Mailing List Archive

On Sat, Feb 10, 2024 at 05:57:08PM +0100, Daniel Simionato wrote:
> Hello,
> I'd like to start a discussion regarding setting HOME_MODE by default in
> the /etc/login.defs file (owned by sys-apps/shadow package).
>
> Upstream keeps HOME_MODE commented:
> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
>
> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
> they will use the specified permission when creating a user home directory,
> otherwise the default UMASK will be used.
> Since the default umask is 022, keeping HOME_MODE unset will result in home
> readable home directories created by useradd, which goes against security
> best practices.
>
> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH
> based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
> 0750. Debian and Gentoo are two exceptions, keeping the upstream value of
> HOME_MODE (although login.defs is changed in other ways).
>
> I previously made a PR on github where you can find more details (
> https://github.com/gentoo/gentoo/pull/35231), but as pointed in the
> comments this probably warrants some discussion beforehand.
>
> I can understand the argument against the change, which is keeping in sync
> with upstream and don't risk changing the historic default behaviour of
> tools some users might rely upon.
>
> I do believe though there's merit in providing safer and secure defaults,
> so I would like HOME_MODE to have a safe default value for Gentoo and
> Gentoo based distros.

Setting it to 0700 makes good sense to me, unless someone has some
good example of this breaking anything. Deviating from upstream
defaults in following other distributions isn't exactly treading new
ground for us. And it's easy for the administrator to change to suit
their liking anyway (hopefully covering the "keep the status quo"
class of objections).

> Have a nice day,
> Daniel

On Sat, 10 Feb 2024 at 23:52, John Helmert III <ajak@gentoo.org> wrote:
>
> On Sat, Feb 10, 2024 at 05:57:08PM +0100, Daniel Simionato wrote:
> > Hello,
> > I'd like to start a discussion regarding setting HOME_MODE by default in
> > the /etc/login.defs file (owned by sys-apps/shadow package).
> >
> > Upstream keeps HOME_MODE commented:
> > https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
> >
> > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
> > they will use the specified permission when creating a user home directory,
> > otherwise the default UMASK will be used.
> > Since the default umask is 022, keeping HOME_MODE unset will result in home
> > readable home directories created by useradd, which goes against security
> > best practices.
> >
> > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH
> > based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
> > 0750. Debian and Gentoo are two exceptions, keeping the upstream value of
> > HOME_MODE (although login.defs is changed in other ways).
> >
> > I previously made a PR on github where you can find more details (
> > https://github.com/gentoo/gentoo/pull/35231), but as pointed in the
> > comments this probably warrants some discussion beforehand.
> >
> > I can understand the argument against the change, which is keeping in sync
> > with upstream and don't risk changing the historic default behaviour of
> > tools some users might rely upon.
> >
> > I do believe though there's merit in providing safer and secure defaults,
> > so I would like HOME_MODE to have a safe default value for Gentoo and
> > Gentoo based distros.
>
> Setting it to 0700 makes good sense to me, unless someone has some
> good example of this breaking anything. Deviating from upstream
> defaults in following other distributions isn't exactly treading new
> ground for us. And it's easy for the administrator to change to suit
> their liking anyway (hopefully covering the "keep the status quo"
> class of objections).
>
> > Have a nice day,
> > Daniel

0700 should be the default as far as I'm concerned. 750 makes sense in
some environments, but in those environments a sysadmin should know
well enough to make the changes when it is useful. I never understood
why world readable was default on Gentoo.

On Sat, 2024-02-10 at 17:57 +0100, Daniel Simionato wrote:
> Hello,
> I'd like to start a discussion regarding setting HOME_MODE by default in
> the /etc/login.defs file (owned by sys-apps/shadow package).
>
> Upstream keeps HOME_MODE commented:
> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
>
> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
> they will use the specified permission when creating a user home directory,
> otherwise the default UMASK will be used.
> Since the default umask is 022, keeping HOME_MODE unset will result in home
> readable home direct

umask 022 is also egregious, changing it to 027 would kill two birds.
But in lieu of that, yes.

On 2/10/24 11:57 AM, Daniel Simionato wrote:
> Hello,
> I'd like to start a discussion regarding setting HOME_MODE by default in
> the /etc/login.defs file (owned by sys-apps/shadow package).
>
> Upstream keeps HOME_MODE commented:
> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
>
> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
> they will use the specified permission when creating a user home directory,
> otherwise the default UMASK will be used.
> Since the default umask is 022, keeping HOME_MODE unset will result in home
> readable home directories created by useradd, which goes against security
> best practices.
>
> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH
> based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
> 0750. Debian and Gentoo are two exceptions, keeping the upstream value of
> HOME_MODE (although login.defs is changed in other ways).
>
> I previously made a PR on github where you can find more details (
> https://github.com/gentoo/gentoo/pull/35231), but as pointed in the
> comments this probably warrants some discussion beforehand.
>
> I can understand the argument against the change, which is keeping in sync
> with upstream and don't risk changing the historic default behaviour of
> tools some users might rely upon.


As a config file, I think we can feel fine changing the defaults without
worrying about diverging from upstream, and sticking to worrying "is
this a good config value for us".

As far as the actual change goes...

Arguments in favor of keeping the existing default:

- "someone might be relying on it"
- security-sensitive software often sets a heavily restricted value for
this purpose already, e.g. ssh / gnupg
- sometimes it is necessary for other users to see your files, classic
example being ~/public_html


Arguments in favor of changing the default:

- managing files that should be private by changing their permissions is
tiresome, and not all private files are managed by "security-sensitive
software". If you're writing the next Great American Novel in
libreoffice on a shared user system, did you *know* you'd need to
protect it from your arch-enemy who hopes to read your homedir and
sell your novel instead of you?
- You can manage ~/public_html by using setfacl to give apache read
access to your entire home directory without granting it to everyone.
You're still vulnerable to complete information leakage of your home
directory to the apache user, but not also to the aforementioned
arch-enemy


Regarding which default to change to:

- someone who added another account to their user group probably did so
with the expectation that they'd be sharing files with that other
account, and 700 mode in particular feels like going against that


> I do believe though there's merit in providing safer and secure defaults,
> so I would like HOME_MODE to have a safe default value for Gentoo and
> Gentoo based distros.
>
> Have a nice day,
> Daniel
>

--
Eli Schwartz

On Sun, 11 Feb 2024 at 02:12, Eli Schwartz <eschwartz93@gmail.com> wrote:
<snip>
> - someone who added another account to their user group probably did so
> with the expectation that they'd be sharing files with that other
> account, and 700 mode in particular feels like going against that

This change of default would only affect creation of new
accounts/setup on new installs so anyone that already has another user
in their group would be unaffected. A notification on change of
default/updated documentation should be sufficient for people looking
to create accounts and give groups access to things in the future.

>>>>> On Sat, 10 Feb 2024, Daniel Simionato wrote:

> I'd like to start a discussion regarding setting HOME_MODE by default in
> the /etc/login.defs file (owned by sys-apps/shadow package).

> Upstream keeps HOME_MODE commented:
> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207

> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
> they will use the specified permission when creating a user home directory,
> otherwise the default UMASK will be used.
> Since the default umask is 022, keeping HOME_MODE unset will result in home
> readable home directories created by useradd, which goes against security
> best practices.

> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH
> based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
> 0750. Debian and Gentoo are two exceptions, keeping the upstream value of
> HOME_MODE (although login.defs is changed in other ways).

> I previously made a PR on github where you can find more details (
> https://github.com/gentoo/gentoo/pull/35231), but as pointed in the
> comments this probably warrants some discussion beforehand.

> I can understand the argument against the change, which is keeping in sync
> with upstream and don't risk changing the historic default behaviour of
> tools some users might rely upon.

> I do believe though there's merit in providing safer and secure defaults,
> so I would like HOME_MODE to have a safe default value for Gentoo and
> Gentoo based distros.

I see no strong argument either way. However, changing the default is
somewhat intrusive, so I'd prefer staying with upstream. Also, are we
aware of any breakage caused by this?

As you've pointed out yourself, distros are inconsistent about it,
i.e. not much guidance from there. Maybe upstream would be a better
place for this discussion?

Ulrich

On Sun, 2024-02-11 at 09:00 +0100, Ulrich Mueller wrote:
> > > > > > On Sat, 10 Feb 2024, Daniel Simionato wrote:
>
> >  I'd like to start a discussion regarding setting HOME_MODE by default in
> > the /etc/login.defs file (owned by sys-apps/shadow package).
>
> > Upstream keeps HOME_MODE commented:
> > https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
>
> > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
> > they will use the specified permission when creating a user home directory,
> > otherwise the default UMASK will be used.
> > Since the default umask is 022, keeping HOME_MODE unset will result in home
> > readable home directories created by useradd, which goes against security
> > best practices.
>
> > The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH
> > based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
> > 0750. Debian and Gentoo are two exceptions, keeping the upstream value of
> > HOME_MODE (although login.defs is changed in other ways).
>
> > I previously made a PR on github where you can find more details (
> > https://github.com/gentoo/gentoo/pull/35231), but as pointed in the
> > comments this probably warrants some discussion beforehand.
>
> > I can understand the argument against the change, which is keeping in sync
> > with upstream and don't risk changing the historic default behaviour of
> > tools some users might rely upon.
>
> > I do believe though there's merit in providing safer and secure defaults,
> > so I would like HOME_MODE to have a safe default value for Gentoo and
> > Gentoo based distros.
>
> I see no strong argument either way. However, changing the default is
> somewhat intrusive, so I'd prefer staying with upstream. Also, are we
> aware of any breakage caused by this?
>
> As you've pointed out yourself, distros are inconsistent about it,
> i.e. not much guidance from there. Maybe upstream would be a better
> place for this discussion?
>
> Ulrich

You may need 0701 if you have a web server reading from ~/public_html, but
that's uncommon. I've been using this for years without issue, but I think
0700 makes the most sense as the default.

Michael Orlitzky <mjo@gentoo.org> writes:

> On Sat, 2024-02-10 at 17:57 +0100, Daniel Simionato wrote:
>> Hello,
>> I'd like to start a discussion regarding setting HOME_MODE by default in
>> the /etc/login.defs file (owned by sys-apps/shadow package).
>>
>> Upstream keeps HOME_MODE commented:
>> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
>>
>> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
>> they will use the specified permission when creating a user home directory,
>> otherwise the default UMASK will be used.
>> Since the default umask is 022, keeping HOME_MODE unset will result in home
>> readable home direct
>
> umask 022 is also egregious, changing it to 027 would kill two birds.
> But in lieu of that, yes.

mgorny wrote in favour of this 13 years ago too:
https://blogs.gentoo.org/mgorny/2011/10/18/027-umask-a-compromise-between-security-and-simplicity/.

It would be a bigger change and require us to do a lot of daily-driver
testing first though.

Daniel Simionato <daniel.simionato@gmail.com> writes:

> Hello,
> I'd like to start a discussion regarding setting HOME_MODE by default in the /etc/login.defs file (owned by
> sys-apps/shadow package).
>
> Upstream keeps HOME_MODE commented:
> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
>
> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when
> creating a user home directory, otherwise the default UMASK will be used.
> Since the default umask is 022, keeping HOME_MODE unset will result in home readable home directories created by useradd,
> which goes against security best practices.
>
> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH based distros, OpenSuse, ArchLinux all set it
> to 0700, Ubuntu has it at 0750. Debian and Gentoo are two exceptions, keeping the upstream value of HOME_MODE (although
> login.defs is changed in other ways).
>
> I previously made a PR on github where you can find more details (https://github.com/gentoo/gentoo/pull/35231), but as
> pointed in the comments this probably warrants some discussion beforehand.
>
> I can understand the argument against the change, which is keeping in sync with upstream and don't risk changing the
> historic default behaviour of tools some users might rely upon.
>
> I do believe though there's merit in providing safer and secure defaults, so I would like HOME_MODE to have a safe
> default value for Gentoo and Gentoo based distros.

I'm in favour, although I'd be curious as to why upstream shadow don't
just set it. It would be interesting to see if the discussion already
happened there at some point (surely it has?) and find out their
reasoning. (But that's not a blocker for proceeding.)

I want to hear more opinions first though. Thanks for raising this,
it's been in the back of my head.

>
> Have a nice day,
> Daniel

best,
sam

On Sun, Feb 11, 2024 at 10:10:13AM +0000, Sam James wrote:
> I'm in favour, although I'd be curious as to why upstream shadow don't
> just set it. It would be interesting to see if the discussion already
> happened there at some point (surely it has?) and find out their
> reasoning. (But that's not a blocker for proceeding.)

I believe it is for historical reasons. Computer networks and terminals
used to be much friendlier places.

> I want to hear more opinions first though. Thanks for raising this,
> it's been in the back of my head.

Even though I do not really care either way, what problem exactly are we
trying to solve? Better security is just too vague an argument. I can
see the argument if we were selling to business (*cough*red hat*cough*)
but on the other hand, an argument can also be made for keeping to the
roots of computer networks and their naivete (keep information free and
all that stuff). In this regard, it is telling that only debian and
gentoo keep 022.

Consider taking it upstream as someone else (ulm?) already mentioned in
the discussion.

Thanks
--
Eray

The only previous upstream discussion I was able to find was this on the
pkg-shadow-devel:
https://marc.info/?l=pkg-shadow-devel&m=167120074926229&w=2(
(I don't think the unprivileged container limitation still applies, or at
least it doesn't on my user with a 700 /home)

I can see the argument for keeping the status quo, but I still think it's
better to err on the side of caution with default settings.
But I understand that my point of view might be skewed by personal
preference or by professional experience, so I appreciate the everyone
contributing their opinion.

I have opened a PR upstream to start discussion there
https://github.com/shadow-maint/shadow/pull/946 .

For reference, the concrete use case that put me onto this (
https://github.com/flatcar/Flatcar/issues/1353): provisioning users in
Flatcar through ignition (cloud-init like) at first boot time, even if in
the same config /etc/login.defs is changed, results in 755 home
directories. Some more comments in this PR
https://github.com/kubernetes-sigs/image-builder/pull/1400

The original PR that added HOME_MODE also refers generically to user bug
reports due to the many ways umask can be overriden:
https://github.com/shadow-maint/shadow/pull/208#issue-546914572

Thanks,
Daniel


Il giorno dom 11 feb 2024 alle ore 11:53 Eray Aslan <eras@gentoo.org> ha
scritto:

> On Sun, Feb 11, 2024 at 10:10:13AM +0000, Sam James wrote:
> > I'm in favour, although I'd be curious as to why upstream shadow don't
> > just set it. It would be interesting to see if the discussion already
> > happened there at some point (surely it has?) and find out their
> > reasoning. (But that's not a blocker for proceeding.)
>
> I believe it is for historical reasons. Computer networks and terminals
> used to be much friendlier places.
>
> > I want to hear more opinions first though. Thanks for raising this,
> > it's been in the back of my head.
>
> Even though I do not really care either way, what problem exactly are we
> trying to solve? Better security is just too vague an argument. I can
> see the argument if we were selling to business (*cough*red hat*cough*)
> but on the other hand, an argument can also be made for keeping to the
> roots of computer networks and their naivete (keep information free and
> all that stuff). In this regard, it is telling that only debian and
> gentoo keep 022.
>
> Consider taking it upstream as someone else (ulm?) already mentioned in
> the discussion.
>
> Thanks
> --
> Eray
>
>

On Sun, 2024-02-11 at 10:06 +0000, Sam James wrote:
> Michael Orlitzky <mjo@gentoo.org> writes:
>
> > On Sat, 2024-02-10 at 17:57 +0100, Daniel Simionato wrote:
> > > Hello,
> > > I'd like to start a discussion regarding setting HOME_MODE by default in
> > > the /etc/login.defs file (owned by sys-apps/shadow package).
> > >
> > > Upstream keeps HOME_MODE commented:
> > > https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
> > >
> > > HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
> > > they will use the specified permission when creating a user home directory,
> > > otherwise the default UMASK will be used.
> > > Since the default umask is 022, keeping HOME_MODE unset will result in home
> > > readable home direct
> >
> > umask 022 is also egregious, changing it to 027 would kill two birds.
> > But in lieu of that, yes.
>
> mgorny wrote in favour of this 13 years ago too:
> https://blogs.gentoo.org/mgorny/2011/10/18/027-umask-a-compromise-between-security-and-simplicity/.
>
> It would be a bigger change and require us to do a lot of daily-driver
> testing first though.

...and I've stopped using that a long time ago too because I kept
messing permissions up. These days I just explicitly switch umask if I
need something to be secure.

--
Best regards,
Micha? Górny

Daniel Simionato <daniel.simionato@gmail.com> writes:

> Hello,
> I'd like to start a discussion regarding setting HOME_MODE by default in
> the /etc/login.defs file (owned by sys-apps/shadow package).
>
> Upstream keeps HOME_MODE commented:
> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
>
> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set,
> they will use the specified permission when creating a user home directory,
> otherwise the default UMASK will be used.
> Since the default umask is 022, keeping HOME_MODE unset will result in home
> readable home directories created by useradd, which goes against security
> best practices.
>
> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH
> based distros, OpenSuse, ArchLinux all set it to 0700, Ubuntu has it at
> 0750. Debian and Gentoo are two exceptions, keeping the upstream value of
> HOME_MODE (although login.defs is changed in other ways).
>
> I previously made a PR on github where you can find more details (
> https://github.com/gentoo/gentoo/pull/35231), but as pointed in the
> comments this probably warrants some discussion beforehand.
>
> I can understand the argument against the change, which is keeping in sync
> with upstream and don't risk changing the historic default behaviour of
> tools some users might rely upon.
>
> I do believe though there's merit in providing safer and secure defaults,
> so I would like HOME_MODE to have a safe default value for Gentoo and
> Gentoo based distros.
>
> Have a nice day,
> Daniel

+1 for 0700. I also like the umask suggestions.
--
Arsen Arsenovi?

Hi,
the upstream PR was closed, this was the answer:

> No - distros like debian may get caught off guard. There's nothing wrong with downstreams patching their values in their deltas. We do not lightly make changes which change defaults.

https://github.com/shadow-maint/shadow/pull/946#issuecomment-1939667729

Have a nice day,
Daniel

Il giorno lun 12 feb 2024 alle ore 21:16 Michael Vetter
<jubalh@iodoru.org> ha scritto:
>
> Hello,
>
> In case this mail is weirdly formatted please let me know. And if yes,
> please excuse me in advance..
>
> On 2/11/24 11:10, Sam James wrote:
> > Daniel Simionato <daniel.simionato@gmail.com> writes:
> >
> >> Hello,
> >> I'd like to start a discussion regarding setting HOME_MODE by default in the /etc/login.defs file (owned by
> >> sys-apps/shadow package).
> >>
> >> Upstream keeps HOME_MODE commented:
> >> https://github.com/shadow-maint/shadow/blob/3e59e9613ec40c51c19c7bb5c28468e33a4529d5/etc/login.defs#L207
> >>
> >> HOME_MODE affects only useradd and newuser commands: if HOME_MODE is set, they will use the specified permission when
> >> creating a user home directory, otherwise the default UMASK will be used.
> >> Since the default umask is 022, keeping HOME_MODE unset will result in home readable home directories created by useradd,
> >> which goes against security best practices.
> >>
> >> The proposal is to set HOME_MODE to 0700, or at least 0750: RedHat and RH based distros, OpenSuse, ArchLinux all set it
> >> to 0700, Ubuntu has it at 0750. Debian and Gentoo are two exceptions, keeping the upstream value of HOME_MODE (although
> >> login.defs is changed in other ways).
> >>
> >> I previously made a PR on github where you can find more details (https://github.com/gentoo/gentoo/pull/35231), but as
> >> pointed in the comments this probably warrants some discussion beforehand.
> >>
> >> I can understand the argument against the change, which is keeping in sync with upstream and don't risk changing the
> >> historic default behaviour of tools some users might rely upon.
> >>
> >> I do believe though there's merit in providing safer and secure defaults, so I would like HOME_MODE to have a safe
> >> default value for Gentoo and Gentoo based distros.
> > I'm in favour, although I'd be curious as to why upstream shadow don't
> > just set it. It would be interesting to see if the discussion already
> > happened there at some point (surely it has?) and find out their
> > reasoning. (But that's not a blocker for proceeding.)
> >
> > I want to hear more opinions first though. Thanks for raising this,
> > it's been in the back of my head.
>
>
> I 'm in favour as well. And in openSUSE we did this as well.
>
> Honestly I don't remember any upstream discussion about this and have no
> idea what it was done this way.
>
> I see Daniel already created
> https://github.com/shadow-maint/shadow/pull/946 for upstream yesterday.
>
>
> Best,
>
> Michael
>
>