Policies

Revision 26 as of 2010-01-14 21:20:07

Clear message

Sudo by Default

* Sudo (including root password) policy

No Open Ports

Default installations of Ubuntu must have no listening network services after initial install. Exceptions to this rule include network infrastructure services such as the DHCP client and mDNS (Avahi/ZeroConf, see ZeroConfPolicySpec for implementation details and justification). When installing Ubuntu Server, the administrator can, of course, select specific services to install beyond the defaults (e.g. Apache).

Local Network Privacy

For DHCP and mDNS to work fully, the local hostname is used when handling certain DHCP and mDNS actions. As such, the hostname of a system is not considered private information and is shared with the local network.

By default, user names are not available to the local network. However, they may become shared with the local network when various mDNS-announcement services are enabled (e.g. Rhythmbox Music Sharing, Remote Desktop, etc). As such, it is best to consider individual local user names as public, but the list of all users on a system as private. For this reason, any mechanisms that allow an unauthenticated remote way to query for a list of all local user names should be considered a security issue.

Reasonable Physical Access

While every attempt is made to securely isolate physically local users of a shared computer from one another, the stock Ubuntu installation is not intended to block an attacker with physical access. If this is a priority for your system, it is recommended that you take advantage of hard drive encryption, BIOS passwords, and other mechanisms designed to increase physical access security.

By default, Ubuntu's root user does not have a password. As a result, the "safe" and "recovery" modes (which require console access) will allow root to log in without a password. Since these systems use "sulogin", once a root password has been set, these modes will require the root password to start up. If this is desired, set a password with "sudo passwd root".

Unlimited Local Resource Utilization

The default Ubuntu configuration is designed to handle multiple users sharing resources. Because of this, it is possible for a single user to accidentally (or intentionally) use up all of a shared resource (e.g. CPU time, memory, hard drive space). A common example of this is a "fork-bomb", or filling all available disk space. If resource limits are a priority for your system, please investigate using ulimits and disk quotas to help limit resource over-usage.

Permissive Home Directory Access

By default, Ubuntu is designed to allow users to easily share files and help each other (see bug 48734). To support this, each user's default home directory is readable by all other users. Private files could be kept in the "Private" sub-directory, where access permissions can be set to limit access by other users (mode 0700). If restrictive home directory permissions are a priority for your system, please investigate the /etc/adduser.conf file for adjusting various settings when creating new users, including the default permission mask for newly created home directories.

Execute-Permission Bit Required

  • Applications, including desktops and shells, must not run executable code from files when they are both:
    • lacking the executable bit
    • located in a user's home directory or temporary directory.
  • The GNOME or KDE MIME type handlers must not circumvent this principle.

  • This includes *.desktop, *.jar, and *.exe files.

  • Nothing may provide a workaround to run them anyway automatically - i. e., never juxtapose <long explanatory text> with <easy button that bypasses the text>

  • Files downloaded from a web browser, mail client, etc. must never be saved as executable.
  • Files including executable elements (macros) aren't considered executable for this policy. Normal security policies should apply to those kinds of files (i.e. not being able to impact filesystem, etc).

Implementation Details

  • The error message when trying to open an executable file must:
    • explain why this may be a dangerous file
    • not give the option of launching it anyway
  • The error message when trying to open an executable file should:
    • give the option of looking for trusted software instead

    • link to a web page that has more details

  • CDs without Rock Ridge extensions have all files marked executable, so this policy doesn't apply (same with USB sticks).

Future Work

  • Programs that download executables from the Internet should mark them with extended attributes saying where they're from, when, and what user, as well as not marked +x

Drafts

  • None currently

Tech Board Ratifications

CategorySecurityTeam