Bad Security on Ubuntu?
I just set SSH up on Ubuntu and made a new account via adduser from another system, and I noticed that the user can access and get info from any other user's home dir. A few people talked about this on IRC also, and the security seems very lame.
So is this something you have to edit yourself to change "default permissions", and if so, how? Or is it something that was missed on the latest build?

You can set a tighter DIR_MODE in /etc/adduser.conf. Haven't used Ubuntu, but at least on Kanotix the default was IIRC 0755.

I think this is more of an adduser-specific problem than a distro-specific one. Depending on the debconf level you've chosen, debconf usually asks when adduser is upgraded whether you want system-wide readable home directories. This can also be set in Ubuntu at any time by running "sudo dpkg-reconfigure adduser" (and you can set the debconf level with "sudo dpkg-reconfigure debconf").
I haven't been running Ubuntu for very long, but I've noticed that many potential security issues have been considered in Ubuntu from the point of view of a desktop system, and the security settings are generally tighter than in Debian. For example, in Ubuntu CUPS by default listens only to localhost while Debian's CUPS listens to all connections. Of course, Debian is designed to be used on servers as well as on the desktop while Ubuntu is more desktop oriented, so Debian sysadmins are expected to know the potential security issues and to tweak the settings accordingly.

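An added example (not written by anyone in this thread): a shell audit that reads the DIR_MODE setting from /etc/adduser.conf mentioned above and lists existing home directories that grant any access to other users. DIR_MODE only applies to directories adduser creates afterwards, so existing homes are checked separately; the function names and the --report flag are this example's own.

```shell
#!/bin/sh
# Added example: audit adduser's DIR_MODE and existing home directory modes.

# Print the DIR_MODE value from an adduser.conf-style file (empty if unset).
# Commented-out lines are ignored; the last active assignment wins.
get_dir_mode() {
    conf=${1:-/etc/adduser.conf}
    sed -n 's/^[[:space:]]*DIR_MODE[[:space:]]*=[[:space:]]*"\{0,1\}\([0-7]\{3,4\}\)"\{0,1\}.*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1
}

# Succeed if an octal mode string grants read, write or execute to "other".
# The last octal digit holds the "other" bits, so any non-zero digit is open.
mode_open_to_others() {
    case $1 in
        *[1-7]) return 0 ;;
        *)      return 1 ;;
    esac
}

# List directories directly under a home root that are open to "other".
list_open_homes() {
    root=${1:-/home}
    find "$root" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# Run the audit against the live system only when asked to.
if [ "${1:-}" = "--report" ]; then
    mode=$(get_dir_mode)
    echo "adduser DIR_MODE: ${mode:-unset}"
    if [ -n "$mode" ] && mode_open_to_others "$mode"; then
        echo "new home directories will be accessible to other users"
    fi
    echo "existing home directories open to other users:"
    list_open_homes /home
fi
```

Each directory it lists can be closed with `chmod o-rwx`, and lowering DIR_MODE (for example to 0750 or 0700) keeps new accounts from being created open.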
Quote:
-- Just to clarify, I'm not taking issue with your post, which I think is a very accurate assessment of the situation. I'm just taking issue with the *situation*. ;)

I cannot help but agree with digiot. I was just thinking that it is sysadmins who are usually better informed about possible security risks while desktop users are only beginning to realize that it's a dangerous www out there, so they are the ones who are more in need of protection. But that, indeed, is a poor excuse for Debian having less secure default settings than Ubuntu.
Here is some useful reading for anyone who wants to make their Debian (or Ubuntu) system more secure:
http://www.tldp.org/HOWTO/Security-HOWTO/
http://www.linuxsecurity.com/resourc.../index.en.html