Red Hat Bugzilla – Bug 170750
Home dir permissions not consistent
Last modified: 2007-11-30 17:11:15 EST
Description of problem:
Adding a user to the system is not consistent across the gui and command line tools.
The adduser and useradd utilities create world readable home directories.
The gui tool creates a user readable home directory.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Reproducible in devel on 13th Jan 2006.
This will have to wait until after FC5 is out as s-c-users uses libuser which
uses /etc/libuser.conf (and not /etc/login.defs) which doesn't provide a means to
set the home directory mode.
libuser currently hardcodes mode 0700.
I personally consider the default permissions of 0750 on home directories
created by adduser a security issue (if not in the application, at minimum in
the default configuration); useradd did use 0700 in the past (using an RH
patch to the default configuration, IIRC), why was it changed?
#160644 doesn't really explain anything, neither does the lack of an upstream
answer in the thread at #160644c2; security should trump upstream defaults
IMHO. I must have overlooked some important reason for the status quo...
As I recall, firstboot is now using luseradd to add users only because luseradd
uses mode 0700.
Off-topic, but you'd probably be horrified to see what Debian does:
world readable /home/username AND /root/. ugh.
Finally, I changed shadow-utils to use mode 0700 by default.
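
An added example, not part of the bug thread and not code from shadow-utils or libuser: a small audit that computes the home directory mode useradd would produce, compares it with the 0700 the thread attributes to libuser, and flags existing homes that are more permissive. It assumes useradd derives the mode as 0777 masked by UMASK from /etc/login.defs, a fallback umask of 022 and a regular-user UID floor of 500; the function names and sample accounts are constructed.

```python
import os
import stat
import tempfile

LIBUSER_HOME_MODE = 0o700  # the mode the thread says libuser hardcodes


def useradd_home_mode(login_defs_text, default_umask=0o022):
    """Assumed useradd rule: home mode = 0777 masked by UMASK in login.defs."""
    umask = default_umask  # assumption: value used when UMASK is not set
    for line in login_defs_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "UMASK":
            umask = int(fields[1], 8)
    return 0o777 & ~umask


def audit_homes(passwd_text, allowed=LIBUSER_HOME_MODE, min_uid=500):
    """Return (user, mode) for existing home dirs with bits outside `allowed`."""
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or int(parts[2]) < min_uid:
            continue  # malformed entry or system account
        try:
            st = os.lstat(parts[5])  # lstat: a symlinked home is not followed
        except OSError:
            continue  # home directory missing
        if stat.S_ISDIR(st.st_mode) and stat.S_IMODE(st.st_mode) & ~allowed:
            findings.append((parts[0], stat.S_IMODE(st.st_mode)))
    return findings


def demo():
    """Build constructed homes the way each tool would, then audit them."""
    base = tempfile.mkdtemp()  # constructed sample tree, not real accounts
    cli_mode = useradd_home_mode("# constructed sample\nUMASK 022\n")
    passwd = []
    for uid, (user, mode) in enumerate(
            [("cliuser", cli_mode), ("guiuser", LIBUSER_HOME_MODE)], start=500):
        home = os.path.join(base, user)
        os.mkdir(home)
        os.chmod(home, mode)  # chmod so the process umask does not interfere
        passwd.append(f"{user}:x:{uid}:{uid}::{home}:/bin/bash")
    return cli_mode, audit_homes("\n".join(passwd))


if __name__ == "__main__":
    print(demo())
```

On a real system, pass the contents of /etc/passwd to `audit_homes` and the contents of /etc/login.defs to `useradd_home_mode`.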