I just added a new, underprivileged "desktop user," and I was surprised to discover that it can see the files in my home folder.
What is the rational for setting up such lax permissions?
Ubuntu 21.04 and later releases have a secure default, see this blog article (archived link) linked by stackprotector in the comments section:
for new installations of Ubuntu 21.04, or for users created on a machine that has been upgraded to Ubuntu 21.04, home directories will be private by default.
However, the article implies that users created on Ubuntu < 21.04 will not be fixed automatically, even after applying security updates or upgrading to Ubuntu 21.04 or later. These users can be corrected by hand, with the following commands taken from the article.
To fix all existing users:
sudo chmod 750 /home/*
To fix the default for users that will be created in the future:
sudo sed -i s/DIR_MODE=0755/DIR_MODE=0750/ /etc/adduser.conf
echo "HOME_MODE 0750" | sudo tee -a /etc/login.defs
For Ubuntu < 21.04:
According to Mark Shuttleworth, Canonical's founder and CEO,
"The majority of users of Ubuntu systems either have exclusive use of the
machine (personal laptop) or are sharing with friends and relatives. We
assume that the people who share the machine are either trusted, or in a
position to hack the machine (boot from USB!) trivially. As a result,
there is little to no benefit"
... from removing those permissions.
