Bug 170750

Summary: Home dir permissions not consistent
Product: [Fedora] Fedora
Component: system-config-users
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Keywords: FutureFeature
Doc Type: Enhancement
Reporter: Need Real Name <lsof>
Assignee: Peter Vrabec <pvrabec>
QA Contact: David Lawrence <dkl>
CC: mitr, n0dalus+redhat, nphilipp
Last Closed: 2006-03-07 15:38:44 UTC

Description Need Real Name 2005-10-14 12:39:27 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050923 Epiphany/1.6.5

Description of problem:
Adding a user to the system is not consistent across the gui and command line tools.

The adduser and useradd utilities create world readable home directories.
The gui tool creates a user readable home directory.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
x

Additional info:

Comment 3 n0dalus 2006-01-13 11:41:47 UTC
Reproducible in devel on 13th Jan 2006.

system-config-users-1.2.41-1.1
shadow-utils-4.0.14-1

Comment 4 Nils Philippsen 2006-03-07 12:22:12 UTC
This will have to wait until after FC5 is out as s-c-users uses libuser which
uses /etc/libuser.conf (and not /etc/login.defs) which doesn't provide means to
set the home directory mode.

Comment 6 Miloslav Trmač 2006-03-07 14:02:45 UTC
libuser currently hardcodes mode 0700.

I personally consider the default permissions of 0750 on home directories
created by adduser a security issue (if not in the application, at minimum in
the default configuration); useradd did use 0700 in the past (using an RH
patch to the default configuration, IIRC), why was it changed?

#160644 doesn't really explain anything, neither does the lack of an upstream
answer in the thread at #160644c2;  security should trump upstream defaults
IMHO.  I must have overlooked some important reason for the status quo...

As I recall, firstboot is now using luseradd to add users only because luseradd
uses mode 0700.

Comment 7 Need Real Name 2006-03-07 14:09:10 UTC
Off-topic, but you'd probably be horrified to see what Debian does:
world readable /home/username AND /root/. ugh.

Comment 8 Peter Vrabec 2006-03-07 15:38:44 UTC
Finally, I changed shadow-utils to use mode 0700 by default.
shadow-utils-4.0.14-3
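
Added example, not part of the bug thread and not code from shadow-utils or libuser: a shell audit that reports home directories whose mode is looser than the 0700 discussed above, which is how an administrator would find accounts created before the default changed. It assumes GNU stat; the function names `audit_home_modes` and `make_sample`, the UID threshold of 1000, and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit home directory modes against 0700 (assumes GNU stat).

# audit_home_modes PASSWD_FILE [MIN_UID]
# Prints "user:home:mode" for every account with UID >= MIN_UID whose home
# directory grants any group or other permission. Returns 1 if any are found.
audit_home_modes() (
    passwd_file=$1
    min_uid=${2:-1000}   # assumption: regular accounts start at UID 1000
    found=0
    while IFS=: read -r user _pw uid _gid _gecos home _shell; do
        # Skip comments, malformed lines and system accounts.
        case $uid in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge "$min_uid" ] || continue
        [ -d "$home" ] || continue
        mode=$(stat -L -c '%a' -- "$home") || continue
        # Any bit outside the owner triplet (mask 0077) is looser than 0700.
        if [ $(( 0$mode & 0077 )) -ne 0 ]; then
            printf '%s:%s:%s\n' "$user" "$home" "$mode"
            found=1
        fi
    done < "$passwd_file"
    return "$found"
)

# Constructed sample: a scratch tree with homes at 0755, 0750 and 0700,
# plus a passwd-format file pointing at them.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -m 0755 "$root/alice" "$root/daemon"
    mkdir -m 0750 "$root/bob"
    mkdir -m 0700 "$root/carol"
    cat > "$root/passwd" <<EOF
alice:x:1000:1000::$root/alice:/bin/bash
bob:x:1001:1001::$root/bob:/bin/bash
carol:x:1002:1002::$root/carol:/bin/bash
daemon:x:2:2::$root/daemon:/sbin/nologin
EOF
    printf '%s\n' "$root"
}

# Demo run on the constructed sample; use /etc/passwd to audit a real host.
sample=$(make_sample) || exit 1
audit_home_modes "$sample/passwd" || echo "home directories looser than 0700 found" >&2
rm -rf "$sample"
```

The non-zero return status makes the function usable as a gate in a provisioning or compliance script.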