On Fri, Dec 16, 2022 at 04:14:56PM +0300, Michael Tokarev wrote: > On Fri, 16 Dec 2022 11:50:18 +0000 debian user <debian.u...@gmail.com> wrote: > > Package: login > > Version: 1:4.13+dfsg1-1 > > Severity: grave > > Tags: security > > Justification: user security hole > > X-Debbugs-Cc: r...@localhost.lan, Debian Security Team > > <t...@security.debian.org> > > > > Dear Maintainer, > > > > please uncomment the line in /etc/login.defs that currently says: > > > > #HOME_MODE 0700 > > > > to say: > > > > HOME_MODE 0700 > > > > The current settings makes user $HOME directories be created with > > permissions where other users can read the contents by default. > > I tend to disagree, the default is just fine, all the sensitive > data (eg, .bash_history, .ssh/ etc) is already protected, there's > absolutely nothing wrong if the files in home dirs are accessible > by default, - for example my users complain if they can't show content > of their own files to other users by default. On the other hand, > it is trivial to uncomment the HOME_MODE setting locally if the local > policy is that users should be paranoid against each other. It is > just as easy to set perms of your own home dir at any time, too. > > /mjt
Agreed with mjt. As an example, unprivileged containers cannot be started if your subuids cannot at least 'x' $HOME. And in all the systems I set up to share with family/friends I want to encourage not limit sharing. -serge
