Monthly Archives: May 2009

adam_03may2009.plan

Leave a reply

I decided I would begin updating this again, if for no other reason than it helps to organize thoughts 😛

Nothing big this time, just thought this random musing on Ubuntu privacy would interest someone.

So Ubuntu 8.04 and above gives you a Private directory by default. It is an encrypted directory that is only mounted and decrypted when you log in, which makes it ideal for storing things you don’t want other users to see.

But it’s not as private as it might seem right off the bat. If you are logged in, and thus the directory is mounted and decrypted, any other user logged in at that time can simply navigate to it and browse it’s contents!

This isn’t really a security hole or anything, it’s just how it is designed. The real problem lays with Ubuntu’s default permissions for user’s home directories.

Let me restate the problem so it’s clear: a Private directory should not be able to be browsed at all by other users. It’s nice that it is encrypted which protected it from many kinds of prying most of the time, but still, I don’t want people to be able to snoop in it ever!

So the fix is simple, when in your user home directory:
chmod 700 Private

Now ONLY someone logged in as you may browse your Private directory. period. But this got me to thinking, and I wanted to take this a step further. It seemed to me, that it didn’t make sense that ANYONE could browse my entire user home directory. So next I restricted my entire user directory in a similar fasion, while sitting in: /home I did:
chmod 700 myUser

Which *worked* but gave me the predictable result that now the public_html directory in my user directory was now inaccessible to Apache :/

Clearly not acceptable. But the fix is easy. First, make sure your public_html directory in your user folder is part of apache’s group, on my system that is www-data:
While in your user directory: /home/myUser do:
chown myUser:www-data public_html

And make sure it’s permissions are: 755
Then, go to the home directory: /home and make your user ditectory part of the www-data group:
chown myUser:www-data myUser

And finally, make sure your user directory has 750 permissions:
chmod 750 myUser

And now your entire user directory is only readable to you and Apache, your public_html directory is still good to go. And your Private directory is completely locked down to JUST you. Privacy catastrophe averted! Or something like that 😛

Hopefully I’ll have more interesting things to write about as I go forward here!

– Adam