Ubuntu 21.04 sets the Home directory as private by default

by ·

The upcoming Ubuntu 21.04 will set the Home directory as private by default. The head of Ubuntu security technology Alex Murray explained the reason for this change. Traditional directory permissions (such as files) can be divided into 3 types: read, write, and execute. These permissions can be assigned to 3 types of users: owner, group, and others. “This allows a user to restrict access to files within a private directory to only their own user, or to allow access to public data to other users on the system on a directory-by-directory basis.” When a new user is created in the Ubuntu system, the permissions of its Home directory are by default allowing other users to share file access, with read and execute permissions, so multiple family members can share a PC and easily share files with each other. This default setting is an early choice of Ubuntu, but now it is the era of cloud computing and the Internet of Things. This default permission set for the Home directory is a security risk, so they decided to change to the private default setting in the new version.

Ubuntu 20.04 Unity

This change will not have any impact on many systems with only one primary user. Here is an affected case: Users running libvirt-based virtual machines store disk images in their Home directory. In this case, the virtual machine is running under the libvirt-qemu user, therefore, with the new permissions change, libvirt now cannot access any virtual machines stored in the user’s Home directory. To solve this problem, users can selectively access these files by using the access control list entry of the Home home directory, as shown below:
setfacl -m u:libvirt-qemu:rx $HOME
This command specifies that libvirt-qemu has the read and execute permissions of the user’s Home directory, so libvirt-qemu can view the name and content of any virtual machine image as needed.
Of course, you can also disable this feature after upgrading to Ubuntu 21.04. By default, to share access to the Home directory, just run the following command:

# make all existing home directories private
sudo chmod 750 /home/*

# ensure any users created by either the adduser(8) or useradd(8)
# commands have their home directories private by default
sudo sed -i s/DIR_MODE=0755/DIR_MODE=0750/ /etc/adduser.conf
echo “HOME_MODE 0750” | sudo tee -a /etc/login.defs

Tags: