On Sun, 2024-02-11 at 10:06 +0000, Sam James wrote: > Michael Orlitzky <m...@gentoo.org> writes: > > > On Sat, 2024-02-10 at 17:57 +0100, Daniel Simionato wrote: > > > Hello, > > > I'd like to start a discussion regarding setting HOME_MODE by default in > > > the /etc/login.defs file (owned by sys-apps/shadow package). > > > > > > Upstream keeps HOME_MODE commented: > > > https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207 > > > > > > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, > > > they will use the specified permission when creating a user home > > > directory, > > > otherwise the default UMASK will be used. > > > Since the default umask is 022, keeping HOME_MODE unset will result in > > > home > > > readable home direct > > > > umask 022 is also egregious, changing it to 027 would kill two birds. > > But in lieu of that, yes. > > mgorny wrote in favour of this 13 years ago too: > https://blogs.gentoo.org/mgorny/2011/10/18/027-umask-a-compromise-between-security-and-simplicity/. > > It would be a bigger change and require us to do a lot of daily-driver > testing first though.
...and I've stopped using that a long time ago too because I kept messing permissions up. These days I just explicitly switch umask if I need something to be secure. -- Best regards, Michał Górny
signature.asc
Description: This is a digitally signed message part
