On 2/10/24 11:57 AM, Daniel Simionato wrote: > Hello, > I'd like to start a discussion regarding setting HOME_MODE by default in > the /etc/login.defs file (owned by sys-apps/shadow package). > > Upstream keeps HOME_MODE commented: > https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207 > > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, > they will use the specified permission when creating a user home directory, > otherwise the default UMASK will be used. > Since the default umask is 022, keeping HOME_MODE unset will result in home > readable home directories created by useradd, which goes against security > best practices. > > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH > based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at > 0750. Debian and Gentoo are two exceptions, keeping the upstream value of > HOME_MODE (although login.defs is changed in other ways). > > I previously made a PR on github where you can find more details ( > https://github.com/gentoo/gentoo/pull/35231), but as pointed in the > comments this probably warrants some discussion beforehand. > > I can understand the argument against the change, which is keeping in sync > with upstream and don't risk changing the historic default behaviour of > tools some users might rely upon. As a config file, I think we can feel fine changing the defaults without worrying about diverging from upstream, and sticking to worrying "is this a good config value for us". As far as the actual change goes... Arguments in favor of keeping the existing default: - "someone might be relying on it" - security-sensitive software often sets a heavily restricted value for this purpose already, e.g. ssh / gnupg - sometimes it is necessary for other users to see your files, classic example being ~/public_html Arguments in favor of changing the default: - managing files that should be private by changing their permissions is tiresome, and not all private files are managed by "security-sensitive software". If you're writing the next Great American Novel in libreoffice on a shared user system, did you *know* you'd need to protect it from your arch-enemy who hopes to read your homedir and sell your novel instead of you? - You can manage ~/public_html by using setfacl to give apache read access to your entire home directory without granting it to everyone. You're still vulnerable to complete information leakage of your home directory to the apache user, but not also to the aforementioned arch-enemy Regarding which default to change to: - someone who added another account to their user group probably did so with the expectation that they'd be sharing files with that other account, and 700 mode in particular feels like going against that > I do believe though there's merit in providing safer and secure defaults, > so I would like HOME_MODE to have a safe default value for Gentoo and > Gentoo based distros. > > Have a nice day, > Daniel > -- Eli Schwartz