/root is world-readable
# Disclosure agreement

This issue will most likely be made public eventually. If you need to write contents that should not be disclosed ever, write it in an _internal note_.

# Summary

The `/root` directory has permissions `drwxr-xr-x`, i.e. it is world-readable, and so are a few files under it.

```sh
amnesia@amnesia:~$ ls -la /root
total 2
drwxr-xr-x 1 root root 60 Apr 13 14:48 .
drwxr-xr-x 1 root root 160 Apr 13 14:48 ..
-rw-r--r-- 1 root root 774 Apr 7 12:02 .bashrc
drwx------ 2 root root 3 Apr 7 12:02 .cache
drwxr-xr-x 3 root root 31 Apr 7 12:02 .config
drwx------ 3 root root 180 Apr 13 14:48 .gnupg
drwxr-xr-x 3 root root 28 Apr 7 12:02 .local
-rw-r--r-- 1 root root 132 Mar 2 21:50 .profile
drwx------ 2 root root 3 Apr 7 12:02 .ssh
```

FWIW it is also the case in Tails 4.0 (the oldest image I have on hand) from 2019.

# To Do

- [x] Set milestone to the upcoming release
  - We can fine-tune this later once we have assessed severity.
- [x] Fill the _Summary_, _Impact_, and _Availability_ sections, so that:
  - We can assess the severity of this issue.
  - Our technical writers have the information they need to write release notes.
- [x] Assess the severity of this issue according to our [Security issue response policy](https://tails.net/contribute/security_policy/)
- [x] Have the severity assessment confirmed by another Tails Team member
- [x] Track the next steps, according to our [Security issue response policy](https://tails.net/contribute/security_policy/)
  - The next steps depend on the severity of this issue.
  - For example: track when this issue can be disclosed, in a way that will survive this issue being closed and the corresponding MR being merged.
- [x] [Decide](https://tails.net/contribute/working_together/roles/release_manager/#emergency-release) whether we will do an emergency release or document mitigation measures

# Impact

A user may use the `/root` directory and have implicit, unchecked expectations that our current configuration does not meet.
In that case, an adversary with unprivileged code execution within Tails can access files stored by the user in `/root` under the mistaken assumption they would be better protected than, say, in `/home/amnesia`.

# Availability

The attacker needs code execution as any user within Tails.

# Details

(How exactly can an attacker exploit this security issue.)

# Possible fixes

Make `/root` 0700 in `auto/build` and verify this propagates to a build.

# Related documentation

- [Security issue response policy](https://tails.net/contribute/security_policy/)
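
One way to do the "verify this propagates to a build" step from a shell in the built image, as an added example that is not part of the original issue or Tails' own code. The function names are hypothetical and only POSIX `find` and `ls` are assumed.

```sh
#!/bin/sh
# Added example: audit that a directory such as /root is private (mode 0700).
# Function names are hypothetical; only POSIX find/ls are used.

# is_private DIR: succeeds only if DIR is a directory with mode exactly 0700.
is_private() {
    [ -n "$(find "$1" -prune -type d -perm 0700 -print 2>/dev/null)" ]
}

# world_readable DIR: print entries at or under DIR that "other" can read.
# Directories "other" cannot traverse are pruned, since nothing below them
# is reachable by an unprivileged user (e.g. a 0700 .ssh or .gnupg).
world_readable() {
    find "$1" -type d ! -perm -001 -prune -o -perm -004 -print
}

# audit_private_dir DIR: return 0 if private, 1 if exposed, 2 if not a directory.
audit_private_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi
    if is_private "$dir"; then
        echo "OK: $dir is mode 0700"
        return 0
    fi
    echo "FAIL: $dir is not mode 0700:" >&2
    ls -ld "$dir" >&2
    echo "World-readable entries reachable by any user:" >&2
    world_readable "$dir" >&2
    return 1
}

# Run against the path given on the command line, e.g.: sh audit.sh /root
if [ "$#" -gt 0 ]; then
    audit_private_dir "$1"
fi
```

The non-zero exit status on an exposed directory lets the check fail an automated test run instead of relying on someone reading `ls` output.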