Full Disclosure mailing list archives

Re: Scope of Debian's /home/loser is with permissions 755, default umask 002

From: Pim van Stam <pim () svsnet nl>
Date: Fri, 13 Nov 2020 10:38:54 +0100

On 12 Nov 2020, at 12:26, Georgi Guninski <gguninski () gmail com> wrote:

On Debian /home/loser is with permissions 755, default umask 0022

(If you don't understand the numbers, this means a lot of
files are world readable).

On multiuser machines this sucks much.

Question: How much sensitive data can be read on default install?


Nothing or everything, depends on how you see it.
On default install there is only 1 active user, which is the person installing the system.
This person can see everything (is part of sudo group). The rest of the world can see nothing.

Then, and that is important, the person installing must know how to secure.
If you want to have multiple normal users and services, like web- and mailservices, you have to take extra care on 
securing the system.

Things like setting the rights, acl’s, sticky bits, etc are topics for linux beginners training!
Do take time to secure a system (any system).


Partial results:

1. mutt (text email client) exposes ~/.mutt/muttrc,
which might contain the imap password in plaintext.


should be 0700 / 0600


2. Some time ago on a multiuser debian mirror we found a lot of data,
including the wordpress password of the admin.


Too many times a see the www directory structure as 777, 775 or 755, where 700 or 750 is also working.


3. Anything created by EDITOR NEWFILE is readable, unless the directory
prevents. This include root doing EDITOR /etc/NEWFILE


So ?

Debian said won't fix:
https://www.openwall.com/lists/oss-security/2020/10/07/4


For most systems that’s ok, when having aware users (with clue)
For systems with unaware (clueless) people you have to do more system management. But that’s a general thing in my 
opinion.

Best regards,

Pim van Stam

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Scope of Debian's /home/loser is with permissions 755, default umask 002 Georgi Guninski (Nov 12)
- Re: Scope of Debian's /home/loser is with permissions 755, default umask 002 bo0od (Nov 15)
- Re: Scope of Debian's /home/loser is with permissions 755, default umask 002 Pim van Stam (Nov 15)