Your message dated Fri, 13 Jan 2023 22:04:15 +0100
with message-id <20230113210415.mfdcle5dyjaqm...@fatal.se>
and subject line Re: login: $HOME created as 0755 by default
has caused the Debian Bug report #1026213,
regarding login: $HOME created as 0755 by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1026213: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026213
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: login
Version: 1:4.13+dfsg1-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: r...@localhost.lan, Debian Security Team <t...@security.debian.org>

Dear Maintainer,

please uncomment the line in /etc/login.defs that currently says:

#HOME_MODE      0700

to say:

HOME_MODE      0700

The current setting makes user $HOME directories be created with
permissions where other users can read the contents by default.


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-19-amd64 (SMP w/4 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages login depends on:
ii  libaudit1       1:3.0.7-1.1+b2
ii  libc6           2.36-6
ii  libcrypt1       1:4.4.33-1
ii  libpam-modules  1.5.2-5
ii  libpam-runtime  1.5.2-5
ii  libpam0g        1.5.2-5

login recommends no packages.

login suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Hello,

Given there already seems to be common consensus that this is not a bug
I've sent a request to tag this bug report with the 'wontfix' tag
and I'm now closing the bug (to get it off the release-critical bugs
tracker).

My personal opinion on this matter if anyone cares is that the
login.defs setting the reporter talks about is not a universal fix.
Tools like adduser don't care about it. The adduser tool is also the
one to use instead of useradd, et al. from src:shadow if you want
"sane defaults" (according to Debian policy etc).
If you insist on using other tools, then getting the right settings is
left up to you to control.

Regards,
Andreas Henriksson

--- End Message ---
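
An added example (not part of either message, nor code from the shadow or adduser packages): a POSIX sh check that computes the mode a login.defs-style file yields for new home directories (HOME_MODE if set, otherwise 0777 masked by UMASK, as login.defs(5) describes) and lists existing home directories that grant any permission to other users, whichever tool created them. The function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and demo data are constructed.

# login_defs_value FILE KEY: last uncommented value of KEY in a login.defs-style file.
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# effective_home_mode FILE: mode for new home directories according to FILE:
# HOME_MODE if set, otherwise 0777 masked by UMASK (022 when UMASK is absent).
effective_home_mode() {
    mode=$(login_defs_value "$1" HOME_MODE)
    if [ -z "$mode" ]; then
        umask_val=$(login_defs_value "$1" UMASK)
        mode=$(printf '%o' $(( 0777 & ~0${umask_val:-022} )))
    fi
    printf '%04o\n' "0$mode"
}

# world_accessible_homes PASSWD_FILE [MIN_UID]: print "user dir" for accounts with
# UID >= MIN_UID (default 1000) whose home grants r, w or x to "other".
world_accessible_homes() {
    awk -F: -v min="${2:-1000}" '$3 >= min { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user dir; do
        [ -d "$dir" ] || continue
        hit=$(find "$dir" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
        [ -z "$hit" ] || printf '%s %s\n' "$user" "$dir"
    done
}

# Constructed demo: HOME_MODE commented out (as in the report) vs uncommented.
demo() {
    d=$(mktemp -d)
    printf 'UMASK\t\t022\n#HOME_MODE\t0700\n' > "$d/commented.defs"
    printf 'UMASK\t\t022\nHOME_MODE\t0700\n' > "$d/uncommented.defs"
    mkdir -m 0755 "$d/alice"; mkdir -m 0700 "$d/bob"
    printf 'alice:x:1000:1000::%s/alice:/bin/sh\nbob:x:1001:1001::%s/bob:/bin/sh\n' \
        "$d" "$d" > "$d/passwd"
    echo "commented:   $(effective_home_mode "$d/commented.defs")"
    echo "uncommented: $(effective_home_mode "$d/uncommented.defs")"
    world_accessible_homes "$d/passwd"
    rm -rf "$d"
}
demo
```

On a live system the same functions take the real files: `effective_home_mode /etc/login.defs` and `world_accessible_homes /etc/passwd`.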