Re: [gentoo-dev] RFC: Setting default HOME_MODE in /etc/login.defs

[Daniel Simionato <daniel.simionato@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2486 bytes --]

The only previous upstream discussion I was able to find was this on the
pkg-shadow-devel:
https://marc.info/?l=pkg-shadow-devel&m=167120074926229&w=2(
(I don't think the unprivileged container limitation still applies, or at
least it doesn't on my user with a 700 /home)

I can see the argument for keeping the status quo, but I still think it's
better to err on the side of caution with default settings.
But I understand that my point of view might be skewed by personal
preference or by professional experience, so I appreciate the everyone
contributing their opinion.

I have opened a PR upstream to start discussion there
https://github.com/shadow-maint/shadow/pull/946 .

For reference, the concrete use case that put me onto this (
https://github.com/flatcar/Flatcar/issues/1353): provisioning users in
Flatcar through ignition (cloud-init like) at first boot time, even if in
the same config /etc/login.defs is changed, results in 755 home
directories. Some more comments in this PR
https://github.com/kubernetes-sigs/image-builder/pull/1400

The original PR that added HOME_MODE also refers generically to user bug
reports due to the many ways umask can be overriden:
https://github.com/shadow-maint/shadow/pull/208#issue-546914572

Thanks,
 Daniel


Il giorno dom 11 feb 2024 alle ore 11:53 Eray Aslan <eras@gentoo.org> ha
scritto:

> On Sun, Feb 11, 2024 at 10:10:13AM +0000, Sam James wrote:
> > I'm in favour, although I'd be curious as to why upstream shadow don't
> > just set it. It would be interesting to see if the discussion already
> > happened there at some point (surely it has?) and find out their
> > reasoning. (But that's not a blocker for proceeding.)
>
> I believe it is for historical reasons. Computer networks and terminals
> used to be much friendlier places.
>
> > I want to hear more opinions first though. Thanks for raising this,
> > it's been in the back of my head.
>
> Even though I do not really care either way, what problem exactly are we
> trying to solve? Better security is just too vague an argument. I can
> see the argument if we were selling to business (*cough*red hat*cough*)
> but on the other hand, an argument can also be made for keeping to the
> roots of computer networks and their naivete (keep information free and
> all that stuff). In this regard, it is telling that only debian and
> gentoo keep 022.
>
> Consider taking it upstream as someone else (ulm?) already mentioned in
> the discussion.
>
> Thanks
> --
> Eray
>
>

[-- Attachment #2: Type: text/html, Size: 3568 bytes --]