Posted on 7th Feb 2021 @ 4:30 PM
Most of you may be asking... Wasn't the HOME folder already PRIVATE? The quick answer to that question, is NO.
When you create a new user on an Ubuntu system that user can ‘read’ files in the main ~/Home folder. Y’know, the one you probably use for your personal stuff, settings, etc.
It sounds crazy lax, but back in the early days of Ubuntu the reasoning was that multi-user systems have “…some level of cooperation (if not trust) among the users – they’ll be members of the same family, or friends, or co-workers, or whatever – and it is useful for them to be able to share files reasonably conveniently”.
However, the world, and Ubuntu, has moved on considerably since that statement was made. All of us expect much stricter handling of our personal data, even on systems that we admin ourselves.
Ubuntu devs agree. They now think their ‘significant customer and user-base in the public cloud and server space’ merits stricter controls from the outset.
“World-readable home directories,” Ubuntu’s Security Tech Lead explains are “…more like a footgun than a feature – in this case, if a worker account is compromised, an attacker could now more easily access sensitive data from the other worker accounts or the admin account.”
And... The change comes.
In Ubuntu 21.04 Home folder are no longer ‘world-readable’ by default. Or to be explicitly technical, the directory permissions have changed from 755
to 750
.
It’s important to note that this change will not affect existing installs, nor any in-place upgrades to 21.04 in the spring. Only new Ubuntu 21.04 installs (and new users created therein) will benefit from these tighter permissions by default.
Why make this security tweak now, in 21.04? Well, better late than never. Plus it gives Ubuntu devs several releases to gauge the impact of, and work through any issues that arise from it in advance of the next LTS.
More details on the change can be gleaned from Ubuntu developer mailing list announcement.