The only previous upstream discussion I was able to find was this on the pkg-shadow-devel: https://marc.info/?l=pkg-shadow-devel&m=167120074926229&w=2( (I don't think the unprivileged container limitation still applies, or at least it doesn't on my user with a 700 /home)
I can see the argument for keeping the status quo, but I still think it's better to err on the side of caution with default settings. But I understand that my point of view might be skewed by personal preference or by professional experience, so I appreciate the everyone contributing their opinion. I have opened a PR upstream to start discussion there https://github.com/shadow-maint/shadow/pull/946 . For reference, the concrete use case that put me onto this ( https://github.com/flatcar/Flatcar/issues/1353): provisioning users in Flatcar through ignition (cloud-init like) at first boot time, even if in the same config /etc/login.defs is changed, results in 755 home directories. Some more comments in this PR https://github.com/kubernetes-sigs/image-builder/pull/1400 The original PR that added HOME_MODE also refers generically to user bug reports due to the many ways umask can be overriden: https://github.com/shadow-maint/shadow/pull/208#issue-546914572 Thanks, Daniel Il giorno dom 11 feb 2024 alle ore 11:53 Eray Aslan <[email protected]> ha scritto: > On Sun, Feb 11, 2024 at 10:10:13AM +0000, Sam James wrote: > > I'm in favour, although I'd be curious as to why upstream shadow don't > > just set it. It would be interesting to see if the discussion already > > happened there at some point (surely it has?) and find out their > > reasoning. (But that's not a blocker for proceeding.) > > I believe it is for historical reasons. Computer networks and terminals > used to be much friendlier places. > > > I want to hear more opinions first though. Thanks for raising this, > > it's been in the back of my head. > > Even though I do not really care either way, what problem exactly are we > trying to solve? Better security is just too vague an argument. I can > see the argument if we were selling to business (*cough*red hat*cough*) > but on the other hand, an argument can also be made for keeping to the > roots of computer networks and their naivete (keep information free and > all that stuff). In this regard, it is telling that only debian and > gentoo keep 022. > > Consider taking it upstream as someone else (ulm?) already mentioned in > the discussion. > > Thanks > -- > Eray > >
