Security Breach! - Home directories readable to other users

Questions about applications and software
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Locked
nonium

Security Breach! - Home directories readable to other users

Post by nonium »

Hi everybody.
I am the administrator on my PC (Mint 18.3). I made an account for my son (standard account), but now I can access my folders and all my files through my son's account, even if I close my session. This is supposed not to happen. It didn't happened before with previous releases.

This is potentially dangerous.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
User avatar
Pierre
Level 21
Level 21
Posts: 13192
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Security Breach!!

Post by Pierre »

do have a look at Menu - Administration - Users & Groups.

check what permissions / groups that the New Standard Account has,
when compared to your own Administrator Account.

you may need to UN-check a few Groups in the New Standard Account to achieve what you are needing.

on some of my PCs where I've got a few users on that machine, I've often found that I've had to modify
that Users & Groups settings, to either Gain / Lose some required areas for the new users on that machine.
Image
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
nonium

Re: Security Breach!!

Post by nonium »

Hi, my son only has the "ali" and "nopasswdlogin" and nothing else.
User avatar
Pierre
Level 21
Level 21
Posts: 13192
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Security Breach!!

Post by Pierre »

that's interesting in itself - - when I've added in an Extra User on some machine,
they generally do get quite a list of Groups that they seem to default to.

so, I've had to add / remove some of those Groups, in order to get that New Users Account to work properly.
Image
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
User avatar
karlchen
Level 23
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Security Breach! - Home directories readable to other users

Post by karlchen »

Guys,
the issue is not caused by group membership, but by the default permissions which are granted to owner-group-others inside the /home directory. A simple ls -al /home might help reveal whether I am right.
(Yes, you can do the same check in your graphical file-manager as well, provided you have configured it to display in long list format and provided you have configured it to display owner-group and access permissions.)

Karl
Image
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
User avatar
Pjotr
Level 23
Level 23
Posts: 19888
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland) 🇳🇱
Contact:

Re: Security Breach!!

Post by Pjotr »

Solve it with this terminal command:

Code: Select all

chmod -v 700 $HOME
Repeat this in each user account that needs the same protection.

Note: this doesn't protect you from someone with root permissions! It won't stop a determined and experienced snooper, but it's an effective measure to "keep the honest people out". If that's not enough for you: encryption of files or even of your entire home folder, is much more secure....

Should you ever wish to undo this (but why?), that's easy as well. For undoing you can use this command:

Code: Select all

chmod -v 755 $HOME
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
User avatar
karlchen
Level 23
Level 23
Posts: 18177
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Security Breach! - Home directories readable to other users

Post by karlchen »

The same issue has been discussed before. I just will have to look up the old threads ... (no time to do so at the moment) ...

By the way, as most users are not aware how access permissions are handled on Linux, not just on Linux Mint, here is a an article which explains the basic concept: How Do Linux File Permissions Work?
And another article which illustrates, what Pjotr had already explained briefly, how to prevent normal users from accessing each other's home directories easily: How to Prevent Other Users From Accessing Your Home Directory in Ubuntu 14.04
Image
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
User avatar
Moem
Level 22
Level 22
Posts: 16226
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: Security Breach!!

Post by Moem »

Pjotr wrote: Mon Jun 18, 2018 4:29 am Solve it with this terminal command:

Code: Select all

chmod -v 700 $HOME
Repeat this in each user account that needs the same protection.
Interesting. What exactly is it that this command does?
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Sir Charles

Re: Security Breach! - Home directories readable to other users

Post by Sir Charles »

It gives read-write-execute permissions in home only to the account holder leaving out other users on the same system, if I have understood it correctly. For a brief explanation: https://www.lifewire.com/uses-of-command-chmod-2201064
For a little more thorough explanation: https://www.computerhope.com/unix/uchmod.htm
Last edited by Sir Charles on Mon Jun 18, 2018 4:55 am, edited 1 time in total.
User avatar
Pjotr
Level 23
Level 23
Posts: 19888
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland) 🇳🇱
Contact:

Re: Security Breach!!

Post by Pjotr »

Moem wrote: Mon Jun 18, 2018 4:42 am
Pjotr wrote: Mon Jun 18, 2018 4:29 am Solve it with this terminal command:

Code: Select all

chmod -v 700 $HOME
Repeat this in each user account that needs the same protection.
Interesting. What exactly is it that this command does?
It changes the permissions for your /home folder. 700 protects against any access from other users, while the issuing user (you) still has full access.

Default is 755, which means that the contents of your /home folder are both readable and executable by others, but only changeable by the issuing user (you).

I don't know why 755 is default; 700 makes more sense to me. Oh well, it's easy to change.... :mrgreen:
Last edited by Pjotr on Mon Jun 18, 2018 10:06 am, edited 1 time in total.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
User avatar
JerryF
Level 16
Level 16
Posts: 6554
Joined: Mon Jun 08, 2015 1:23 pm
Location: Rhode Island, USA

Re: Security Breach! - Home directories readable to other users

Post by JerryF »

That perplexed me when I found out that 755 is the default for a /Home/user account.

For an OS such as Linux that prides itself on security, that doesn't seem like a good idea.
Last edited by JerryF on Mon Jun 18, 2018 11:00 am, edited 1 time in total.
User avatar
all41
Level 19
Level 19
Posts: 9498
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Security Breach! - Home directories readable to other users

Post by all41 »

Proper permissions is still a somewhat perilous assumption of security.
You can easily change the attributes when booted into a live desktop.
The only real solution is encryption.
Everything in life was difficult before it became easy.
rene
Level 20
Level 20
Posts: 12240
Joined: Sun Mar 27, 2016 6:58 pm

Re: Security Breach! - Home directories readable to other users

Post by rene »

Recently discussed here as well: viewtopic.php?f=90&t=270507#p1477086.

I.e., you may want a system-wide backup solution to have access to home directories; having to run it as root only for that would with fair chance be the bigger security breach. But also as per above, anyone feel free to chmod their home, and here's official Ubuntu documentation saying the same:

https://help.ubuntu.com/lts/serverguide ... e-security

I do not myself run or have identified software that needs global home directory access but have taken the fact that turning them private is not default as a sign that some will exist. Yes, that's dangerously close to Cargo Cult Administration but given that I don't have untrusted local users either, oh well: Debian-derivative is as Debian does...
benali72
Level 4
Level 4
Posts: 278
Joined: Sat Mar 23, 2013 11:49 am

Re: Security Breach! - Home directories readable to other users

Post by benali72 »

Remember that permissions only enforce security for users operating within that linux instance. Someone could easily circumvent this by booting a live linux (like Puppy).

The only defense against this is encryption. For this reason if you have any concerns about data privacy & security, encrypt the home directories!
Locked

Return to “Software & Applications”