public inbox for gentoo-dev@lists.gentoo.org
From: Eli Schwartz <eschwartz93@gmail.com>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] RFC: Setting default HOME_MODE in /etc/login.defs
Date: Sat, 10 Feb 2024 21:12:32 -0500
Message-ID: <7c27d602-03eb-40fa-a1b9-798ef742d173@gmail.com>
In-Reply-To: <CAGJwT=845Re0yGrwrdDKMHZt+=cFmLEcbpv5WBDatKt-adehyg@mail.gmail.com>


On 2/10/24 11:57 AM, Daniel Simionato wrote:
> Hello,
>  I'd like to start a discussion regarding setting HOME_MODE by default in
> the /etc/login.defs file (owned by sys-apps/shadow package).
> 
> Upstream keeps HOME_MODE commented:
> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
> 
> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
> they will use the specified permission when creating a user home directory,
> otherwise the default UMASK will be used.
> Since the default umask is 022, keeping HOME_MODE unset will result in
> world-readable home directories created by useradd, which goes against
> security best practices.
> 
> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH
> based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
> 0750. Debian and Gentoo are two exceptions, keeping the upstream value of
> HOME_MODE (although login.defs is changed in other ways).
> 
> I previously made a PR on github where you can find more details (
> https://github.com/gentoo/gentoo/pull/35231), but as pointed out in the
> comments this probably warrants some discussion beforehand.
> 
> I can understand the argument against the change, which is keeping in sync
> with upstream and not risking changing the historic default behaviour of
> tools some users might rely upon.


As a config file, I think we can feel fine changing the defaults without
worrying about diverging from upstream, and sticking to worrying "is
this a good config value for us".

As far as the actual change goes...

Arguments in favor of keeping the existing default:

- "someone might be relying on it"
- security-sensitive software often sets a heavily restricted value for
  this purpose already, e.g. ssh / gnupg
- sometimes it is necessary for other users to see your files, classic
  example being ~/public_html


Arguments in favor of changing the default:

- managing files that should be private by changing their permissions is
  tiresome, and not all private files are managed by "security-sensitive
  software". If you're writing the next Great American Novel in
  libreoffice on a shared user system, did you *know* you'd need to
  protect it from your arch-enemy who hopes to read your homedir and
  sell your novel instead of you?
- You can manage ~/public_html by using setfacl to give apache read
  access to your entire home directory without granting it to everyone.
  You're still vulnerable to complete information leakage of your home
  directory to the apache user, but not also to the aforementioned
  arch-enemy.


Regarding which default to change to:

- someone who added another account to their user group probably did so
  with the expectation that they'd be sharing files with that other
  account, and 700 mode in particular feels like going against that


> I do believe though there's merit in providing safer and secure defaults,
> so I would like HOME_MODE to have a safe default value for Gentoo and
> Gentoo based distros.
> 
> Have a nice day,
>  Daniel
> 

-- 
Eli Schwartz
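An added shell example, not part of the thread, that models the rule Daniel describes: useradd uses HOME_MODE when it is set (a commented-out `#HOME_MODE` line does not count), and otherwise derives the home directory mode from UMASK, which with the 022 default yields a world-readable 0755. The login.defs fragments are constructed, the function names are mine, and 022 is assumed as the fallback when no UMASK line is present, matching the default the thread cites.

```bash
#!/bin/sh
# Compute the mode useradd would give a new home directory from a
# login.defs fragment passed as a string (constructed samples below).
effective_home_mode() {
    defs=$1
    # Only uncommented assignments count; take the last one if repeated.
    home_mode=$(printf '%s\n' "$defs" |
        sed -n 's/^[[:space:]]*HOME_MODE[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' | tail -n 1)
    umask_val=$(printf '%s\n' "$defs" |
        sed -n 's/^[[:space:]]*UMASK[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' | tail -n 1)
    if [ -n "$home_mode" ]; then
        printf '%04o\n' "$((0$home_mode))"      # HOME_MODE wins when set
        return 0
    fi
    [ -n "$umask_val" ] || umask_val=022        # assumed fallback: the 022 default
    printf '%04o\n' "$(( 0777 & ~0$umask_val ))" # otherwise 0777 & ~UMASK
}

# Does "other" get read or execute (search) on a directory with this mode?
others_can_read() {
    [ "$(( 0$1 & 05 ))" -ne 0 ]
}

# Constructed fragments: upstream-style (HOME_MODE commented out) and
# the proposed 0700 / 0750 settings.
upstream_defs='UMASK		022
#HOME_MODE	0700'
proposed_defs='UMASK		022
HOME_MODE	0700'

for defs in "$upstream_defs" "$proposed_defs"; do
    mode=$(effective_home_mode "$defs")
    if others_can_read "$mode"; then verdict=world-readable; else verdict=private; fi
    printf 'home mode %s (%s)\n' "$mode" "$verdict"
done
```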

