SecureHome

NOTE: This page is part of the Ubuntu Specification process. Please check the status and details in Launchpad before editing. If the spec is Approved then you should contact the Assignee, or another knowledgeable person, before making changes.

Summary

This specification aims to move Ubuntu to a secure home directory format, where the contents of $HOME are only accessible by the owner. We give a Shared Documents home for sharing document

Rationale

All user created files are currently readable by all other users, which may be a problem. Although most sensitive information such as e-mail is chmod()ed properly by the application, some sensitive information may be in documents or text files that are left world-readable; for example, ~/.tomboy/ and all contained notes are world-readable. Users' documents should only be shared with other users explicitly; it should still be possible to do such sharing.

Use cases

This is general document security; but for the sake of argument we will list several.

  • Alice copies her PGP private key from another computer, using a VFAT formatted USB drive. She places it in $HOME and then imports it via GPG. The copy in $HOME is world-readable; but her $HOME is mode 700 and files within it cannot be reached anyway.

  • Bob has entered the passwords for a few Web site accounts into Tomboy. $HOME/.tomboy/3116be58-9124-4641-9743-b43537553efe.note is mode 644, but $HOME can't be executed and so $HOME/.tomboy can't be accessed.

  • Keybuk wants pitti to grab a patch from off the shell server. He places it in Shared Documents so pitti can access it.

Scope

The scope is all existing and new Ubuntu installations. Upgrades will be handled by applying the proper permission to each user's $HOME including root.

Design

  • Every $HOME directory connected to a user considered a log-in user (those showing up in Users and Groups, including root) will be set to mode 0700.

  • A directory, /home/.shared, will be created. No user ".shared" may be created. (Unix user names should not start with period).

    • /home/.shared will be mode 01777

    • GNOME will show a Shared Documents below Home in all lists of places; this will link to /home/.shared.

    • KDE will show a Shared Folder item below system:/ and the System Menu Kicker applet which mirrors system:/ (I presume) will also contain this entry.
  • The umask is kept as 0022 so that files in /home/.shared will be world-readable.

Implementation

An upgrade script, some modifications to GNOME.

Code

Data preservation and migration

See first point of Unresolved Issues below.

Unresolved issues

  • Some users may be relying on shared $HOME already. There needs to be a "Secure files in my Home so other users can't access them" checkbox somewhere.

  • You only mention GNOME. What about KDE and Kubuntu?
    • I don't use KDE and thus neither know nor care what the file selector looks like; this is not a difficult problem, I'm sure you can find someone who both cares and can implement it. Drop a symlink in ~/Desktop/ if all else fails. --JohnMoser

      • Whoa there, be nicer towards others' feelings. Would you like it if I say, that I don't use GNOME and thus don't care what GNOME looks like, and that in fact I dislike GNOME? No. So I should not say so, and you should not, either. It's against the Ubuntu code of conduct. -- Jamadagni
        • That's the general attitude I get on IRC from people using KDE; I've figured out that I really don't care and it's not necessary to get things done as long as you've got people from both sides. How did it go? "You may not like him, you may downright hate him, you may think he's the biggest idiot in the world; but he's your captain and you'll damn well do what he says." --JohnMoser

  • If we care about this then the users are probably on the same physical machine. This means they're probably physically accessing it and can LiveCD around this. I believe EncFS has a PAM module we can use; but this has its own issues (forgetting your password is FATAL).
    • True enough, but still useful. It's likely that many Ubuntu end-users won't realize that's possible.
  • Perhaps this page (and the spec) should be renamed "SecureHomePermissions" to emphasize that it has nothing to do with encryption.

    • Possibly. I was thinking secure as in run-time secure, which encryption has nothing to do with. Encryption is pretty much useful for breaking the "physical access == owned" concept. --JohnMoser

BoF agenda and discussion


CategorySpec

SecureHome (last edited 2008-08-06 16:23:00 by localhost)