security problems with incorrect permissions for ubuntu 17.10

Hell User2233, this is an intentional design choice to enable users to share with each other. If this isn't appropriate for your environment you can modify the DIR_MODE variable in /etc/adduser.conf to set the permissions as desired.

https://help.ubuntu.com/lts/serverguide/user-management.html#user-profile-security

Thanks for reporting this issue, don't hesitate to report future issues.

Hello Seth, thank you for your answer.
It is so strange. As far as I know it was done so all users could access ~/Public directory and this does not apply to the directories like .config and .local which could contain private information and application settings.
~/.cache folder still contains 700.
I had correct permissions for those folders before (for example 14.04, 16.04):
/home
----/user1 (755)
--------/Public (755)
--------/.config (700)
--------/.local (700)
--------/.cache (700)
In normal circumstances .config and .local folders will be created by xdg-user-dirs-update utility with 700 permissions. Is it possible that xdg utility doesn't execute correct?

Oh, that's an interesting possibility. Thanks.

On Ubuntu MATE 17.10 I can confirm ~/.config is drwxr-xr-x
However with a new user ~/.cache is drwxrwxr-x and ~/.local is drwx------

This is definitely a regression compared to previous releases and needs investigation.

I can reproduce this issue with the 17.10 desktop installer.

With the 17.04 installer, only .local seems to be affected.

Looks like 16.04 is unaffected.

Here is one:
http://bazaar.launchpad.net/~ubuntu-desktop/session-migration/trunk/view/head:/src/session-migration.c#L270

Here's another:
https://git.gnome.org/browse/dconf/tree/service/dconf-gvdb-utils.c#n177
https://git.gnome.org/browse/dconf/tree/service/dconf-keyfile-writer.c#n210

and another:
https://git.gnome.org/browse/gnome-session/tree/gnome-session/gsm-util.c?h=gnome-3-26#n99

Didier, could you have a look to the session-migration part of the issue?

Sure, will have a look on the directory creation permission

This bug was fixed in the package session-migration - 0.3.3

---------------
session-migration (0.3.3) bionic; urgency=medium

  * src/session-migration.c:
    fix default permission when creating unexisting parent directories
    to be 700. (LP: #1735929)

 -- Didier Roche <email address hidden> Tue, 23 Jan 2018 10:31:30 +0100

Related bug in ubuntu-mate-welcome: bug 1745929

Any further progress on these issues?

d-conf (0.26.0-2ubuntu3) bionic; urgency=medium

  * 0001-Don-t-create-the-user-config-dir-as-world-readable.patch:
    - create the config dir with permissions 700 so it's not world readable
      (lp: #1735929)

 -- Sebastien Bacher <email address hidden> Thu, 29 Mar 2018 11:01:28 +0200

uh !! bionic-proposed is already at 0.26.1-3ubuntu2

so 0.26.0-2ubuntu3 is supposed to be uploaded to Artful archive , not bionic.

No, that was "dconf" (rename) and that never migrated to bionic due to armhf autopkgtest issues, I deleted that version to land that fix, the update can be uploaded again if someone figures out the test issues

Yeah but that tweak is quite dirty: try to downgrade from 0.26.1-3ubuntu2 to 0.26.0-2ubuntu3, and you are proposed to remove half of the packages list.

Maybe set the proposed version higher than the previous proposed one to bypass that issue.

dino99, we can't easily just set the version higher since the autopkgtest issue is triggered by 0.26.1 and higher versions.

http://autopkgtest.ubuntu.com/packages/n/notify-osd/bionic/armhf

Also, this is why I try suggesting really strongly to you guys not to run -proposed during the development cycle because these kind of removals happen.

(Maybe you just need to make sure you downgrade all the dconf binary packages at the same time.)

Next proposal:

rename to 0.26.1-3ubuntu3+isreally+0.26.0-2ubuntu3

This bug was fixed in the package d-conf - 0.26.0-2ubuntu3

---------------
d-conf (0.26.0-2ubuntu3) bionic; urgency=medium

  * 0001-Don-t-create-the-user-config-dir-as-world-readable.patch:
    - create the config dir with permissions 700 so it's not world readable
      (lp: #1735929)

 -- Sebastien Bacher <email address hidden> Thu, 29 Mar 2018 11:01:28 +0200

The weird version is no-go, bionic-proposed is not supposed to be used, it's a pocket designed for packages testing and validation, if you opt in for that you should know what you are doing. It's easy enough to go back, just install dconf-server/bionic libdconf1/bionic etc for all the dconf binaries you need

Change attached to the upstream bug

This bug was fixed in the package gnome-session - 3.28.1-0ubuntu1

---------------
gnome-session (3.28.1-0ubuntu1) bionic; urgency=medium

  * New upstream release
    - Don't create ~/.config as world-readable. (LP: #1735929)
  * Drop xsmp-don-t-check-for-HAVE_XTRANS.patch: Applied in new release

 -- Jeremy Bicha <email address hidden> Tue, 10 Apr 2018 10:09:40 -0400

Is there anything left to land here? I just installed the 2018-04-13 desktop iso, and while ~/.config has correct permissions, ~/.local does not.

Here's another:

https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/common/xf86Helper.c#n1136

Hello.

On 16.04 LTS (16.04.4) Release it looks this way:

[~]$ ls -ld .config/
drwxr-xr-x 24 user1 user1 4096 apr 14 18:21 .config/

[~]$ ls -ld .local/
drwx------ 3 user1 user1 4096 apr 30 2017 .local/

Thanks.

Hi daniel,

I wasn't able to reproduce with 16.04. Did you install the regular Ubuntu desktop, or a specific flavour?

Hi Marc.

I apologize for not mentioning a release type. It's Xubuntu 16.04 LTS. For now, I have no access to my other computer with Ubuntu 16.04 LTS so I can not verify this issue. Sorry.

Is it a problem, that incorrect permission - in this case - are in Xubuntu and not in Ubuntu? Will it be fixed?

Thanks and I apologize once again.

This bug was fixed in the package xorg-server - 2:1.19.6-1ubuntu4

---------------
xorg-server (2:1.19.6-1ubuntu4) bionic; urgency=medium

  * debian/patches/fix-default-permissions.patch: fix default permissions
    when creating the log directory. (LP: #1735929)

 -- Marc Deslauriers <email address hidden> Fri, 13 Apr 2018 11:31:45 -0400

I tested the 2018-04-21 daily image, and the permissions on ~/.config and ~/.local are OK now.