On Fri, 16 Dec 2022 11:50:18 +0000 debian user <debian.u...@gmail.com> wrote:
Package: login
Version: 1:4.13+dfsg1-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: r...@localhost.lan, Debian Security Team <t...@security.debian.org>

Dear Maintainer,

please uncomment the line in /etc/login.defs that currently says:

#HOME_MODE      0700

to say:

HOME_MODE      0700

The current setting makes user $HOME directories be created with
permissions where other users can read the contents by default.

I tend to disagree, the default is just fine, all the sensitive
data (e.g. .bash_history, .ssh/, etc.) is already protected, there's
absolutely nothing wrong if the files in home dirs are accessible
by default; for example my users complain if they can't show content
of their own files to other users by default.  On the other hand,
it is trivial to uncomment the HOME_MODE setting locally if the local
policy is that users should be paranoid against each other.  It is
just as easy to set perms of your own home dir at any time, too.

/mjt

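A check for the setting argued over above, written for this thread and not taken from the bug report, Debian's login.defs or shadow's sources: it reports the mode useradd will give a new home directory under a given login.defs (assuming shadow's documented rule that an uncommented HOME_MODE wins and that otherwise the mode is 0777 with the UMASK bits cleared, UMASK defaulting to 022), and lists existing home directories that grant any group or other access (GNU find's `-perm /mode`).

```shell
#!/bin/sh
# Added example, not code from the bug report or from the shadow package.
# Assumed semantics (per login.defs(5)): an uncommented HOME_MODE line sets
# the mode of new home directories; if absent, the mode is 0777 & ~UMASK,
# and UMASK itself defaults to 022 when unset. "#HOME_MODE 0700" is inert.

# effective_home_mode FILE
#   Print the four-digit octal mode useradd would apply, e.g. 0755 or 0700.
effective_home_mode() {
    defs=$1
    # Take the last uncommented HOME_MODE value, if any.
    mode=$(sed -n 's/^[[:space:]]*HOME_MODE[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$defs" | tail -n 1)
    if [ -n "$mode" ]; then
        # Normalise to four digits (keeps a setgid bit such as 2770 intact).
        printf '0000%s\n' "$mode" | sed 's/.*\(....\)$/\1/'
        return 0
    fi
    umask=$(sed -n 's/^[[:space:]]*UMASK[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$defs" | tail -n 1)
    [ -n "$umask" ] || umask=022   # assumed built-in default when UMASK is unset
    # 0777 & ~UMASK: each of the three permission digits becomes 7 minus itself,
    # done as a character translation so no shell octal arithmetic is needed.
    printf '000%s\n' "$umask" | sed -e 's/.*\(...\)$/\1/' -e 'y/01234567/76543210/' -e 's/^/0/'
}

# accessible_homes BASE
#   Print each direct subdirectory of BASE whose mode grants any group/other
#   permission bit, one per line, sorted. These are the directories the bug
#   report is about; 0700 homes are not listed.
accessible_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm /077 | sort
}
```

Run `effective_home_mode /etc/login.defs` on a Debian host to see which side of the argument the current file implements, and `accessible_homes /home` to see what is already in place.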