LinuxQuestions.org
Old 02-19-2005, 10:26 PM   #1
TuxToaster
Member
 
Registered: May 2003
Location: UK
Distribution: Debian
Posts: 127

Rep: Reputation: 15
Bad Security on Ubuntu ?


I just set SSH up on Ubuntu and made a new account via adduser from another system, and I noticed that user can access and get info from any other user's home dir. A few people talked about this on IRC also, and the security seems very lame.
So is this something you have to edit yourself to change "default permissions", and if so, how? Or is it something that was missed on the latest build?
 
Old 02-20-2005, 05:10 AM   #2
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 54
You can set a tighter DIR_MODE in /etc/adduser.conf. Haven't used Ubuntu, but at least on Kanotix the default was IIRC 0755.
 
Old 02-20-2005, 05:51 AM   #3
Dead Parrot
Senior Member
 
Registered: Mar 2004
Distribution: Debian GNU/kFreeBSD
Posts: 1,597

Rep: Reputation: 46
I think this is more of an adduser-specific problem than a distro-specific one. Depending on the debconf level you've chosen, debconf usually asks when adduser is upgraded if you want system-wide readable home directories. This can also be set in Ubuntu at any time by running "sudo dpkg-reconfigure adduser" (and you can set the debconf level with "sudo dpkg-reconfigure debconf").

I haven't been running Ubuntu for very long but I've noticed that many potential security issues have been considered in Ubuntu from the point of view of a desktop system and the security settings are generally tighter than in Debian. For example, in Ubuntu CUPS by default listens only to localhost while Debian's CUPS listens to all connections. Of course, Debian is designed to be used in servers as well as on the desktop while Ubuntu is more desktop oriented, so Debian sysadmins are expected to know the potential security issues and to tweak the settings accordingly.
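
Added example (not part of any post in this thread): a shell check for the two things discussed above, the DIR_MODE default in an adduser.conf-style file and which existing home directories are open to other local users. The function names are made up for this example, and the fixture is a constructed fake /home and adduser.conf in a temp directory, not real system files.

```shell
#!/bin/sh
# Added example: audit the adduser DIR_MODE default and existing home-directory modes.

# Print the last uncommented DIR_MODE value from an adduser.conf-style file.
adduser_dir_mode() {
    sed -n 's/^[[:space:]]*DIR_MODE[[:space:]]*=[[:space:]]*\([0-7]\{3,4\}\).*/\1/p' "$1" | tail -n 1
}

# Succeed if an octal mode gives "other" users no access bits at all.
mode_hides_from_others() {
    case "$1" in ''|*[!0-7]*) return 2 ;; esac   # reject empty or non-octal input
    [ $(( 0$1 & 07 )) -eq 0 ]
}

# List directories directly under $1 that other local users can read, write or enter.
exposed_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# Constructed fixture: fake home directories and config in a temp dir.
make_fixture() {
    FIX=$(mktemp -d) || return 1
    mkdir -p "$FIX/home/alice" "$FIX/home/bob" "$FIX/home/carol"
    chmod 0755 "$FIX/home/alice"   # the loose default mentioned in the thread
    chmod 0700 "$FIX/home/bob"     # owner only
    chmod 0750 "$FIX/home/carol"   # owner and group, nothing for others
    printf '%s\n' '# DIR_MODE=0700' 'DSHELL=/bin/bash' 'DIR_MODE=0755' \
        > "$FIX/adduser.conf"
}

make_fixture
mode=$(adduser_dir_mode "$FIX/adduser.conf")
if mode_hides_from_others "$mode"; then
    echo "DIR_MODE=$mode: new homes are closed to other users"
else
    echo "DIR_MODE=$mode: new homes will be open to other users"
fi
echo "Existing homes open to other users:"
exposed_homes "$FIX/home"
```

On a real system, call `adduser_dir_mode /etc/adduser.conf` and `exposed_homes /home`. DIR_MODE only applies to homes created afterwards, so directories that are already listed need a `chmod` on each one.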
 
Old 02-21-2005, 11:29 PM   #4
slakmagik
Senior Member
 
Registered: Feb 2003
Distribution: Slackware
Posts: 4,113

Rep: Reputation: Disabled
Quote:
Originally posted by Dead Parrot
...many potential security issues have been considered in Ubuntu from the point of view of a desktop system and the security settings are generally tighter than in Debian. For example, in Ubuntu CUPS by default listens only to localhost while Debian's CUPS listens to all connections. Of course, Debian is designed to be used in servers as well as on the desktop while Ubuntu is more desktop oriented, so Debian sysadmins are expected to know the potential security issues and to tweak the settings accordingly.
This post is not a knock on Debian because it applies to most every distro. This is dead wrong, IMO. Sysadmins should also damn well be expected to know how to *turn stuff on* as much as they are expected to know the security issues, while Joe User might not know how to turn it off or even that he *should* or *could* turn it off. This is the same thing *Windows* gets slammed for - leaving unnecessary services running and ports open and blahblahblah. The distinction between what's a server-type package and what's a desktop-type package should be crystal clear and even if you do select all the server junk, you should have to turn it all on. The box should be locked down to the outside from the start. Instead, people have wide open ports and can't access their sound device or disc drives. It's completely screwed - whether as a desktop *or* a server.

-- Just to clarify, I'm not taking issue with your post, which I think is a very accurate assessment of the situation. I'm just taking issue with the *situation*.

Last edited by slakmagik; 02-21-2005 at 11:31 PM.
 
Old 02-22-2005, 12:30 AM   #5
Dead Parrot
Senior Member
 
Registered: Mar 2004
Distribution: Debian GNU/kFreeBSD
Posts: 1,597

Rep: Reputation: 46
I cannot help but agree with digiot. I was just thinking that it is sysadmins who are usually better informed about possible security risks while desktop users are only beginning to realize that it's a dangerous www out there, so they are the ones who are more in need of protection. But that, indeed, is a poor excuse for Debian having less secure default settings than Ubuntu.

Here is some useful reading for anyone who wants to make their Debian (or Ubuntu) system more secure:
http://www.tldp.org/HOWTO/Security-HOWTO/
http://www.linuxsecurity.com/resourc.../index.en.html
 
  

