LinuxQuestions.org


TuxToaster 02-19-2005 10:26 PM

Bad Security on Ubuntu ?
 
I just set SSH up on Ubuntu and made a new account via adduser from another system, and I noticed that user can access and get info from any other user's home dir. A few people talked about this on IRC also, and the security seems very lame.
So is this something you have to edit yourself to change "default permissions", and if so, how? Or is it something that was missed on the latest build?

makuyl 02-20-2005 05:10 AM

You can set a tighter DIR_MODE in /etc/adduser.conf. Haven't used Ubuntu, but at least on Kanotix the default was IIRC 0755.

Dead Parrot 02-20-2005 05:51 AM

I think this is more of an adduser-specific problem than a distro-specific one. Depending on the debconf level you've chosen, debconf usually asks when adduser is upgraded if you want system-wide readable home directories. This can also be set in Ubuntu at any time by running "sudo dpkg-reconfigure adduser" (and you can set the debconf level with "sudo dpkg-reconfigure debconf").

I haven't been running Ubuntu for very long but I've noticed that many potential security issues have been considered in Ubuntu from the point of view of a desktop system and the security settings are generally tighter than in Debian. For example, in Ubuntu CUPS by default listens only to localhost while Debian's CUPS listens to all connections. Of course, Debian is designed to be used in servers as well as on the desktop while Ubuntu is more desktop oriented, so Debian sysadmins are expected to know the potential security issues and to tweak the settings accordingly.
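A read-only check of the setting discussed in the two replies above, as an added example that is not part of any post in this thread: it reads DIR_MODE from an adduser.conf file and lists existing home directories that still grant access to other users, because DIR_MODE only applies to accounts created after it is changed. The function names and the default /home base directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the last uncommented DIR_MODE value found in an adduser.conf-style file.
dir_mode_setting() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*DIR_MODE=\([0-7][0-7]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if an octal mode grants any permission to "other" (last digit 1-7).
mode_allows_others() {
    case "$1" in
        *[1-7]) return 0 ;;
        *)      return 1 ;;
    esac
}

# List directories directly under a base dir that have any "other" bit set.
open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# Report on both the default for new accounts and the existing directories.
audit_homes() {
    conf=${1:-/etc/adduser.conf}
    base=${2:-/home}   # assumed location of home directories
    mode=$(dir_mode_setting "$conf")
    if [ -z "$mode" ]; then
        echo "DIR_MODE is not set in $conf"
    elif mode_allows_others "$mode"; then
        echo "DIR_MODE=$mode: new home directories will be open to other users"
    else
        echo "DIR_MODE=$mode: new home directories are closed to other users"
    fi
    open_homes "$base" | while IFS= read -r dir; do
        echo "open to other users: $dir"
    done
}

# Run the audit only when asked, e.g.: RUN_AUDIT=1 sh audit_homes.sh
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    audit_homes "$@"
fi
```

Directories it reports can be tightened individually with chmod; the script itself changes nothing.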

slakmagik 02-21-2005 11:29 PM

Quote:

Originally posted by Dead Parrot
...many potential security issues have been considered in Ubuntu from the point of view of a desktop system and the security settings are generally tighter than in Debian. For example, in Ubuntu CUPS by default listens only to localhost while Debian's CUPS listens to all connections. Of course, Debian is designed to be used in servers as well as on the desktop while Ubuntu is more desktop oriented, so Debian sysadmins are expected to know the potential security issues and to tweak the settings accordingly.

This post is not a knock on Debian because it applies to most every distro. This is dead wrong, IMO. Sysadmins should also damn well be expected to know how to *turn stuff on* as much as they are expected to know the security issues, while Joe User might not know how to turn it off or even that he *should* or *could* turn it off. This is the same thing *Windows* gets slammed for - leaving unnecessary services running and ports open and blahblahblah. The distinction between what's a server-type package and what's a desktop-type package should be crystal clear and even if you do select all the server junk, you should have to turn it all on. The box should be locked down to the outside from the start. Instead, people have wide open ports and can't access their sound device or disc drives. It's completely screwed - whether as a desktop *or* a server.

-- Just to clarify, I'm not taking issue with your post, which I think is a very accurate assessment of the situation. I'm just taking issue with the *situation*. ;)

Dead Parrot 02-22-2005 12:30 AM

I cannot help but agree with digiot. I was just thinking that it is sysadmins who are usually better informed about possible security risks while desktop users are only beginning to realize that it's a dangerous www out there, so they are the ones who are more in need of protection. But that, indeed, is a poor excuse for Debian having less secure default settings than Ubuntu.

Here is some useful reading for anyone who wants to make their Debian (or Ubuntu) system more secure:
http://www.tldp.org/HOWTO/Security-HOWTO/
http://www.linuxsecurity.com/resourc.../index.en.html


All times are GMT -5.