From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050923 Epiphany/1.6.5
Description of problem: Adding a user to the system is not consistent across the GUI and command line tools. The adduser and useradd utilities create world readable home directories. The GUI tool creates a user readable home directory.
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce: x
Additional info:

Reproducible in devel on 13th Jan 2006. system-config-users-1.2.41-1.1 shadow-utils-4.0.14-1
This will have to wait until after FC5 is out as s-c-users uses libuser which uses /etc/libuser.conf (and not /etc/login.defs) which doesn't provide means to set the home directory mode.
libuser currently hardcodes mode 0700. I personally consider the default permissions of 0750 on home directories created by adduser a security issue (if not in the application, at minimum in the default configuration); useradd did use 0700 in the past (using an RH patch to the default configuration, IIRC), why was it changed? #160644 doesn't really explain anything, neither does the lack of an upstream answer in the thread at #160644c2; security should trump upstream defaults IMHO. I must have overlooked some important reason for the status quo... As I recall, firstboot is now using luseradd to add users only because luseradd uses mode 0700.
Off-topic, but you'd probably be horrified to see what Debian does: world readable /home/username AND /root/. Ugh.
Finally, I changed shadow-utils to use mode 0700 by default. shadow-utils-4.0.14-3
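
An added example, not part of the original bug thread: a Python audit that reads passwd-format text and reports home directories looser than the 0700 mode discussed above, whichever tool created them. The `audit_homes` and `demo` names, the sample accounts and the `min_uid=1000` default are assumptions.

```python
import os
import stat
import tempfile

def audit_homes(passwd_text, root="/", min_uid=1000):
    """Return (user, home, mode, exposure) for each home directory looser than 0700.

    passwd_text is passwd(5)-format text; min_uid=1000 is an assumed UID_MIN,
    set it to the value your system uses for regular accounts.
    """
    findings = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue                      # skip comments and malformed lines
        user, uid, home = fields[0], int(fields[2]), fields[5]
        if uid < min_uid:
            continue                      # system accounts are out of scope here
        path = os.path.join(root, home.lstrip("/"))
        try:
            st = os.lstat(path)           # lstat: do not follow a symlinked home
        except OSError:
            continue                      # home missing or unreadable
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o007:
            findings.append((user, home, mode, "world"))
        elif mode & 0o070:
            findings.append((user, home, mode, "group"))
    return findings

def demo():
    """Constructed sample: three accounts whose homes have different modes."""
    passwd = (
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:1000:1000::/home/alice:/bin/bash\n"
        "bob:x:1001:1001::/home/bob:/bin/bash\n"
        "carol:x:1002:1002::/home/carol:/bin/bash\n"
    )
    modes = {"alice": 0o755, "bob": 0o750, "carol": 0o700}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in modes.items():
            path = os.path.join(root, "home", name)
            os.makedirs(path)
            os.chmod(path, mode)          # chmod so the umask cannot alter the mode
        return audit_homes(passwd, root=root)

if __name__ == "__main__":
    for user, home, mode, exposure in demo():
        print(f"{user}: {home} is {mode:04o} ({exposure}-accessible)")
```

On a live system, pass the contents of `/etc/passwd` and leave `root` at its default.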