From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 24D0715808B for ; Tue, 13 Feb 2024 20:01:26 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 2FECCE2A27; Tue, 13 Feb 2024 20:01:22 +0000 (UTC) Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 019CFE2A12 for ; Tue, 13 Feb 2024 20:01:21 +0000 (UTC) Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-561f8b8c058so207326a12.0 for ; Tue, 13 Feb 2024 12:01:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707854480; x=1708459280; darn=lists.gentoo.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=n8Ob5pLDX7gbjZcc1HjQU/IWPoeK+dtMTTKUl4+Y8hI=; b=S+c+/0X1C4HC7kYl3PBZ4IEQmmcMlfiyFahViOxV8IPrd121CSbPVZ6mSpW/sYke4R 6S6QL61hbzQvhqG4dAQkPL9GuIBLPigmnENSIzhkLWU4A3nTyEEpDy7WnxoSvhq9dce5 wtN/SrU21FgYZJbd8oGt8Z5/KSDMjTxBHZzsEmAHyGm64a8ZHZER0c3J9ogRq7pDprEv jRz2HovMaptwQlvo2MhpEJSib4TmtY9mDkuu0fcYiLxSItRcP3ZMFi86/ddbWy/LFxcO 8GIsi3tEhFJYsn7Xv0iT5FQxVm+AtzHxGdX2RFRE9QueQ2lOAeKQQQZ0AKabSvbn0Vus PcQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707854480; x=1708459280; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=n8Ob5pLDX7gbjZcc1HjQU/IWPoeK+dtMTTKUl4+Y8hI=; b=ORXRHfQFc7FdD8PMQronUSOiDyNtD8S3c8l/8TjzRLZKJyt3EIz0D1BQ4syS2bNkbq Z5ZAlMlLM6Gt2koKSKy+81jjM8/gF+UM4ttHsZkrMlzR1hqYsXgXadzQeIbk2nh2KC+u phhC9YQswgvfpRN7qqy8Iak3wUqCpjHilmutPSrQZ6/xeUOmUyitMEgnN7+5qhVWDQAb iaJTD+2ECIIR0qNQ+qxkEsREpxwiJ3v4LGtQjb1KAdyJtANnbonSGl3h9AK9vTTGWYWx T98GfomINEv/RvZB/oFZfecbVFko4lqRklJQx4ON5/d5XA6YQkSZjjS5p3rBzdeUZtph 06cA== X-Gm-Message-State: AOJu0Yzl8Qh3JAUzT15ZnrECwx8wCW24JLFrFNS5V/WXEn/hsGIcw1VL 94cJVEWcG7U0Nq/66Xwl11maEu+Omy+7Em+DjXn7VCYU/cWVEYcl5LWlvIaw7cANMgxYVwckdc3 bz73PNjnKxxb9EGKCHEeX0Cwvd5DweyFrm8Y= X-Google-Smtp-Source: AGHT+IE95VfBofnrC01ej0x+iTfNOC2hTayxwDVQLEZau8Da8yat1RdDIRR1QfEdNPtdRc04Dg4aXnLLcEb0DhOftv8= X-Received: by 2002:a05:6402:1f49:b0:561:3b53:d0af with SMTP id 9-20020a0564021f4900b005613b53d0afmr3230264edz.12.1707854480125; Tue, 13 Feb 2024 12:01:20 -0800 (PST) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 References: <871q9jqphy.fsf@gentoo.org> <0ca8c68f-11e3-4a68-a857-bfd040e6b084@iodoru.org> In-Reply-To: <0ca8c68f-11e3-4a68-a857-bfd040e6b084@iodoru.org> From: Daniel Simionato Date: Tue, 13 Feb 2024 21:01:08 +0100 Message-ID: Subject: Re: [gentoo-dev] RFC: Setting default HOME_MODE in /etc/login.defs To: gentoo-dev@lists.gentoo.org Cc: Michael Vetter Content-Type: text/plain; charset="UTF-8" X-Archives-Salt: 108c56ce-0c20-457a-b2f0-426af758335c X-Archives-Hash: e39686816f7183c850499f52d388829e Hi, the upstream PR was closed, this was the answer: > No - distros like debian may get caught off guard. There's nothing wrong with downstreams patching their values in their deltas. We do not lightly make changes which change defaults. https://github.com/shadow-maint/shadow/pull/946#issuecomment-1939667729 Have a nice day, Daniel Il giorno lun 12 feb 2024 alle ore 21:16 Michael Vetter ha scritto: > > Hello, > > In case this mail is weirdly formatted please let me know. And if yes, > please excuse me in advance.. > > On 2/11/24 11:10, Sam James wrote: > > Daniel Simionato writes: > > > >> Hello, > >> I'd like to start a discussion regarding setting HOME_MODE by default in the /etc/login.defs file (owned by > >> sys-apps/shadow package). > >> > >> Upstream keeps HOME_MODE commented: > >> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207 > >> > >> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when > >> creating a user home directory, otherwise the default UMASK will be used. > >> Since the default umask is 022, keeping HOME_MODE unset will result in home readable home directories created by useradd, > >> which goes against security best practices. > >> > >> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH based distros, OpenSuse, ArchLinux all set it > >> to 0700, Ubuntu has it at 0750. Debian and Gentoo are two exceptions, keeping the upstream value of HOME_MODE (although > >> login.defs is changed in other ways). > >> > >> I previously made a PR on github where you can find more details (https://github.com/gentoo/gentoo/pull/35231), but as > >> pointed in the comments this probably warrants some discussion beforehand. > >> > >> I can understand the argument against the change, which is keeping in sync with upstream and don't risk changing the > >> historic default behaviour of tools some users might rely upon. > >> > >> I do believe though there's merit in providing safer and secure defaults, so I would like HOME_MODE to have a safe > >> default value for Gentoo and Gentoo based distros. > > I'm in favour, although I'd be curious as to why upstream shadow don't > > just set it. It would be interesting to see if the discussion already > > happened there at some point (surely it has?) and find out their > > reasoning. (But that's not a blocker for proceeding.) > > > > I want to hear more opinions first though. Thanks for raising this, > > it's been in the back of my head. > > > I 'm in favour as well. And in openSUSE we did this as well. > > Honestly I don't remember any upstream discussion about this and have no > idea what it was done this way. > > I see Daniel already created > https://github.com/shadow-maint/shadow/pull/946 for upstream yesterday. > > > Best, > > Michael > >