On Sat, 2019-03-02 at 08:15 +0100, Ansgar wrote:
> I think this problem (having $HOME world-readable by default) should
> really be fixed...  In installations sharing $HOME between multiple
> users this means private data of all sorts (medical records, unpublished
> scientific articles, exam results, ...) can be accessed by /all/ users
> by default.  This seems a really bad idea.
> 
> Dear security team, should such issues get a CVE id?  If one follows the
> link from [1], one should contact the Debian security team to assign one
> (even though [1] says Debian won't assign one?).

Own opinion on this: I don't think it deserves a CVE but I'd be all for
changing the default. In 2019 I'd say most installations are single (human)
users but changing uids might be used for isolation between applications for
example.

Regards,
- -- 
Yves-Alexis