
adduser default for sgid home directories (was: Seeking consensus for some changes in adduser)



Back in March, I wrote in <YjInpj6X3Y9rAZcc@torres.zugschlus.de>,
https://lists.debian.org/debian-devel/2022/03/msg00304.html:
> My post-discussion answer to question (1c) is yes, but I am still open
> for arguments. If noone convinces me, the default for DIR_MODE will be
> changed to 2700 (see (4) below).
> 
> (...)
> 
> A setgid bit on a non-group-readable directory might seem strange
> though. Are there arguments against doing so aside from the ugly "S" in
> ls output?

We implemented that change last week, and promptly a bug report
(#1014901) appeared, giving what we consider good arguments to change
this back to 0700. Here is what the adduser team considers possible
documentation for this, and we intend to include this in NEWS.Debian as a
rationale for the change.

Please comment.

Suggested Documentation Text Follows:
In adduser 3.122, we implemented code that allows setting the default
for the mode bits of the home directory of a newly created system user
independently of the mode bits of the home directory of a newly created
non-system user (SYS_DIR_MODE vs DIR_MODE).

This was in part done to finally solve #643559, which requested setting
the sgid bit for the home directory of a non-system user by default, in
order to ease setting access permissions of shared workspaces in
multi-user systems. This default has oscillated back and forth in adduser
multiple times since the 1990s, because both ways to set this bit by
default have advantages and disadvantages.  After a preliminary request
for comment (see
https://lists.debian.org/debian-devel/2022/03/msg00098.html), the
default value for DIR_MODE was changed to 2700 in adduser 3.122 (July
2022).  Sadly, though the technical reasoning for NOT setting the bit
has largely not survived the last two decades, there remain some use
cases impacted by the change which we were not fully aware of.

Promptly, #1014901 was filed, requesting that DIR_MODE be changed to
0700, effectively causing home directories of non-system users to be
created without the sgid bit. The biggest point in the reasoning is that
having the sgid bit set will need special measures to keep the home
directory's group ownership from propagating to file system images,
chroots, and archives, causing wrong file ownership/permissions in those
entities, which in turn might propagate to different systems and cause
security-related effects there.  The bug report gives instructions to
reproduce the behavior.

System administrators who run multi-user environments which require
shared workspaces have tools at their disposal to change the default
behavior as their individual needs require, and likely are aware of how
to work around any issues that arise as part of that configuration; it
is also very possible that such systems may be managed using
configuration management software.  In an age of general purpose use on
one end, and single purpose containers on the other, this is unlikely to
be the majority of newly installed systems.

So what remains is the decision to provide a sane default for a system
that is installed by an end-user, who may not understand or be aware of
this setting at all, but who still might use Internet HOW-TOs to build
chroots, images or archives, inadvertently causing security issues on
third-party systems.  The clear and unsurprising solution is to leave
the sgid bit for newly created users off by default.  This is also
important to keep the support effort for other packages down. Users
surprised by the behavior might file bugs against other packages,
increasing the effort necessary to support those other packages.

In adduser 3.123, DIR_MODE will be changed to 0700, flipping the
default for the sgid bit once again to the value we have had for the
majority of Debian's existence period. With this change, Debian is
re-joining ranks again with ALL other major Linux distributions, none of
which sets the sgid bit on home directories to 1 (research done in
July 2022).

As the root user and its home directory are created by other means, this
primarily affects the one user that can be created in the Installer
before there is any possibility to configure adduser. Those users will
now again have the sgid bit of the home directory set to 0.  Again,
system administrators have the tools and documentation to configure
their systems as their individual requirements dictate (using DIR_MODE,
and/or fixing those initial directories).

As mode 0700 both provides the most secure, unsurprising default and is
in line with most other major distributions, the adduser team considers
the matter to be settled; any further discussion should come prepared
with rationale, support, convincing use cases and a significant public
discussion period.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
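To make the propagation mechanism from the mail concrete, here is an added shell example (not part of Marc's mail or of the adduser package) that shows the setgid bit being inherited by a subdirectory created under a 2700 home directory, plus a small audit/fix for existing home directories. It assumes Linux semantics and GNU or busybox coreutils (`stat -c`, `find -perm`), and works on a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not adduser code. Shows why a 2700 (setgid) home directory
# leaks its group into trees built below it: every subdirectory created under
# it inherits the setgid bit and the parent's group, and plain files inherit
# the group, so a chroot/image/archive built in $HOME carries that group out.
# Assumes GNU/busybox coreutils for `stat -c` and `find -perm`.

# has_sgid PATH: succeed if the setgid bit (02000) is set on PATH.
has_sgid() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 02000 )) -ne 0 ]
}

# demo_inheritance: build a constructed tree in a temp dir, mimicking what
# adduser 3.122 did (DIR_MODE=2700), and print "<subdir_sgid> <file_sgid>".
demo_inheritance() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 2700 "$tmp/home"          # home directory as created with 2700
    mkdir "$tmp/home/chroot"           # a build tree started inside it
    : > "$tmp/home/chroot/passwd"      # a file inside that tree
    d=0; f=0
    has_sgid "$tmp/home/chroot" && d=1           # subdirectory inherits it
    has_sgid "$tmp/home/chroot/passwd" && f=1    # plain files do not
    rm -rf "$tmp"
    echo "$d $f"
}

# audit_homes BASE: list home directories directly under BASE that still
# carry the setgid bit (the 3.122 default) so they can be reviewed.
audit_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -perm -2000
}

# fix_home DIR: clear the setgid bit, matching the 3.123 default of
# DIR_MODE=0700 (set DIR_MODE in /etc/adduser.conf for future users).
fix_home() {
    chmod g-s "$1" && ! has_sgid "$1"
}

# Standalone run: ./sgid-home.sh [BASE]  (BASE defaults to /home)
echo "subdir inherits sgid / file inherits sgid: $(demo_inheritance)"
[ -d "${1:-/home}" ] && audit_homes "${1:-/home}" || true
```

The demo prints `1 0`: the subdirectory inherits the setgid bit, the file does not, which is exactly the behaviour that carries a home directory's group into an image or archive built inside it.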