Pjotr wrote:
Mon Jun 18, 2018 4:29 am
Solve it with this terminal command:

Code: Select all

chmod -v 700 $HOME
Repeat this in each user account that needs the same protection.
Interesting. What exactly is it that this command does?
It changes the permissions for your /home folder. 700 protects against any access from other users, while the issuing user (you) still has full access.

Default is 755, which means that the contents of your /home folder are both readable and executable by others, but only changeable by the issuing user (you).

I don't know why 755 is default; 700 makes more sense to me. Oh well, it's easy to change.... :mrgreen:
Last edited by Pjotr on Mon Jun 18, 2018 10:06 am, edited 1 time in total.
Tip: 10 things to do after installing Linux Mint 19 Tara
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
JerryF
Level 10
Level 10
Posts: 3148
Joined: Mon Jun 08, 2015 1:23 pm
Location: Rhode Island, USA

Re: Security Breach! - Home directories readable to other users

Post by JerryF » Mon Jun 18, 2018 8:20 am

That perplexed me when I found out that 755 is the default for a /Home/user account.

For an OS such as Linux that prides itself on security, that doesn't seem like a good idea.
Last edited by JerryF on Mon Jun 18, 2018 11:00 am, edited 1 time in total.
IF your problem has been solved, please edit your original post and add [SOLVED] to the beginning of the Subject Line. It helps other members.

User avatar
all41
Level 13
Level 13
Posts: 4875
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Security Breach! - Home directories readable to other users

Post by all41 » Mon Jun 18, 2018 9:10 am

Proper permissions is still a somewhat perilous assumption of security.
You can easily change the attributes when booted into a live desktop.
The only real solution is encryption.
Proud to be a supporter and monthly contributor to Mint.

rene
Level 8
Level 8
Posts: 2228
Joined: Sun Mar 27, 2016 6:58 pm

Re: Security Breach! - Home directories readable to other users

Post by rene » Mon Jun 18, 2018 9:32 am

Recently discussed here as well: viewtopic.php?f=90&t=270507#p1477086.

I.e., you may want a system-wide backup solution to have access to home directories; having to run it as root only for that would with fair chance be the bigger security breach. But also as per above, anyone feel free to chmod their home, and here's official Ubuntu documentation saying the same:

https://help.ubuntu.com/lts/serverguide ... e-security

I do not myself run or have identified software that needs global home directory access but have taken the fact that turning them private is not default as a sign that some will exist. Yes, that's dangerously close to Cargo Cult Administration but given that I don't have untrusted local users either, oh well: Debian-derivative is as Debian does...

benali72
Level 4
Level 4
Posts: 217
Joined: Sat Mar 23, 2013 11:49 am

Re: Security Breach! - Home directories readable to other users

Post by benali72 » Sat Aug 25, 2018 11:04 pm

Remember that permissions only enforce security for users operating within that linux instance. Someone could easily circumvent this by booting a live linux (like Puppy).

The only defense against this is encryption. For this reason if you have any concerns about data privacy & security, encrypt the home directories!

Post Reply

Return to “Others”