[Pkg-shadow-devel] Bug#1026213: login: $HOME created as 0755 by default
Michael Tokarev
mjt at tls.msk.ru
Fri Dec 16 13:14:56 GMT 2022
On Fri, 16 Dec 2022 11:50:18 +0000 debian user <debian.user at gmail.com> wrote:
> Package: login
> Version: 1:4.13+dfsg1-1
> Severity: grave
> Tags: security
> Justification: user security hole
> X-Debbugs-Cc: root at localhost.lan, Debian Security Team <team at security.debian.org>
>
> Dear Maintainer,
>
> please uncomment the line in /etc/login.defs that currently says:
>
> #HOME_MODE 0700
>
> to say:
>
> HOME_MODE 0700
>
> The current setting makes user $HOME directories be created with
> permissions where other users can read the contents by default.

I tend to disagree: the default is just fine. All the sensitive
data (e.g., .bash_history, .ssh/, etc.) is already protected, and there's
absolutely nothing wrong if the files in home dirs are accessible
by default. For example, my users complain if they can't show the content
of their own files to other users by default. On the other hand,
it is trivial to uncomment the HOME_MODE setting locally if the local
policy is that users should be paranoid against each other. It is
just as easy to set the perms of your own home dir at any time, too.

/mjt
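
The setting debated in this thread, as an added example that is not part of either message: it computes the mode a new home directory gets from a login.defs-style file (HOME_MODE if set, otherwise derived from UMASK as login.defs(5) documents) and lists existing homes that grant access to other users. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the demo at the end runs on constructed files in a temporary directory.

# Value of the last uncommented KEY line in a login.defs-style file.
# Assumption: when a key is repeated, the last occurrence wins.
defs_value() {  # $1 = file, $2 = key
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Mode a new home directory gets: HOME_MODE if set, otherwise 0777 & ~UMASK
# (login.defs(5); UMASK itself defaults to 022 when absent).
effective_home_mode() {  # $1 = file
    m=$(defs_value "$1" HOME_MODE)
    if [ -z "$m" ]; then
        u=$(defs_value "$1" UMASK)
        printf '%04o\n' $(( 0777 & ~0${u:-022} ))
    else
        printf '%04o\n' $(( 0$m ))
    fi
}

# Print home directories under $1 that grant "other" read or search access.
other_accessible_homes() {  # $1 = base directory such as /home
    for d in "$1"/*/; do
        d=${d%/}
        if [ -d "$d" ] && [ ! -L "$d" ]; then
            find "$d" -prune \( -perm -004 -o -perm -001 \) -print
        fi
    done
}

# Demo on constructed input: the shipped default next to the requested change.
demo=$(mktemp -d)
printf '%s\n' 'UMASK 022' '#HOME_MODE 0700' > "$demo/default.defs"
printf '%s\n' 'UMASK 022' 'HOME_MODE 0700'  > "$demo/hardened.defs"
mkdir "$demo/alice" "$demo/bob"
chmod 0755 "$demo/alice"; chmod 0700 "$demo/bob"
echo "default:  $(effective_home_mode "$demo/default.defs")"
echo "hardened: $(effective_home_mode "$demo/hardened.defs")"
echo "other-accessible: $(other_accessible_homes "$demo")"
rm -rf "$demo"
```

HOME_MODE only affects directories created after the change, so the audit function is what covers homes that already exist.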