The only previous upstream discussion I was able to find was this on the pkg-shadow-devel: https://marc.info/?l=pkg-shadow-devel&m=167120074926229&w=2
(I don't think the unprivileged container limitation still applies, or at least it doesn't on my user with a 700 /home)

I can see the argument for keeping the status quo, but I still think it's better to err on the side of caution with default settings.
But I understand that my point of view might be skewed by personal preference or by professional experience, so I appreciate everyone contributing their opinion.

I have opened a PR upstream to start discussion there https://github.com/shadow-maint/shadow/pull/946 .

For reference, the concrete use case that put me onto this (https://github.com/flatcar/Flatcar/issues/1353): provisioning users in Flatcar through ignition (cloud-init-like) at first boot time, even if in the same config /etc/login.defs is changed, results in 755 home directories. Some more comments in this PR: https://github.com/kubernetes-sigs/image-builder/pull/1400

The original PR that added HOME_MODE also refers generically to user bug reports due to the many ways umask can be overridden: https://github.com/shadow-maint/shadow/pull/208#issue-546914572

Thanks,
 Daniel


On Sun, 11 Feb 2024 at 11:53, Eray Aslan <eras@gentoo.org> wrote:
On Sun, Feb 11, 2024 at 10:10:13AM +0000, Sam James wrote:
> I'm in favour, although I'd be curious as to why upstream shadow don't
> just set it. It would be interesting to see if the discussion already
> happened there at some point (surely it has?) and find out their
> reasoning. (But that's not a blocker for proceeding.)

I believe it is for historical reasons. Computer networks and terminals
used to be much friendlier places.

> I want to hear more opinions first though. Thanks for raising this,
> it's been in the back of my head.

Even though I do not really care either way, what problem exactly are we
trying to solve? Better security is just too vague an argument. I can
see the argument if we were selling to business (*cough*red hat*cough*)
but on the other hand, an argument can also be made for keeping to the
roots of computer networks and their naivete (keep information free and
all that stuff). In this regard, it is telling that only debian and
gentoo keep 022.

Consider taking it upstream as someone else (ulm?) already mentioned in
the discussion.

Thanks
--
Eray