From: Sam James
To: gentoo-dev@lists.gentoo.org
Cc: mgorny@gentoo.org, chewi@gentoo.org
Subject: Re: [gentoo-dev] RFC: Setting default HOME_MODE in /etc/login.defs
Date: Sun, 11 Feb 2024 10:06:49 +0000
Organization: Gentoo
Message-ID: <878r3rqpkz.fsf@gentoo.org>
In-reply-to: <5d9776b3cea5c060ba73491a771f9736f255100d.camel@gentoo.org>
References: <5d9776b3cea5c060ba73491a771f9736f255100d.camel@gentoo.org>
User-agent: mu4e 1.10.8; emacs 30.0.50

Michael Orlitzky writes:

> On Sat, 2024-02-10 at 17:57 +0100, Daniel Simionato wrote:
>> Hello,
>> I'd like to start a discussion regarding setting HOME_MODE by default in
>> the /etc/login.defs file (owned by sys-apps/shadow package).
>>
>> Upstream keeps HOME_MODE commented:
>> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
>>
>> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
>> they will use the specified permission when creating a user home directory,
>> otherwise the default UMASK will be used.
>> Since the default umask is 022, keeping HOME_MODE unset will result in home
>> readable home direct
>
> umask 022 is also egregious, changing it to 027 would kill two birds.
> But in lieu of that, yes.

mgorny wrote in favour of this 13 years ago too:
https://blogs.gentoo.org/mgorny/2011/10/18/027-umask-a-compromise-between-security-and-simplicity/.

It would be a bigger change and require us to do a lot of daily-driver
testing first though.
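The HOME_MODE/UMASK rule quoted in the thread, as an added example that is neither part of the thread nor code from sys-apps/shadow: a small POSIX sh script that computes the mode useradd/newusers would give a new home directory from a login.defs fragment (HOME_MODE if set, otherwise 0777 & ~UMASK), places the upstream default beside the proposed setting, and audits an existing directory of homes for group/world access. The two login.defs fragments are constructed for the example, and the fallback to UMASK 022 when neither key is present is an assumption.

```sh
#!/bin/sh
# Added example, not code from the thread or from sys-apps/shadow.
# Models the rule described in the thread: useradd/newusers create the home
# directory with HOME_MODE when it is set, otherwise with 0777 & ~UMASK.
# Assumption: when neither key is present, UMASK falls back to 022.
# Both login.defs fragments below are constructed for this example.

WEAK_LOGIN_DEFS='UMASK 022
#HOME_MODE 0700'      # upstream default: HOME_MODE left commented out

HARDENED_LOGIN_DEFS='UMASK 022
HOME_MODE 0700'       # proposed change: private home directories

# Last uncommented numeric value of key $2 in the login.defs text $1.
# A leading '#' does not match, so a commented-out key is ignored.
login_defs_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p" |
        tail -n 1
}

# Print the 4-digit octal mode a new home directory would get for the
# login.defs text read on stdin.
effective_home_mode() {
    conf=$(cat)
    home_mode=$(login_defs_value "$conf" HOME_MODE)
    if [ -n "$home_mode" ]; then
        printf '%04o\n' "$((0$home_mode))"
        return
    fi
    umask_val=$(login_defs_value "$conf" UMASK)
    [ -n "$umask_val" ] || umask_val=022   # assumed compile-time fallback
    printf '%04o\n' "$((0777 & ~0$umask_val))"
}

# List directories directly under $1 whose group or other permission bits
# are not all clear, i.e. homes reachable by other local users.
# Changing login.defs only affects homes created afterwards, so existing
# ones have to be found and chmod'ed separately.
audit_home_dirs() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        # columns 5-10 of 'ls -ld' are the group and other triplets
        go_bits=$(ls -ld "$d" | cut -c5-10)
        [ "$go_bits" = '------' ] || printf '%s %s\n' "$go_bits" "$d"
    done
}

printf 'upstream default   -> new homes get mode %s\n' \
    "$(printf '%s\n' "$WEAK_LOGIN_DEFS" | effective_home_mode)"
printf 'HOME_MODE 0700     -> new homes get mode %s\n' \
    "$(printf '%s\n' "$HARDENED_LOGIN_DEFS" | effective_home_mode)"
printf 'UMASK 027 instead  -> new homes get mode %s\n' \
    "$(printf 'UMASK 027\n' | effective_home_mode)"
# To check already-existing homes on a real system: audit_home_dirs /home
```

The audit step matters because neither HOME_MODE nor UMASK is retroactive: useradd applies them only when it creates the directory, so hardening login.defs leaves every existing home at whatever mode it was created with.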