• Re: [gentoo-dev] RFC: Setting default HOME_MODE in /etc/login.defs

    From John Helmert III@21:1/5 to Daniel Simionato on Sun Feb 11 01:00:01 2024
    On Sat, Feb 10, 2024 at 05:57:08PM +0100, Daniel Simionato wrote:
    > Hello,
    > I'd like to start a discussion regarding setting HOME_MODE by default in
    > the /etc/login.defs file (owned by sys-apps/shadow package).
    >
    > Upstream keeps HOME_MODE commented: https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
    >
    > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when creating a user home directory, otherwise the default UMASK will be used.
    > Since the default umask is 022, keeping HOME_MODE unset will result in home readable home directories created by useradd, which goes against security best practices.
    >
    > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
    > 0750. Debian and Gentoo are two exceptions, keeping the upstream value of HOME_MODE (although login.defs is changed in other ways).
    >
    > I previously made a PR on github where you can find more details (https://github.com/gentoo/gentoo/pull/35231), but as pointed in the
    > comments this probably warrants some discussion beforehand.
    >
    > I can understand the argument against the change, which is keeping in sync with upstream and don't risk changing the historic default behaviour of
    > tools some users might rely upon.
    >
    > I do believe though there's merit in providing safer and secure defaults,
    > so I would like HOME_MODE to have a safe default value for Gentoo and
    > Gentoo based distros.

    Setting it to 0700 makes good sense to me, unless someone has some
    good example of this breaking anything. Deviating from upstream
    defaults in following other distributions isn't exactly treading new
    ground for us. And it's easy for the administrator to change to suit
    their liking anyway (hopefully covering the "keep the status quo"
    class of objections).

    > Have a nice day,
    > Daniel


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
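    The rule discussed in this thread (HOME_MODE wins when set, otherwise useradd derives the home directory mode from UMASK) as an added example that is not code from the thread or from shadow. The login.defs fragments and the directory listing are constructed for the example; the 027 case covers the umask suggestion raised later in the thread.

```python
import stat

# Constructed login.defs fragments (assumptions for this example, not the
# shipped Gentoo or upstream file): upstream's state with HOME_MODE commented
# out, and the change proposed in the thread.
UPSTREAM_LOGIN_DEFS = """\
# HOME_MODE 0700
UMASK 022
"""
PROPOSED_LOGIN_DEFS = """\
HOME_MODE 0700
UMASK 022
"""

def parse_login_defs(text):
    """Return {KEY: value} for active `KEY value` lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings

def effective_home_mode(settings):
    """Mode useradd gives a new home: HOME_MODE if set, else 0777 & ~UMASK."""
    if "HOME_MODE" in settings:
        return int(settings["HOME_MODE"], 8)
    umask = int(settings.get("UMASK", "022"), 8)  # 022 is the upstream default
    return 0o777 & ~umask

def exposure(mode):
    """Who, besides the owner, can list a directory with this mode."""
    if mode & stat.S_IROTH:
        return "world-readable"
    if mode & stat.S_IRGRP:
        return "group-readable"
    return "owner-only"

def audit_homes(entries, allowed=0o700):
    """Return paths whose permission bits exceed `allowed` (modes as os.stat gives them)."""
    return [path for path, mode in entries if (mode & 0o777) & ~allowed]

if __name__ == "__main__":
    cases = (("upstream", UPSTREAM_LOGIN_DEFS), ("proposed", PROPOSED_LOGIN_DEFS),
             ("umask 027", "UMASK 027\n"))  # the umask alternative raised in the thread
    for name, text in cases:
        mode = effective_home_mode(parse_login_defs(text))
        print(f"{name}: new homes get {mode:04o} ({exposure(mode)})")
    # Constructed listing standing in for os.stat() results under /home.
    sample = [("/home/alice", 0o755), ("/home/bob", 0o700), ("/home/carol", 0o750)]
    print("exceeding 0700:", audit_homes(sample))
```

    Existing home directories are not touched by a login.defs change, so the audit function is the part an administrator would run after flipping the default.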
  • From Alex Boag-Munroe@21:1/5 to John Helmert III on Sun Feb 11 02:10:01 2024
    On Sat, 10 Feb 2024 at 23:52, John Helmert III <[email protected]> wrote:

    > On Sat, Feb 10, 2024 at 05:57:08PM +0100, Daniel Simionato wrote:
    > > Hello,
    > > I'd like to start a discussion regarding setting HOME_MODE by default in the /etc/login.defs file (owned by sys-apps/shadow package).
    > >
    > > Upstream keeps HOME_MODE commented: https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
    > >
    > > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when creating a user home directory, otherwise the default UMASK will be used.
    > > Since the default umask is 022, keeping HOME_MODE unset will result in home readable home directories created by useradd, which goes against security best practices.
    > >
    > > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at 0750. Debian and Gentoo are two exceptions, keeping the upstream value of HOME_MODE (although login.defs is changed in other ways).
    > >
    > > I previously made a PR on github where you can find more details (https://github.com/gentoo/gentoo/pull/35231), but as pointed in the comments this probably warrants some discussion beforehand.
    > >
    > > I can understand the argument against the change, which is keeping in sync with upstream and don't risk changing the historic default behaviour of tools some users might rely upon.
    > >
    > > I do believe though there's merit in providing safer and secure defaults, so I would like HOME_MODE to have a safe default value for Gentoo and Gentoo based distros.
    >
    > Setting it to 0700 makes good sense to me, unless someone has some
    > good example of this breaking anything. Deviating from upstream
    > defaults in following other distributions isn't exactly treading new
    > ground for us. And it's easy for the administrator to change to suit
    > their liking anyway (hopefully covering the "keep the status quo"
    > class of objections).
    >
    > > Have a nice day,
    > > Daniel

    0700 should be the default as far as I'm concerned. 750 makes sense in
    some environments, but in those environments a sysadmin should know
    well enough to make the changes when it is useful. I never understood
    why world readable was default on Gentoo.

  • From Alex Boag-Munroe@21:1/5 to Eli Schwartz on Sun Feb 11 03:30:01 2024
    On Sun, 11 Feb 2024 at 02:12, Eli Schwartz <[email protected]> wrote: <snip>
    > - someone who added another account to their user group probably did so
    > with the expectation that they'd be sharing files with that other
    > account, and 700 mode in particular feels like going against that

    This change of default would only affect creation of new
    accounts/setup on new installs so anyone that already has another user
    in their group would be unaffected. A notification on change of
    default/updated documentation should be sufficient for people looking
    to create accounts and give groups access to things in the future.

  • From Ulrich Mueller@21:1/5 to All on Sun Feb 11 09:10:01 2024
    On Sat, 10 Feb 2024, Daniel Simionato wrote:

    > I'd like to start a discussion regarding setting HOME_MODE by default in
    > the /etc/login.defs file (owned by sys-apps/shadow package).
    >
    > Upstream keeps HOME_MODE commented: https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
    >
    > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when creating a user home directory, otherwise the default UMASK will be used.
    > Since the default umask is 022, keeping HOME_MODE unset will result in home readable home directories created by useradd, which goes against security best practices.
    >
    > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
    > 0750. Debian and Gentoo are two exceptions, keeping the upstream value of HOME_MODE (although login.defs is changed in other ways).
    >
    > I previously made a PR on github where you can find more details (https://github.com/gentoo/gentoo/pull/35231), but as pointed in the
    > comments this probably warrants some discussion beforehand.
    >
    > I can understand the argument against the change, which is keeping in sync with upstream and don't risk changing the historic default behaviour of
    > tools some users might rely upon.
    >
    > I do believe though there's merit in providing safer and secure defaults,
    > so I would like HOME_MODE to have a safe default value for Gentoo and
    > Gentoo based distros.

    I see no strong argument either way. However, changing the default is
    somewhat intrusive, so I'd prefer staying with upstream. Also, are we
    aware of any breakage caused by this?

    As you've pointed out yourself, distros are inconsistent about it,
    i.e. not much guidance from there. Maybe upstream would be a better
    place for this discussion?

    Ulrich


  • From Sam James@21:1/5 to Daniel Simionato on Sun Feb 11 11:20:01 2024
    Daniel Simionato <[email protected]> writes:

    > Hello,
    > I'd like to start a discussion regarding setting HOME_MODE by default in the /etc/login.defs file (owned by
    > sys-apps/shadow package).
    >
    > Upstream keeps HOME_MODE commented: https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
    >
    > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when
    > creating a user home directory, otherwise the default UMASK will be used. Since the default umask is 022, keeping HOME_MODE unset will result in home readable home directories created by useradd,
    > which goes against security best practices.
    >
    > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH based distros, OpenSuse, ArchLinux all set it
    > to 0700, Ubuntu has it at 0750. Debian and Gentoo are two exceptions, keeping the upstream value of HOME_MODE (although
    > login.defs is changed in other ways).
    >
    > I previously made a PR on github where you can find more details (https://github.com/gentoo/gentoo/pull/35231), but as
    > pointed in the comments this probably warrants some discussion beforehand.
    >
    > I can understand the argument against the change, which is keeping in sync with upstream and don't risk changing the
    > historic default behaviour of tools some users might rely upon.
    >
    > I do believe though there's merit in providing safer and secure defaults, so I would like HOME_MODE to have a safe
    > default value for Gentoo and Gentoo based distros.

    I'm in favour, although I'd be curious as to why upstream shadow don't
    just set it. It would be interesting to see if the discussion already
    happened there at some point (surely it has?) and find out their
    reasoning. (But that's not a blocker for proceeding.)

    I want to hear more opinions first though. Thanks for raising this,
    it's been in the back of my head.


    > Have a nice day,
    > Daniel

    best,
    sam


  • From Sam James@21:1/5 to Michael Orlitzky on Sun Feb 11 11:20:01 2024
    Michael Orlitzky <[email protected]> writes:

    > On Sat, 2024-02-10 at 17:57 +0100, Daniel Simionato wrote:
    > > Hello,
    > > I'd like to start a discussion regarding setting HOME_MODE by default in
    > > the /etc/login.defs file (owned by sys-apps/shadow package).
    > >
    > > Upstream keeps HOME_MODE commented:
    > > https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
    > >
    > > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
    > > they will use the specified permission when creating a user home directory,
    > > otherwise the default UMASK will be used.
    > > Since the default umask is 022, keeping HOME_MODE unset will result in home
    > > readable home direct
    >
    > umask 022 is also egregious, changing it to 027 would kill two birds.
    > But in lieu of that, yes.

    mgorny wrote in favour of this 13 years ago too: https://blogs.gentoo.org/mgorny/2011/10/18/027-umask-a-compromise-between-security-and-simplicity/.

    It would be a bigger change and require us to do a lot of daily-driver
    testing first though.


  • From Eray Aslan@21:1/5 to Sam James on Sun Feb 11 12:00:01 2024
    On Sun, Feb 11, 2024 at 10:10:13AM +0000, Sam James wrote:
    > I'm in favour, although I'd be curious as to why upstream shadow don't
    > just set it. It would be interesting to see if the discussion already happened there at some point (surely it has?) and find out their
    > reasoning. (But that's not a blocker for proceeding.)

    I believe it is for historical reasons. Computer networks and terminals
    used to be much friendlier places.

    > I want to hear more opinions first though. Thanks for raising this,
    > it's been in the back of my head.

    Even though I do not really care either way, what problem exactly are we
    trying to solve? Better security is just too vague an argument. I can
    see the argument if we were selling to business (*cough*red hat*cough*)
    but on the other hand, an argument can also be made for keeping to the
    roots of computer networks and their naivete (keep information free and
    all that stuff). In this regard, it is telling that only debian and
    gentoo keep 022.

    Consider taking it upstream as someone else (ulm?) already mentioned in
    the discussion.

    Thanks
    --
    Eray

  • From Michał Górny@21:1/5 to Sam James on Sun Feb 11 14:10:01 2024
    On Sun, 2024-02-11 at 10:06 +0000, Sam James wrote:
    > Michael Orlitzky <[email protected]> writes:
    >
    > > On Sat, 2024-02-10 at 17:57 +0100, Daniel Simionato wrote:
    > > > Hello,
    > > > I'd like to start a discussion regarding setting HOME_MODE by default in the /etc/login.defs file (owned by sys-apps/shadow package).
    > > >
    > > > Upstream keeps HOME_MODE commented: https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
    > > >
    > > > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when creating a user home directory,
    > > > otherwise the default UMASK will be used.
    > > > Since the default umask is 022, keeping HOME_MODE unset will result in home
    > > > readable home direct
    > >
    > > umask 022 is also egregious, changing it to 027 would kill two birds.
    > > But in lieu of that, yes.
    >
    > mgorny wrote in favour of this 13 years ago too: https://blogs.gentoo.org/mgorny/2011/10/18/027-umask-a-compromise-between-security-and-simplicity/.
    >
    > It would be a bigger change and require us to do a lot of daily-driver testing first though.

    ...and I've stopped using that a long time ago too because I kept
    messing permissions up. These days I just explicitly switch umask if I
    need something to be secure.

    --
    Best regards,
    Michał Górny



  • From Arsen Arsenović@21:1/5 to Daniel Simionato on Sun Feb 11 14:40:01 2024
    Daniel Simionato <[email protected]> writes:

    > Hello,
    > I'd like to start a discussion regarding setting HOME_MODE by default in
    > the /etc/login.defs file (owned by sys-apps/shadow package).
    >
    > Upstream keeps HOME_MODE commented: https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
    >
    > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when creating a user home directory, otherwise the default UMASK will be used.
    > Since the default umask is 022, keeping HOME_MODE unset will result in home readable home directories created by useradd, which goes against security best practices.
    >
    > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
    > 0750. Debian and Gentoo are two exceptions, keeping the upstream value of HOME_MODE (although login.defs is changed in other ways).
    >
    > I previously made a PR on github where you can find more details (https://github.com/gentoo/gentoo/pull/35231), but as pointed in the
    > comments this probably warrants some discussion beforehand.
    >
    > I can understand the argument against the change, which is keeping in sync with upstream and don't risk changing the historic default behaviour of
    > tools some users might rely upon.
    >
    > I do believe though there's merit in providing safer and secure defaults,
    > so I would like HOME_MODE to have a safe default value for Gentoo and
    > Gentoo based distros.
    >
    > Have a nice day,
    > Daniel

    +1 for 0700. I also like the umask suggestions.
    --
    Arsen Arsenović

