From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id ADB4C15815E for ; Sun, 11 Feb 2024 10:12:01 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id BA37EE2A3C; Sun, 11 Feb 2024 10:11:57 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 665ABE2A1B for ; Sun, 11 Feb 2024 10:11:57 +0000 (UTC) References: User-agent: mu4e 1.10.8; emacs 30.0.50 From: Sam James To: gentoo-dev@lists.gentoo.org Cc: Michael Vetter Subject: Re: [gentoo-dev] RFC: Setting default HOME_MODE in /etc/login.defs Date: Sun, 11 Feb 2024 10:10:13 +0000 Organization: Gentoo In-reply-to: Message-ID: <871q9jqphy.fsf@gentoo.org> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-Archives-Salt: 27321e56-dd78-41f9-bfab-088db3cd0da9 X-Archives-Hash: 6d0934c157fb986bd9e6cec95bf2aad2 --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Daniel Simionato writes: > Hello, > I'd like to start a discussion regarding setting HOME_MODE by default in= the /etc/login.defs file (owned by > sys-apps/shadow package). > > Upstream keeps HOME_MODE commented: > https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c2846= 8e33a4529d5/etc/login.defs#L207 > > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,= they will use the specified permission when > creating a user home directory, otherwise the default UMASK will be used. > Since the default umask is 022, keeping HOME_MODE unset will result in ho= me readable home directories created by useradd, > which goes against security best practices. > > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH= based distros, OpenSuse, ArchLinux all set it > to 0700, Ubuntu has it at 0750. Debian and Gentoo are two exceptions, kee= ping the upstream value of HOME_MODE (although > login.defs is changed in other ways). > > I previously made a PR on github where you can find more details (https:/= /github.com/gentoo/gentoo/pull/35231), but as > pointed in the comments this probably warrants some discussion beforehand. > > I can understand the argument against the change, which is keeping in syn= c with upstream and don't risk changing the > historic default behaviour of tools some users might rely upon. > > I do believe though there's merit in providing safer and secure defaults,= so I would like HOME_MODE to have a safe > default value for Gentoo and Gentoo based distros. I'm in favour, although I'd be curious as to why upstream shadow don't just set it. It would be interesting to see if the discussion already happened there at some point (surely it has?) and find out their reasoning. (But that's not a blocker for proceeding.) I want to hear more opinions first though. Thanks for raising this, it's been in the back of my head. > > Have a nice day, > Daniel=20 best, sam --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iOUEARYKAI0WIQQlpruI3Zt2TGtVQcJzhAn1IN+RkAUCZcidaV8UgAAAAAAuAChp c3N1ZXItZnByQG5vdGF0aW9ucy5vcGVucGdwLmZpZnRoaG9yc2VtYW4ubmV0MjVB NkJCODhERDlCNzY0QzZCNTU0MUMyNzM4NDA5RjUyMERGOTE5MA8cc2FtQGdlbnRv by5vcmcACgkQc4QJ9SDfkZB3LAEAuKX597HDie1aZLFvNG5pN3aCN0QpJ56qDXtG zBgCb+ABAKgGgxovPPOB9Q/Zh/08SNCKkKFK0lZ1aDRxxaoz+9MH =G7E8 -----END PGP SIGNATURE----- --=-=-=--