Policies

Differences between revisions 34 and 35
Revision 34 as of 2021-02-01 00:43:34
Size: 5764
Editor: alexmurray
Comment: Update for private home dirs in >=hirsute
Revision 35 as of 2021-02-01 00:43:57
Size: 5692
Editor: alexmurray
Comment:
Deletions are marked like this. Additions are marked like this.
Line 47: Line 47:
  * More information can be found in the MultiUserManagement wiki page

Sudo by Default

* Sudo (including root password) policy

No Open Ports

Default installations of Ubuntu must have no listening network services after initial install. Exceptions to this rule on desktop systems include network infrastructure services such as a DHCP client and mDNS (Avahi/ZeroConf, see ZeroConfPolicySpec for implementation details and justification). For Ubuntu in the cloud, exceptions include network infrastructure services for the cloud and OpenSSH running with client public key and port access configured by the cloud provider. When installing Ubuntu Server, the administrator can, of course, select specific services to install beyond the defaults (e.g. Apache).

Local Network Privacy

For DHCP and mDNS to work fully, the local hostname is used when handling certain DHCP and mDNS actions. As such, the hostname of a system is not considered private information and is shared with the local network.

By default, user names are not available to the local network. However, they may become shared with the local network when various mDNS-announcement services are enabled (e.g. Rhythmbox Music Sharing, Remote Desktop, etc). As such, it is best to consider individual local user names as public, but the list of all users on a system as private. For this reason, any mechanisms that allow an unauthenticated remote way to query for a list of all local user names should be considered a security issue.

Reasonable Physical Access

While every attempt is made to securely isolate physically local users of a shared computer from one another, the stock Ubuntu installation is not intended to block an attacker with physical access. If this is a priority for your system, it is recommended that you take advantage of hard drive encryption, BIOS passwords, and other mechanisms designed to increase physical access security.

By default, Ubuntu's root user does not have a password. As a result, the "safe" and "recovery" modes (which require console access) will allow root to log in without a password. Since these systems use "sulogin", once a root password has been set, these modes will require the root password to start up. If this is desired, set a password with "sudo passwd root".

Unlimited Local Resource Utilization

The default Ubuntu configuration is designed to handle multiple users sharing resources. Because of this, it is possible for a single user to accidentally (or intentionally) use up all of a shared resource (e.g. CPU time, memory, hard drive space). A common example of this is a "fork-bomb", or filling all available disk space. If resource limits are a priority for your system, please investigate using ulimits and disk quotas to help limit resource over-usage.

Home Directory Access

Historically, Ubuntu was designed to allow users to easily share files and help each other (see bug 48734). To support this, each user's default home directory was readable by all other users. Private files could be kept in a "Private" sub-directory, where access permissions can be set to limit access by other users (mode 0700 or 0750). Since Ubuntu 21.04, this has been changed to instead make home directories private by default.

Execute-Permission Bit Required

  • Applications, including desktops and shells, must not run executable code from files when they are both:
    • lacking the executable bit
    • located in a user's home directory or temporary directory.
  • The GNOME or KDE MIME type handlers must not circumvent this principle.
  • This includes *.desktop, *.jar, and *.exe files.

    • Look for .desktop files with MimeType= and Exec= lines that do not use "cautious-launcher"

  • Nothing may provide a workaround to run them anyway automatically - i. e., never juxtapose <long explanatory text> with <easy button that bypasses the text>

  • Files downloaded from a web browser, mail client, etc. must never be saved as executable.
  • Files including executable elements (macros) aren't considered executable for this policy. Normal security policies should apply to those kinds of files (i.e. not being able to impact filesystem, etc).

Implementation Details

  • The error message when trying to open an executable file must:
    • explain why this may be a dangerous file
    • not give the option of launching it anyway
  • The error message when trying to open an executable file should:
    • give the option of looking for trusted software instead
    • link to a web page that has more details

  • CDs without Rock Ridge extensions have all files marked executable, so this policy doesn't apply (same with USB sticks).

Future Work

  • Programs that download executables from the Internet should mark them with extended attributes saying where they're from, when, and what user, as well as not marked +x

Drafts

  • None currently

Tech Board Ratifications


CategorySecurityTeam

SecurityTeam/Policies (last edited 2021-02-01 00:43:57 by alexmurray)