Hi,
 the upstream PR was closed, this was the answer:

> No - distros like debian may get caught off guard. There's nothing wrong with 
> downstreams patching their values in their deltas. We do not lightly make 
> changes which change defaults.

https://github.com/shadow-maint/shadow/pull/946#issuecomment-1939667729

Have a nice day,
 Daniel

On Mon, 12 Feb 2024 at 21:16, Michael Vetter
<[email protected]> wrote:
>
> Hello,
>
> In case this mail is weirdly formatted please let me know. And if yes,
> please excuse me in advance..
>
> On 2/11/24 11:10, Sam James wrote:
> > Daniel Simionato <[email protected]> writes:
> >
> >> Hello,
> >>   I'd like to start a discussion regarding setting HOME_MODE by default in 
> >> the /etc/login.defs file (owned by
> >> sys-apps/shadow package).
> >>
> >> Upstream keeps HOME_MODE commented:
> >> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
> >>
> >> HOME_MODE affects only the useradd and newusers commands: if HOME_MODE is set, 
> >> they will use the specified permission when
> >> creating a user home directory, otherwise the default UMASK will be used.
> >> Since the default umask is 022, keeping HOME_MODE unset will result in 
> >> world-readable home directories created by useradd,
> >> which goes against security best practices.
> >>
> >> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH 
> >> based distros, OpenSuse, ArchLinux all set it
> >> to 0700, Ubuntu has it at 0750. Debian and Gentoo are two exceptions, 
> >> keeping the upstream value of HOME_MODE (although
> >> login.defs is changed in other ways).
> >>
> >> I previously made a PR on github where you can find more details 
> >> (https://github.com/gentoo/gentoo/pull/35231), but as
> >> pointed in the comments this probably warrants some discussion beforehand.
> >>
> >> I can understand the argument against the change, which is keeping in sync 
> >> with upstream and not risking changing the
> >> historic default behaviour of tools some users might rely upon.
> >>
> >> I do believe though there's merit in providing safer and secure defaults, 
> >> so I would like HOME_MODE to have a safe
> >> default value for Gentoo and Gentoo based distros.
> > I'm in favour, although I'd be curious as to why upstream shadow don't
> > just set it. It would be interesting to see if the discussion already
> > happened there at some point (surely it has?) and find out their
> > reasoning. (But that's not a blocker for proceeding.)
> >
> > I want to hear more opinions first though. Thanks for raising this,
> > it's been in the back of my head.
>
>
> I'm in favour as well. And in openSUSE we did this as well.
>
> Honestly I don't remember any upstream discussion about this and have no
> idea why it was done this way.
>
> I see Daniel already created
> https://github.com/shadow-maint/shadow/pull/946 for upstream yesterday.
>
>
> Best,
>
> Michael
>
>

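As an added illustration of the point under discussion (this script is not part of the thread, nor of shadow or Gentoo), the following POSIX sh helper reads login.defs text and prints the mode useradd will give a new home directory: HOME_MODE when it is set, otherwise 0777 & ~UMASK, with UMASK falling back to 022 when that key is absent too. The function names (last_value, effective_home_mode, home_mode_from_string) and the two sample login.defs fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from shadow: compute the mode
# useradd gives a new home directory under a given login.defs.
# Rule (from shadow's useradd): HOME_MODE if set, else 0777 & ~UMASK,
# and UMASK itself defaults to 022 when the key is missing.

# last_value KEY: print the value of the last uncommented "KEY value"
# line read from stdin; prints nothing if the key is absent or commented.
last_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([0-7]\{1,\}\).*/\1/p" | tail -n 1
}

# effective_home_mode: login.defs text on stdin -> four-digit octal mode
effective_home_mode() {
    defs=$(cat)
    home_mode=$(printf '%s\n' "$defs" | last_value HOME_MODE)
    umask_val=$(printf '%s\n' "$defs" | last_value UMASK)
    if [ -n "$home_mode" ]; then
        # leading 0 forces octal whether the file says 700 or 0700
        printf '%04o\n' "$(( 0$home_mode ))"
    else
        [ -n "$umask_val" ] || umask_val=022   # shadow's built-in default
        printf '%04o\n' "$(( 0777 & ~0$umask_val ))"
    fi
}

# Convenience wrapper so the samples below can be passed as strings.
home_mode_from_string() {
    printf '%s\n' "$1" | effective_home_mode
}

# Constructed samples (hypothetical login.defs fragments): the upstream-style
# file keeps HOME_MODE commented out, the hardened one sets it to 0700.
UPSTREAM_DEFS='UMASK 022
#HOME_MODE 0700'
HARDENED_DEFS='UMASK 022
HOME_MODE 0700'

printf 'HOME_MODE commented: %s\n' "$(home_mode_from_string "$UPSTREAM_DEFS")"
printf 'HOME_MODE 0700:      %s\n' "$(home_mode_from_string "$HARDENED_DEFS")"

# Audit the running system when /etc/login.defs is readable: flag any mode
# that grants "other" users any access to freshly created home directories.
if [ -r /etc/login.defs ]; then
    mode=$(effective_home_mode < /etc/login.defs)
    if [ "$(( 0$mode & 0007 ))" -ne 0 ]; then
        echo "WARN: new home directories get $mode; set HOME_MODE 0700 (or 0750) in /etc/login.defs"
    else
        echo "OK: new home directories get $mode"
    fi
fi
```

Run it as-is to see the two sample results (0755 for the commented-out upstream default, 0700 for the hardened file); on a real host it also reports what the local /etc/login.defs would produce. Note that HOME_MODE only governs directories created by useradd and newusers, so existing home directories are not changed by editing the file.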