I must be doing something wrong.
I have created a second and third user in MATE 20.04, a desktop user, not an admin or a custom user, and that user is able to access other users' home directories from the command line and even copy that user's data, also able to access root as well, no password needed.
How come this is able to happen?
Have I messed something up when adding a new user?
Connect with the user that has these superpowers and show us the output of:
┌─[✗]─[olek@lenovo_apbook04u]─[/home]
└──╼ $ whoami
olek
┌─[olek@lenovo_apbook04u]─[/home]
└──╼ $ sudo date
[sudo] password for olek:
jeu. 25 juin 2020 11:27:16 CEST
Next you can check the groups that your user is a member of:
Hi,
Do not worry, please. You are doing it correctly. The matter is that Ubuntu default permissions for home directories allow access for other users.
Manual page on useradd command reads, in particular:
You do not seem to have done anything wrong - what you seem to have discovered is a feature of Debian's multi-user mode. Ubuntu, and therefore Ubuntu-Mate, are based on Debian.
"10.2.1 Limit the access rights of others on your data
If you use Debian in “multi-user” mode, the data of the other users are readable by you, and yours too, by necessity. You may want to restrict the other users access rights to some of your data."
...
"The graphical procedure is easy to execute (no need to open a terminal):
right-click on the folder > properties > “Permissions”.
Select the “None” option for the “Others” access rights: A window will ask you if you want to apply these modifications to all the files and folders embedded within the concerned folder, and we advise you to accept, in order to protect the full set of data included inside this folder."
Applying this to Ubuntu-Mate,
open Caja (the file manager), in the left-hand pane select "File System", then in the main pane the "home" folders will appear for all users on the computer.
Right-click on the home folder of the user for whom you wish to restrict others access.
Select "Properties".
On the "Permissions" tab for the "Others" set Folder and File access to "None", and click on the button "Apply Permissions to Enclosed Files".
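A command-line counterpart to the Caja steps above, as an added example that is not part of the original posts: it lists which directories under a base folder still grant access to "Others" and removes that access recursively, the equivalent of choosing "None" and "Apply Permissions to Enclosed Files". The function names and the sample tree (alice, bob) are constructed for illustration; the demo runs on a temporary directory, not the real /home.

```shell
#!/bin/sh
# Added example: audit and restrict "Others" access on home directories.

# Print the three "others" permission characters of a path, e.g. "r-x".
# A sticky bit shows as t/T in the last position; map it back to x/-.
others_bits() {
    ls -ld -- "$1" | cut -c8-10 | tr 'tT' 'x-'
}

# List directories directly under BASE that grant any access to "others".
list_open_homes() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue          # skip files and an unmatched glob
        [ -L "$d" ] && continue          # skip symlinks
        [ "$(others_bits "$d")" = "---" ] || printf '%s\n' "$d"
    done
}

# Remove all "others" access from DIR and everything inside it.
restrict_home() {
    chmod -R o-rwx -- "$1"
}

# Demo on a constructed tree (not the real /home): alice is open, bob is not.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/alice/Documents" "$base/bob"
    echo "private" > "$base/alice/Documents/notes.txt"
    chmod 755 "$base/alice" "$base/alice/Documents"
    chmod 644 "$base/alice/Documents/notes.txt"
    chmod 700 "$base/bob"
    echo "Open before:"; list_open_homes "$base"
    restrict_home "$base/alice"
    echo "Open after:";  list_open_homes "$base"
    rm -rf -- "$base"
}

demo
```

To audit a real system, call `list_open_homes /home`; changing permissions on a directory you do not own requires root.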