From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 51C5215815E for ; Sun, 11 Feb 2024 08:01:15 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 31D2BE2AD5; Sun, 11 Feb 2024 08:01:10 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id E5A81E2AD2 for ; Sun, 11 Feb 2024 08:01:09 +0000 (UTC) From: Ulrich Mueller To: Daniel Simionato Cc: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] RFC: Setting default HOME_MODE in /etc/login.defs In-Reply-To: (Daniel Simionato's message of "Sat, 10 Feb 2024 17:57:08 +0100") References: Date: Sun, 11 Feb 2024 09:00:59 +0100 Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Archives-Salt: ed184a68-eb60-4d40-aad6-ba552d9a9c87 X-Archives-Hash: 38f56b0c171b3630162cdaf9d9468cd3 --=-=-= Content-Type: text/plain >>>>> On Sat, 10 Feb 2024, Daniel Simionato wrote: > I'd like to start a discussion regarding setting HOME_MODE by default in > the /etc/login.defs file (owned by sys-apps/shadow package). > Upstream keeps HOME_MODE commented: > https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207 > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, > they will use the specified permission when creating a user home directory, > otherwise the default UMASK will be used. > Since the default umask is 022, keeping HOME_MODE unset will result in home > readable home directories created by useradd, which goes against security > best practices. > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH > based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at > 0750. Debian and Gentoo are two exceptions, keeping the upstream value of > HOME_MODE (although login.defs is changed in other ways). > I previously made a PR on github where you can find more details ( > https://github.com/gentoo/gentoo/pull/35231), but as pointed in the > comments this probably warrants some discussion beforehand. > I can understand the argument against the change, which is keeping in sync > with upstream and don't risk changing the historic default behaviour of > tools some users might rely upon. > I do believe though there's merit in providing safer and secure defaults, > so I would like HOME_MODE to have a safe default value for Gentoo and > Gentoo based distros. I see no strong argument either way. However, changing the default is somewhat intrusive, so I'd prefer staying with upstream. Also, are we aware of any breakage caused by this? As you've pointed out yourself, distros are inconsistent about it, i.e. not much guidance from there. Maybe upstream would be a better place for this discussion? Ulrich --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQFDBAEBCAAtFiEEtDnZ1O9xIP68rzDbUYgzUIhBXi4FAmXIfrsPHHVsbUBnZW50 b28ub3JnAAoJEFGIM1CIQV4urnAH/AjlKuXXsbMOyOWpr3b5crwi6YoTIBQeCuTY 3iwqR2SkbZwDrPyoqK2lRsV2ln4LV1nFOis5Cd1aHoDb/OrmOqqPaRUthF93qKKl cMgBUzMBFEXto3ECklmQ/5lzh/eDlUVEFQxZBShCa8CnProtwivogVIwGrKfcqOF GpUZVuopbJS/d4yTlhIDIj1flL7AOKFtP3aAZ5yZon57Bq7Z1TAWKN6sdcJHXA65 ZgNVxHjziPy8tCDyNwZieRX2OHnCff/LzJ8tQs7EIUUejJCTMCOHwCjdpABexe1o jlzisZ7J9DPwJiKPXwBLJ/GjLwqpW66YX2bR6eh5Ipoo9qPMF1I= =uL8s -----END PGP SIGNATURE----- --=-=-=--