I just discovered this after years of using Ubuntu: every user account you have created on your Ubuntu computer (during installation or afterward) has read and execute permission on everything in the /home/ directory of EVERY user, by DEFAULT !!
(just type ll /home/ in a terminal and you'll see drwxr-xr-x on every home directory !)
This is outrageous: it means that any user account can read every document, every picture, everything belonging to any other user, even if that user is supposed to be protected by a password !!
This behavior is supposed to be fixed since release 21.04, but the fix DOES NOT APPLY TO PREVIOUSLY CREATED USER ACCOUNTS !
How to fix
You can manually remove the read and execute permission for other users on all existing home directories with this command:
sudo chmod 750 /home/*
And to fix the new account creation process (both adduser and useradd), you have to do this too:
sudo sed -i s/DIR_MODE=0755/DIR_MODE=0750/ /etc/adduser.conf
echo "HOME_MODE 0750" | sudo tee -a /etc/login.defs
After that you should be good to go.
To make sure everything is working, log in as a regular (non-root) user and try to access the home directory of any other user (ex: ll /home/other_user_name_here/Documents/); it should say Permission denied.
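Here is a small audit script, added as an example (it is not part of the original post), that checks the three things the fix above touches: which existing home directories still grant read or execute to "other", what DIR_MODE adduser.conf currently sets, and whether login.defs has a HOME_MODE line. The function names are my own; it assumes GNU coreutils (stat -c), which is what Ubuntu ships.

```shell
#!/bin/sh
# Added example (not from the original post): audit which home directories
# are still exposed to "other" users, and show what the account-creation
# defaults currently are. Assumes GNU coreutils (stat -c), i.e. Ubuntu.

# home_mode_is_exposed MODE
# MODE is an octal permission string such as 755 or 0750. True (exit 0) when
# the "other" digit carries read (4) or execute/search (1), meaning any local
# account can list or traverse the directory.
home_mode_is_exposed() {
    mode="$1"
    other="${mode#${mode%?}}"     # keep only the last octal digit ("other")
    [ $(( other & 5 )) -ne 0 ]
}

# list_exposed_home_dirs [BASE]
# Prints "MODE DIR" for every directory directly under BASE (default /home)
# whose mode still grants read or execute to others.
list_exposed_home_dirs() {
    base="${1:-/home}"
    for dir in "$base"/*; do
        [ -d "$dir" ] || continue
        mode=$(stat -c '%a' "$dir")
        if home_mode_is_exposed "$mode"; then
            printf '%s %s\n' "$mode" "$dir"
        fi
    done
}

# count_exposed_home_dirs [BASE]
# Prints the number of exposed directories under BASE; 0 means the
# "chmod 750" fix has been applied to every existing home directory.
count_exposed_home_dirs() {
    list_exposed_home_dirs "$1" | wc -l | tr -d ' '
}

# adduser_dir_mode [FILE]
# Prints the DIR_MODE value from an adduser.conf-style file (default
# /etc/adduser.conf). Empty output means the key is not set.
adduser_dir_mode() {
    sed -n 's/^DIR_MODE=//p' "${1:-/etc/adduser.conf}"
}

# login_defs_home_mode [FILE]
# Prints the HOME_MODE value from a login.defs-style file (default
# /etc/login.defs). Empty output means the key is not set, so useradd
# falls back to its own default.
login_defs_home_mode() {
    awk '$1 == "HOME_MODE" { print $2 }' "${1:-/etc/login.defs}"
}

# Run with --report to audit the real system:  sh audit_home.sh --report
if [ "${1:-}" = "--report" ]; then
    printf 'adduser.conf DIR_MODE: %s\n' "$(adduser_dir_mode)"
    printf 'login.defs HOME_MODE:  %s\n' "$(login_defs_home_mode)"
    printf 'Home directories readable by other users:\n'
    list_exposed_home_dirs
    printf 'Total exposed: %s\n' "$(count_exposed_home_dirs)"
fi
```

Run it once before and once after the chmod/sed/tee commands: the "Total exposed" line should drop to 0, DIR_MODE should read 0750, and HOME_MODE should be 0750. A home directory with mode 701 or 705 is still reported, since either bit alone lets another account reach files inside.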
More info & a personal note
The only explanation I could find for this unsafe and unintuitive default was:
This default was chosen in the early days of Ubuntu, to support use-cases like multiple family members sharing a single PC and wanting to easily share files with one another or within university environments to support easy collaboration.
But to me that's not a good excuse ! In the past, I might have created a "guest" account (with no password) on a laptop to let other people try Ubuntu... or I might have created another user account on a personal computer to run apps or scripts that I did not trust, thinking it would be unable to access my personal files... WRONG !