Ubuntu has evolved a lot since its early beginnings as an easier-to-use derivative of Debian that catered primarily to the nascent Linux desktop market. Today Ubuntu is deployed beyond just your laptops at home and in the office. Nowadays you are more likely to find Ubuntu in the cloud, powering some of the world’s best known enterprises and running on various IoT devices out in the field. With this shift in adoption has come many different technical challenges and trade-offs due to the competing demands of each of these environments. One such challenge that is always front-of-mind for Ubuntu developers is the tension between security and usability. With an early and continued focus on both usability and security, Ubuntu has prided itself on being the go-to choice for both users and developers. The choice of appropriate sensible defaults lets users be productive without having to fight against their operating system.
In modern environments, strong security is paramount. This is best achieved through a defense-in-depth approach, where multiple controls and elements are used to achieve a more resilient solution. For Ubuntu, this has always been a priority and has led to the creation of various default security features. These include no open network ports by default, automatic security updates, enablement of security controls like AppArmor and snaps for seamless application sandboxing, and the use of a wide range of compiler hardening features ensure that Ubuntu provides not only a high degree of usability, but a very strong security posture out-of-the-box.
One particular security/usability trade-off that has often been cited over the years is the choice of default permissions for the user’s home directory. At a high level, traditional directory permissions (like files) are broken down into 3 types (read, write and execute) and these can be assigned independently for 3 categories of users (owner, group and others). This allows a user to restrict access to files within a private directory to only their own user, or to allow access to public data to other users on the system on a directory-by-directory basis. When creating a new user for Ubuntu (whether during the installation process or after) their home directory will be created with a default set of permissions – and traditionally this has been chosen to enable shared access to files within home directories by enabling both read and execute permissions for other users. This default was chosen in the early days of Ubuntu, to support use-cases like multiple family members sharing a single PC and wanting to easily share files with one another or within university environments to support easy collaboration. The addition of per-user home directory encryption was also provided during this time, to provide privacy for those users who required it. However, as alluded to earlier, these use-cases for Ubuntu are perhaps now a bit quaint when considered in the modern era of cloud computing and IoT which have very different requirements and security exposure. With this in mind, for the forthcoming Ubuntu 21.04 release we have decided to switch to a more private default, so that for new installations of Ubuntu 21.04, or for users created on a machine that has been upgraded to Ubuntu 21.04, home directories will be private by default.
For a lot of systems that have only one primary user, this change may not appear to have a huge impact. However, whilst these machines may have only one human user, they likely have other user accounts already on them which are created by various system services. This change now means that in the future if an attacker were to exploit some previously unknown vulnerability in a given system service that is running as a separate user, they would then not be able to access the data of any other user (both human or system service) on the system. This provides a more secure out-of-the-box experience for users and system administrators.
There may be some existing use-cases that are affected by this change – for example, a user running libvirt based virtual machines who stores the disk images within their home directory. In this case, the virtual machines run under the libvirt-qemu user and so with this new permission change, any virtual machines stored within the user’s home directory are now not able to be accessed by libvirt. To resolve this, a user can give selective access to these files via the use of an appropriate access control list entry for their home directory as follows:
setfacl -m u:libvirt-qemu:rx $HOME
This specifies that the libvirt-qemu user should have read and execute permission for the home directory of the user – which allows libvirt-qemu to see the names and contents of any virtual machine images as required.
If you wish to try this out now, you can also make the same changes for an existing Ubuntu installation so that any existing or newly created home directories private by default:
# make all existing home directories private
sudo chmod 750 /home/*
# ensure any users created by either the adduser(8) or useradd(8)
# commands have their home directories private by default
sudo sed -i s/DIR_MODE=0755/DIR_MODE=0750/ /etc/adduser.conf
echo "HOME_MODE 0750" | sudo tee -a /etc/login.defs
Conversely, if you wish to disable this feature once you are running Ubuntu 21.04 and return to having shared access to home directories by default, simply run the following commands:
# change adduser(8) to enable permissive home directory permissions
sudo dpkg-reconfigure adduser
# and ensure useradd also follows suit
sudo sed -i 's/^\(HOME_MODE\s\+0750\)/#\1/' /etc/login.defs
This is just one small example of how Ubuntu offers both a high degree of usability and security by default, and how we continue to evolve this balance over time. If you wish to provide feedback on this feature, please come join the discussion with the Ubuntu community over on the Ubuntu Discourse.