On Fri, Dec 16, 2022 at 04:14:56PM +0300, Michael Tokarev wrote:
> On Fri, 16 Dec 2022 11:50:18 + debian user wrote:
> > Package: login
> > Version: 1:4.13+dfsg1-1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > X-Debbugs-Cc: r...@localhost.lan, Debian Security Team
> >
> >
> > Dear Maintainer,
> >
> > please uncomment the line in /etc/login.defs that currently says:
> >
> > #HOME_MODE 0700
> >
> > to say:
> >
> > HOME_MODE 0700
> >
> > The current setting makes user $HOME directories be created with
> > permissions where other users can read the contents by default.
>
> I tend to disagree, the default is just fine, all the sensitive
> data (e.g., .bash_history, .ssh/ etc.) is already protected, there's
> absolutely nothing wrong if the files in home dirs are accessible
> by default; for example, my users complain if they can't show content
> of their own files to other users by default. On the other hand,
> it is trivial to uncomment the HOME_MODE setting locally if the local
> policy is that users should be paranoid against each other. It is
> just as easy to set perms of your own home dir at any time, too.
>
> /mjt
Agreed with mjt. As an example, unprivileged containers cannot be
started if your subuids cannot at least 'x' $HOME. And in all the
systems I set up to share with family/friends I want to encourage,
not limit, sharing.
-serge
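
The trade-off discussed in this thread, as an added example that is not part of any of the messages above: it works out which mode useradd gives a new home directory from login.defs text, and what that mode lets users outside the owner and group do. The sample file contents are constructed; the code assumes the fallback documented in login.defs(5) (HOME_MODE unset means 0777 masked by UMASK, and UMASK unset means 022) and that no ACLs are in play.

```python
import re
import stat

# Constructed sample: the two relevant login.defs lines, with HOME_MODE
# commented out as in the bug report, and the variant the reporter asks for.
SAMPLE_DEFAULT = """\
UMASK           022
#HOME_MODE      0700
"""
SAMPLE_REQUESTED = SAMPLE_DEFAULT.replace("#HOME_MODE", "HOME_MODE")


def login_defs_value(text, key):
    """Return the last uncommented value for key, or None if it is not set."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        match = re.fullmatch(rf"{re.escape(key)}\s+(\S+)", line)
        if match:
            value = match.group(1)
    return value


def effective_home_mode(text):
    """Mode for new home directories: HOME_MODE if set, else 0777 & ~UMASK."""
    home_mode = login_defs_value(text, "HOME_MODE")
    if home_mode is not None:
        return int(home_mode, 8)
    umask = login_defs_value(text, "UMASK") or "022"  # assumed fallback
    return 0o777 & ~int(umask, 8)


def other_access(mode):
    """What users who are neither owner nor in the group can do with the dir."""
    return {
        "list": bool(mode & stat.S_IROTH),      # read the directory listing
        "traverse": bool(mode & stat.S_IXOTH),  # the 'x' a subuid needs on $HOME
    }


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("requested", SAMPLE_REQUESTED)):
        mode = effective_home_mode(text)
        print(f"{name}: {mode:04o} {other_access(mode)}")
```
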