/root is world-readable

Disclosure agreement

This issue will most likely be made public eventually. If you need to write content that should never be disclosed, write it in an internal note.

Summary

The /root directory has permissions drwxr-xr-x, i.e. it is world-readable, and so are a few files under it.

amnesia@amnesia:~$ ls -la /root
total 2
drwxr-xr-x 1 root root  60 Apr 13 14:48 .
drwxr-xr-x 1 root root 160 Apr 13 14:48 ..
-rw-r--r-- 1 root root 774 Apr  7 12:02 .bashrc
drwx------ 2 root root   3 Apr  7 12:02 .cache
drwxr-xr-x 3 root root  31 Apr  7 12:02 .config
drwx------ 3 root root 180 Apr 13 14:48 .gnupg
drwxr-xr-x 3 root root  28 Apr  7 12:02 .local
-rw-r--r-- 1 root root 132 Mar  2 21:50 .profile
drwx------ 2 root root   3 Apr  7 12:02 .ssh

FWIW it is also the case in Tails 4.0 (the oldest image I have on hand) from 2019.

To Do

  • Set milestone to the upcoming release
    • We can fine-tune this later once we have assessed severity.
  • Fill the Summary, Impact, and Availability sections, so that:
    • We can assess the severity of this issue.
    • Our technical writers have the information they need to write release notes.
  • Assess the severity of this issue according to our Security issue response policy
  • Have the severity assessment confirmed by another Tails Team member
  • Track the next steps, according to our Security issue response policy
    • The next steps depend on the severity of this issue.
    • For example: track when this issue can be disclosed, in a way that will survive this issue being closed and the corresponding MR being merged.
  • Decide whether we will do an emergency release or document mitigation measures

Impact

A user may use the /root directory and have implicit, unchecked expectations that our current configuration does not meet. In that case, an adversary with unprivileged code execution within Tails can access files stored by the user in /root under the mistaken assumption that they would be better protected than, say, in /home/amnesia.

Availability

The attacker needs code execution as any user within Tails.

Details

(How exactly can an attacker exploit this security issue.)

Possible fixes

Make /root 0700 in auto/build and verify this propagates to a build.

Related documentation

Edited by anonym
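
One way to do the "verify this propagates to a build" step from Possible fixes, as an added example that is not part of the original issue or of Tails' own build code. It assumes the built image has been unpacked or mounted at a path passed as the first argument, that GNU stat and find are available, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check that <image-root>/root is not accessible to group/other.
# Assumes GNU stat/find (Debian userland) and an unpacked image or chroot.

# Succeeds only if the directory has no group/other permission bits set.
dir_is_private() {
    mode=$(stat -c '%a' -- "$1") || return 2
    # Leading 0 makes the shell read the mode as octal; 077 masks group+other.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Lists entries below the directory that carry the world-read bit.
world_readable_entries() {
    find "$1" -mindepth 1 -perm -004 -print
}

# Audits <image-root>/root; returns 0 when private, 1 when exposed.
audit_root_home() {
    target="${1%/}/root"
    if dir_is_private "$target"; then
        echo "OK: $target is private (mode $(stat -c '%a' -- "$target"))"
        return 0
    fi
    echo "FAIL: $target has mode $(stat -c '%a' -- "$target"), expected 700"
    echo "World-readable entries currently reachable through it:"
    world_readable_entries "$target" | sed 's/^/  /'
    return 1
}

# Run only when an image root is given, e.g.: sh check.sh /path/to/unpacked-image
if [ "$#" -gt 0 ]; then
    audit_root_home "$1"
fi
```

With the directory at 0700, files such as .bashrc may still carry mode 644, but other users can no longer traverse /root to reach them, which is why the pass/fail result depends only on the directory mode.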