
Today I was testing something on my VPS and realized the "www-data" user has read access into home folders and into system-internal folders as well, which would give a possible attacker the ability to gather information outside of the /var/www directory, e.g. RSA keys or batch files in home directories.

First I thought I had broken my file permissions or something, but I could reproduce this behavior on a freshly installed virtual machine.

OS: Ubuntu 20.04 LTS, with all updates applied
Webserver: Apache2 with standard config

How I tested: sudo -u www-data bash --> nano /home/user/stuff.txt or nano /folder/rsa.pem

Is this expected behavior? Am I missing something? And how can I deny the www-data user access to specific folders?

Thanks in advance!

MrAdmin
  • 11

1 Answer


Globally-readable /home directories are expected behavior in Ubuntu 20.10 and earlier releases.

The behavior has been changed in 21.04 and newer releases; /home directories are no longer globally readable.

  • New installs of 21.04 and newer get the new behavior.
  • New installs of 20.04 and older get the old behavior.
  • Release upgrades do NOT change the behavior. If you release-upgrade from 20.04 to, say, 22.04, your /home dir will remain globally-readable.

Back in the day, you wanted folks to be able to read (not write) to files in your directory. That's one way that you shared information on a multi-user system. Of course, you also knew better than to keep private data on a multi-user system.

From a security standpoint, it's still true: Servers should be treated as multi-user systems. Don't keep sensitive private documents 1) Unencrypted, and 2) On the same filesystem as a public webserver.

user535733
  • 62,253
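As an added example (not code from the question or the answer above), a small POSIX sh audit that lists the home directories under a parent whose mode still grants read or search access to "other" (which is exactly what lets www-data, or any unprivileged account, walk into them), plus the chmod that removes that access; the DIR_MODE default in /etc/adduser.conf mentioned in the comments is what newer installs set and comes from general knowledge, not from this page.

```shell
#!/bin/sh
# Added example: audit and tighten per-user home directory modes.
# Assumes GNU coreutils stat(1) for "stat -c %a" (prints the octal mode).

# Print "<dir> <mode>" for each directory directly under $1 whose "other"
# permission bits grant read (4) or search/execute (1) access. On an
# upgraded 20.04 system this typically lists every home as 755.
world_readable_homes() {
    parent="$1"
    for d in "$parent"/*/; do
        [ -d "$d" ] || continue            # unmatched glob or stray file
        d="${d%/}"
        mode=$(stat -c %a "$d")
        other=$(( mode % 10 ))             # last octal digit = "other" bits
        if [ $(( other & 5 )) -ne 0 ]; then
            printf '%s %s\n' "$d" "$mode"
        fi
    done
}

# Drop all "other" access from one home directory. This matches what fresh
# 21.04+ installs get by default (DIR_MODE=0750 in /etc/adduser.conf); on a
# release-upgraded system existing homes keep their old mode until you do
# this explicitly. The owner and group keep whatever they already had.
restrict_home() {
    chmod o-rwx "$1"
}

# Usage: world_readable_homes /home ; restrict_home /home/alice
```

Run the audit as root so stat can read every entry; run restrict_home only on homes whose group you have checked, since services that legitimately need a path into a home (e.g. a per-user web directory) would lose it too.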