From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-101208-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 24D0715808B
	for <garchives@archives.gentoo.org>; Tue, 13 Feb 2024 20:01:26 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 2FECCE2A27;
	Tue, 13 Feb 2024 20:01:22 +0000 (UTC)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 019CFE2A12
	for <gentoo-dev@lists.gentoo.org>; Tue, 13 Feb 2024 20:01:21 +0000 (UTC)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-561f8b8c058so207326a12.0
        for <gentoo-dev@lists.gentoo.org>; Tue, 13 Feb 2024 12:01:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1707854480; x=1708459280; darn=lists.gentoo.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=n8Ob5pLDX7gbjZcc1HjQU/IWPoeK+dtMTTKUl4+Y8hI=;
        b=S+c+/0X1C4HC7kYl3PBZ4IEQmmcMlfiyFahViOxV8IPrd121CSbPVZ6mSpW/sYke4R
         6S6QL61hbzQvhqG4dAQkPL9GuIBLPigmnENSIzhkLWU4A3nTyEEpDy7WnxoSvhq9dce5
         wtN/SrU21FgYZJbd8oGt8Z5/KSDMjTxBHZzsEmAHyGm64a8ZHZER0c3J9ogRq7pDprEv
         jRz2HovMaptwQlvo2MhpEJSib4TmtY9mDkuu0fcYiLxSItRcP3ZMFi86/ddbWy/LFxcO
         8GIsi3tEhFJYsn7Xv0iT5FQxVm+AtzHxGdX2RFRE9QueQ2lOAeKQQQZ0AKabSvbn0Vus
         PcQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1707854480; x=1708459280;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=n8Ob5pLDX7gbjZcc1HjQU/IWPoeK+dtMTTKUl4+Y8hI=;
        b=ORXRHfQFc7FdD8PMQronUSOiDyNtD8S3c8l/8TjzRLZKJyt3EIz0D1BQ4syS2bNkbq
         Z5ZAlMlLM6Gt2koKSKy+81jjM8/gF+UM4ttHsZkrMlzR1hqYsXgXadzQeIbk2nh2KC+u
         phhC9YQswgvfpRN7qqy8Iak3wUqCpjHilmutPSrQZ6/xeUOmUyitMEgnN7+5qhVWDQAb
         iaJTD+2ECIIR0qNQ+qxkEsREpxwiJ3v4LGtQjb1KAdyJtANnbonSGl3h9AK9vTTGWYWx
         T98GfomINEv/RvZB/oFZfecbVFko4lqRklJQx4ON5/d5XA6YQkSZjjS5p3rBzdeUZtph
         06cA==
X-Gm-Message-State: AOJu0Yzl8Qh3JAUzT15ZnrECwx8wCW24JLFrFNS5V/WXEn/hsGIcw1VL
	94cJVEWcG7U0Nq/66Xwl11maEu+Omy+7Em+DjXn7VCYU/cWVEYcl5LWlvIaw7cANMgxYVwckdc3
	bz73PNjnKxxb9EGKCHEeX0Cwvd5DweyFrm8Y=
X-Google-Smtp-Source: AGHT+IE95VfBofnrC01ej0x+iTfNOC2hTayxwDVQLEZau8Da8yat1RdDIRR1QfEdNPtdRc04Dg4aXnLLcEb0DhOftv8=
X-Received: by 2002:a05:6402:1f49:b0:561:3b53:d0af with SMTP id
 9-20020a0564021f4900b005613b53d0afmr3230264edz.12.1707854480125; Tue, 13 Feb
 2024 12:01:20 -0800 (PST)
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
References: <CAGJwT=845Re0yGrwrdDKMHZt+=cFmLEcbpv5WBDatKt-adehyg@mail.gmail.com>
 <871q9jqphy.fsf@gentoo.org> <0ca8c68f-11e3-4a68-a857-bfd040e6b084@iodoru.org>
In-Reply-To: <0ca8c68f-11e3-4a68-a857-bfd040e6b084@iodoru.org>
From: Daniel Simionato <daniel.simionato@gmail.com>
Date: Tue, 13 Feb 2024 21:01:08 +0100
Message-ID: <CAGJwT=-KRRoCNCmToHGUfT5eeLj1virBGz61jZb=aSDgK_ZBeg@mail.gmail.com>
Subject: Re: [gentoo-dev] RFC: Setting default HOME_MODE in /etc/login.defs
To: gentoo-dev@lists.gentoo.org
Cc: Michael Vetter <jubalh@iodoru.org>
Content-Type: text/plain; charset="UTF-8"
X-Archives-Salt: 108c56ce-0c20-457a-b2f0-426af758335c
X-Archives-Hash: e39686816f7183c850499f52d388829e

Hi,
 the upstream PR was closed; this was the answer:

> No - distros like debian may get caught off guard. There's nothing wrong with downstreams patching their values in their deltas. We do not lightly make changes which change defaults.

https://github.com/shadow-maint/shadow/pull/946#issuecomment-1939667729

Have a nice day,
 Daniel

On Mon, 12 Feb 2024 at 21:16, Michael Vetter
<jubalh@iodoru.org> wrote:
>
> Hello,
>
> In case this mail is weirdly formatted please let me know. And if yes,
> please excuse me in advance.
>
> On 2/11/24 11:10, Sam James wrote:
> > Daniel Simionato <daniel.simionato@gmail.com> writes:
> >
> >> Hello,
> >>   I'd like to start a discussion regarding setting HOME_MODE by default in the /etc/login.defs file (owned by
> >> sys-apps/shadow package).
> >>
> >> Upstream keeps HOME_MODE commented:
> >> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
> >>
> >> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when
> >> creating a user home directory, otherwise the default UMASK will be used.
> >> Since the default umask is 022, keeping HOME_MODE unset will result in world-readable home directories created by useradd,
> >> which goes against security best practices.
> >>
> >> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH based distros, OpenSuse, ArchLinux all set it
> >> to 0700, Ubuntu has it at 0750. Debian and Gentoo are two exceptions, keeping the upstream value of HOME_MODE (although
> >> login.defs is changed in other ways).
> >>
> >> I previously made a PR on github where you can find more details (https://github.com/gentoo/gentoo/pull/35231), but as
> >> pointed in the comments this probably warrants some discussion beforehand.
> >>
> >> I can understand the argument against the change, which is keeping in sync with upstream and not risking changing the
> >> historic default behaviour of tools some users might rely upon.
> >>
> >> I do believe though there's merit in providing safer and secure defaults, so I would like HOME_MODE to have a safe
> >> default value for Gentoo and Gentoo based distros.
> > I'm in favour, although I'd be curious as to why upstream shadow don't
> > just set it. It would be interesting to see if the discussion already
> > happened there at some point (surely it has?) and find out their
> > reasoning. (But that's not a blocker for proceeding.)
> >
> > I want to hear more opinions first though. Thanks for raising this,
> > it's been in the back of my head.
>
>
> I'm in favour as well. And in openSUSE we did this as well.
>
> Honestly I don't remember any upstream discussion about this and have no
> idea why it was done this way.
>
> I see Daniel already created
> https://github.com/shadow-maint/shadow/pull/946 for upstream yesterday.
>
>
> Best,
>
> Michael
>
>
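
The precedence rule discussed in the thread (HOME_MODE is used when set, otherwise the home directory gets whatever mode UMASK leaves, so the upstream default of a commented HOME_MODE and UMASK 022 yields 0755) can be checked mechanically. The script below is an added example and is not code from this thread, from Gentoo's sys-apps/shadow package or from shadow-maint/shadow. It parses a login.defs file, reports the mode a new home directory would receive, and lists existing home directories that are readable by "other". The function names (logindefs_get, effective_home_mode, world_readable_homes), the sample login.defs files and the fallback to umask 022 when UMASK itself is absent are this example's own assumptions; the precedence rule is taken from the thread, not re-derived from useradd's source.

```shell
#!/bin/sh
# Added example, not code from the thread or from shadow-maint/shadow.
# Computes the mode useradd would give a freshly created home directory under
# a given login.defs, and audits a home parent directory for world-readable
# entries. Assumed rule (as described in the thread): HOME_MODE if set,
# otherwise 0777 with the UMASK bits cleared, with UMASK assumed to be 022
# when it is not present either.

# Print the value of the last uncommented KEY line in a login.defs file.
# "#HOME_MODE 0700" has "#HOME_MODE" as its first field, so a commented
# default is ignored exactly as useradd would ignore it.
logindefs_get() {
    awk -v key="$1" '$1 == key { v = $2 } END { if (v != "") print v }' "$2"
}

# Print, as four octal digits, the mode a new home directory would get.
effective_home_mode() {
    defs=$1
    hm=$(logindefs_get HOME_MODE "$defs")
    if [ -n "$hm" ]; then
        # HOME_MODE is applied verbatim when present (leading 0 forces octal).
        printf '%04o\n' "$(( 0$hm ))"
        return 0
    fi
    um=$(logindefs_get UMASK "$defs")
    [ -n "$um" ] || um=022        # assumed fallback when UMASK is unset too
    printf '%04o\n' "$(( 0777 & ~(0$um) ))"
}

# List immediate subdirectories of $1 (e.g. /home) that grant read to "other".
world_readable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -o+r | sort
}

# Demonstration on constructed files (not a real system configuration).
demo() {
    tmp=$(mktemp -d)
    # Upstream-style file: UMASK present, HOME_MODE left commented out.
    printf 'UMASK\t\t022\n#HOME_MODE\t0700\n' > "$tmp/weak.defs"
    # The setting proposed in the thread.
    printf 'UMASK\t\t022\nHOME_MODE\t0700\n' > "$tmp/fixed.defs"
    echo "weak.defs  -> $(effective_home_mode "$tmp/weak.defs")"    # 0755
    echo "fixed.defs -> $(effective_home_mode "$tmp/fixed.defs")"   # 0700

    # Two constructed home directories: one created under umask 022, one 0700.
    mkdir -p "$tmp/home/alice" "$tmp/home/bob"
    chmod 755 "$tmp/home/alice"
    chmod 700 "$tmp/home/bob"
    echo "world-readable under $tmp/home:"
    world_readable_homes "$tmp/home"                                  # .../alice
    rm -rf "$tmp"
}

demo
```

Running it against the real files is a matter of pointing effective_home_mode at /etc/login.defs and world_readable_homes at /home; the first tells you what the next useradd will do, the second what earlier invocations already left behind, since changing HOME_MODE does not touch existing directories.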