Michael Orlitzky <[email protected]> writes:

> On Sat, 2024-02-10 at 17:57 +0100, Daniel Simionato wrote:
>> Hello,
>>  I'd like to start a discussion regarding setting HOME_MODE by default in
>> the /etc/login.defs file (owned by sys-apps/shadow package).
>> 
>> Upstream keeps HOME_MODE commented:
>> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
>> 
>> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
>> they will use the specified permission when creating a user home directory,
>> otherwise the default UMASK will be used.
>> Since the default umask is 022, keeping HOME_MODE unset will result in home
>> readable home direct
>
> umask 022 is also egregious, changing it to 027 would kill two birds.
> But in lieu of that, yes.

mgorny wrote in favour of this 13 years ago too:
https://blogs.gentoo.org/mgorny/2011/10/18/027-umask-a-compromise-between-security-and-simplicity/.

It would be a bigger change and require us to do a lot of daily-driver
testing first though.
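
The rule described in the quoted message (HOME_MODE if set, otherwise the UMASK), as an added shell example that is not part of the thread or of shadow itself. The function names and sample files are constructed for illustration, and the 022 fallback is the default umask stated above.

```shell
#!/bin/sh
# Added example, not from the thread: derive the mode useradd would apply to
# a new home directory from a login.defs-style file, per the rule quoted above.

# Print the last uncommented value of KEY in FILE (empty if unset).
# Taking the last assignment on duplicates is an assumption of this sketch.
defs_value() {
    awk -v key="$1" '$1 == key { v = $2 } END { print v }' "$2"
}

# HOME_MODE wins when set; otherwise 0777 masked by UMASK (022 if unset).
effective_home_mode() {
    hm=$(defs_value HOME_MODE "$1")
    um=$(defs_value UMASK "$1")
    if [ -n "$hm" ]; then
        printf '%04o\n' "$((0$hm))"
    else
        printf '%04o\n' "$((0777 & ~0${um:-022}))"
    fi
}

# Succeeds when "other" has any permission bit set in the given octal mode.
open_to_others() {
    [ "$((0$1 & 007))" -ne 0 ]
}

# Constructed sample files covering the three cases discussed in the thread.
demo_dir=$(mktemp -d)
printf '#HOME_MODE 0700\nUMASK 022\n' > "$demo_dir/upstream.defs"
printf 'HOME_MODE 0700\nUMASK 022\n'  > "$demo_dir/home_mode.defs"
printf '#HOME_MODE 0700\nUMASK 027\n' > "$demo_dir/umask027.defs"

for f in upstream home_mode umask027; do
    mode=$(effective_home_mode "$demo_dir/$f.defs")
    if open_to_others "$mode"; then note="readable by other users"
    else note="closed to other users"; fi
    printf '%-10s %s  %s\n' "$f" "$mode" "$note"
done
rm -rf "$demo_dir"
```

Pointing `effective_home_mode` at a real `/etc/login.defs` shows what the next `useradd` would produce; existing home directories keep whatever mode they already have.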
