Page MenuHomeSolus
Create Task
Maniphest T10379

New user home directory permissions not as expected
Closed, ResolvedPublic
Actions

Description

In this thread, it was discovered that new users get created with a home directory that have read and execute bits set for the Other group in the directory permissions. This allows other users to view what is in a user's home directory. The expectation is that these bits are not set, and only the user themselves (and anyone in the same group) should have access to their own home directory. Other distros likewise do not create home directories with these permissions set like Solus does; only the owner and group has read and execute permissions; not 'other'.

I briefly tried to find where this was set, but couldn't come up with anything.

Revisions and Commits

R2893 shadow
R2893:ac2336059a6a shadow: set HOME_MODE to 0770 in /etc/login.defs

Related Objects

Event Timeline

EbonJaeger created this task.Sep 7 2022, 2:02 PM
Herald added a project: Lacks Project. · View Herald TranscriptSep 7 2022, 2:02 PM
ermo claimed this task.May 4 2023, 5:21 PM
ermo triaged this task as High priority.
ermo edited projects, added Plumbing; removed Lacks Project.
ermo added a subscriber: ermo.

Gonna take a stab at this; we likely need this fixed before spinning 4.4 ISOs.

See T10440

ermo added a comment.EditedMay 4 2023, 5:35 PM

Research notes:

man useradd has the following section:

CONFIGURATION
       The following configuration variables in /etc/login.defs change the behavior of this tool:
(...)
       HOME_MODE (number)
           The mode for new home directories. If not specified, the UMASK is used to create the mode.

           useradd and newusers use this to set the mode of the home directory they create.
  • The bash package owns /usr/share/defaults/etc/profile.d/50-umask.sh and sets umask to 002
  • The shadow package owns /etc/login.defs

The following stanza exists in /etc/login.defs:

# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK           022

# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
#HOME_MODE	0700

Preliminary research thus suggests that setting _explicitly setting_ HOME_MODE 0700 in /etc/login.defs in the shadow package should fix this.

ermo added a comment.May 4 2023, 5:48 PM

Looks like the commented out HOME MODE 0700 setting in /etc/login.defs is indeed the issue:

ermo@solbox:/usr/share/defaults/etc
$ grep HOME_MODE /etc/login.defs 
# home directories if HOME_MODE is not set.
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
#HOME_MODE       0700
ermo@solbox:/usr/share/defaults/etc
$ sudo useradd -U -G dialout,audio,video,cdrom,lpadmin,sudo,scanner,plugdev,users,fuse,docker,sambashares -m -c "test umask settings for user creation" umasktest
Creating mailbox file: No such file or directory
ermo@solbox:/usr/share/defaults/etc
$ ls -la /home/
total 40
drwxr-xr-x  7 root      root       4096 May  4 19:43 .
drwxr-xr-x 21 root      root       4096 May  4 01:45 ..
drwxr-xr-x 76 ermo      ermo       4096 May  4 19:34 ermo
drwxr-xr-x 72 root      root       4096 Jan  9  2019 etc.bak
drwx------  2 root      root      16384 Jan 31  2019 lost+found
drwxr-xr-x 13 test      test       4096 Oct 12  2022 test
drwxr-xr-x  2 umasktest umasktest  4096 May  4 19:43 umasktest
ermo@solbox:/usr/share/defaults/etc
$ sudo userdel -fr umasktest
userdel: umasktest mail spool (/var/spool/mail/umasktest) not found
ermo@solbox:/usr/share/defaults/etc
$ sudo vi /etc/login.defs 
ermo@solbox:/usr/share/defaults/etc
$ grep HOME_MODE /etc/login.defs 
# home directories if HOME_MODE is not set.
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE       0700
ermo@solbox:/usr/share/defaults/etc
$ sudo useradd -U -G dialout,audio,video,cdrom,lpadmin,sudo,scanner,plugdev,users,fuse,docker,sambashares -m -c "test umask settings for user creation" umasktest
Creating mailbox file: No such file or directory
ermo@solbox:/usr/share/defaults/etc
$ ls -la /home/
total 40
drwxr-xr-x  7 root      root       4096 May  4 19:44 .
drwxr-xr-x 21 root      root       4096 May  4 01:45 ..
drwxr-xr-x 76 ermo      ermo       4096 May  4 19:34 ermo
drwxr-xr-x 72 root      root       4096 Jan  9  2019 etc.bak
drwx------  2 root      root      16384 Jan 31  2019 lost+found
drwxr-xr-x 13 test      test       4096 Oct 12  2022 test
drwx------  2 umasktest umasktest  4096 May  4 19:44 umasktest
ermo@solbox:/usr/share/defaults/etc
$
ermo closed this task as Resolved by committing R2893:ac2336059a6a: shadow: set HOME_MODE to 0770 in /etc/login.defs.May 5 2023, 12:03 PM
ermo added a commit: R2893:ac2336059a6a: shadow: set HOME_MODE to 0770 in /etc/login.defs.
ermo added a comment.May 5 2023, 12:05 PM
[Package] Building complete
 ⮞  Building succeeded
make[1]: Leaving directory '/home/ermo/solus-packages/shadow'

real    0m26,674s
user    0m18,311s
sys     0m13,795s
ermo@solbox:~/solus-packages/shadow [master* +1 ~2 -0 !]
$ grep -Hn HOME_MODE /etc/login.defs 
/etc/login.defs:198:# home directories if HOME_MODE is not set.
/etc/login.defs:204:# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
/etc/login.defs:206:# If HOME_MODE is not set, the value of UMASK is used to create the mode.
/etc/login.defs:207:#HOME_MODE  0700
ermo@solbox:~/solus-packages/shadow [master* +1 ~2 -0 !]
$ sudo epkg it shadow-4.8.1-19-1-x86_64.eopkg 
sudo: epkg: command not found
ermo@solbox:~/solus-packages/shadow [master* +1 ~2 -0 !]
$ sudo eopkg it shadow-4.8.1-19-1-x86_64.eopkg 
Installation order: shadow 
Installing shadow, version 4.8.1, release 19
Extracting the files of shadow
Installed shadow
 [✓] Syncing filesystems                                                success
 [✓] Updating manpages database                                         success
ermo@solbox:~/solus-packages/shadow [master* +1 ~2 -0 !]
$ grep -Hn HOME_MODE /etc/login.defs 
/etc/login.defs:198:# home directories if HOME_MODE is not set.
/etc/login.defs:204:# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
/etc/login.defs:206:# If HOME_MODE is not set, the value of UMASK is used to create the mode.
/etc/login.defs:207:HOME_MODE   0770
ermo@solbox:~/solus-packages/shadow [master* +1 ~2 -0 !]
$ sudo useradd -U -G dialout,audio,video,cdrom,lpadmin,sudo,scanner,plugdev,users,fuse,docker,sambashares -m -c "test umask settings for user creation" umasktest
Creating mailbox file: No such file or directory
ermo@solbox:~/solus-packages/shadow [master* +2 ~0 -0 !]
$ ls -la /home
total 40
drwxr-xr-x  7 root      root       4096 May  5 14:04 .
drwxr-xr-x 21 root      root       4096 May  4 01:45 ..
drwxr-xr-x 76 ermo      ermo       4096 May  5 14:03 ermo
drwxr-xr-x 72 root      root       4096 Jan  9  2019 etc.bak
drwx------  2 root      root      16384 Jan 31  2019 lost+found
drwxr-xr-x 13 test      test       4096 Oct 12  2022 test
drwxrwx---  2 umasktest umasktest  4096 May  5 14:04 umasktest
ermo@solbox:~/solus-packages/shadow [master* +2 ~0 -0 !]
$
ermo mentioned this in T10440: Solus 4.4 ISO checklist.May 5 2023, 12:08 PM
TClark77 mentioned this in T10560: permissions for /root are too lax.Jun 21 2023, 4:49 PM
Copyright © 2015-2021 Solus Project. The Solus logo is Copyright © 2016-2021 Solus Project. All Rights Reserved.