Hi,

adduser maintainer here. Adduser currently has a single debconf
question, "Do you want system-wide readable home directories?",
resulting in the setting of DIR_MODE in adduser.conf.

Adduser is going to change its default in the future to 2700 due to a
number of sensible bug reports requesting more account security. The
only situation where the Debconf question still makes sense in these
days is the Installer, since when the Installer creates the first user
account, the user did not yet have the opportunity to edit adduser.conf.

How does the Debian installer team think about adduser removing this
debconf question in a future release, causing the account created on installation to be created with home directory mode 2700?

adduser would become debconf-less that way, which would make the package
a lot easier.

Thanks for sharing your opinion. Please keep me on Cc for your replies,
I am not subscribed to debian-boot.

Greetings
Marc

-- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Marc,

Marc Haber <mh+debian-packages@zugschlus.de> (2022-03-22):

adduser maintainer here. Adduser currently has a single debconf
question, "Do you want system-wide readable home directories?",
resulting in the setting of DIR_MODE in adduser.conf.

Adduser is going to change its default in the future to 2700 due to a
number of sensible bug reports requesting more account security. The
only situation where the Debconf question still makes sense in these
days is the Installer, since when the Installer creates the first user account, the user did not yet have the opportunity to edit adduser.conf.

How does the Debian installer team think about adduser removing this
debconf question in a future release, causing the account created on installation to be created with home directory mode 2700?

adduser would become debconf-less that way, which would make the package
a lot easier.

At first glance, letting d-i use whatever the default is would look good
to me. People having strong opinions about this setting can always
adjust the configuration after the installation?

Please keep me on Cc for your replies, I am not subscribed to
debian-boot.

Done.


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmI51RcACgkQ/5FK8MKz VSBvZA//UiydXE9Msan+6S5ndsyg+DdjhSiolAg52iIV83NxoecXyQ+zo+JDBahM kY50+oYWgcUMInlAbOIsjLSwdA6yPPLEQjwebtVXxqtIdV0mQdDk59Qr+f9HdQR1 7lUnRQT+E1tpRPdT4zSs+YOYow6u2HLoJMDN8Xdl1Fdd7RhJhTDt1hldeTIfqul/ y6tEI/XfkXN+zsO7li0eR1YGbl4N37Xz98VjEBnaX91JMD9O2x1Y9UKrJx7rEjNu OUe0i/1iK/A8ch7M3onF/VN5DmFNiawiHGh6w1ucCALVQWdqjS6+UWg+mIUMcZnm PWBh/7L0Bpsp+9EGV8yXCkhWP0cXxX1RLJm0JyxgECPRL5E4MykU+TJJe+9w6+Pj PUzxvAj5KXSwAAJUeG4hJmuq0rjA2skRQFGwA2mWXaF7CoAW/SWcI6XBChoyDoyE zFiIQ5fH+4avRwufY/6M/p/di0Pi7zxJLtRaG5YvTh9Do+IAFFIjmn9kCLOenj2B OfU59717MVo+kvtDb9wothjClHQJdG0QkVz0OTY1Z6wIuVYwIdWULVxJ21SG967H aWI3cl6M8XuGWxebkjj5ErQMtr8ZJSMyYMKDnpMwS2PETXzTjMzjnPGjvmJzwpo/ IHjauqlyvzN8yWSkiSAQPTk7J70SSmQpET6BjsJJxhOtgWucK5k=
=bCVP
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

On Tue, Mar 22, 2022 at 02:54:36PM +0100, Cyril Brulebois wrote:

People having strong opinions about this setting can always
adjust the configuration after the installation?

Sure they can, it's a dpkg-conffile¹ after all, but they'll have to
manually adapt the account created by d-i if they want it differently.

Greetings
Marc

¹ frankly, it isn't, at the moment, but it will be once we have ditched debconf.


-- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Marc Haber <mh+debian-packages@zugschlus.de> writes:

On Tue, Mar 22, 2022 at 02:54:36PM +0100, Cyril Brulebois wrote:

People having strong opinions about this setting can always
adjust the configuration after the installation?

Sure they can, it's a dpkg-conffile¹ after all, but they'll have to
manually adapt the account created by d-i if they want it differently.

That's just a case of running `chmod g+rw /home/*` though isn't it?

They'll presumably also want to do that to deal with any other users
created before they change the setting, so it seems like no extra effort really. I'd have thought that anyone with an opinion about changing
the default will also know they need to run that chmod.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3/FBWs4yJ/zyBwfW0EujoAEl1cAFAmI5/oUACgkQ0EujoAEl 1cCutw/+LQlND37GXnYQ4Msd3xeW1jopEhz0Xhw0iLltO9eqVO4cW46T8AY1CQpP zMjAF31jF3eHyr4GQyZp1WqFN8Qsi3023MPPfOpUW7x9XHlTANb5RtsHYq28w6MP LdeoNXDa+0Lk97xBzP/Sf1uNnSSbutS8aGOMlqatqE2Iyd4N7Z92AFbQsOks0hFw SmIHls1v4cDCEYksAtQR0c28peSoDB05NjVw70O4x/qhh9UvDQMIriRBFs53p89V n1Dkv6xM70bPIgoPClFZaln8WaTMr9y23AJvCnq4vR8Gihfkvf6F7JjxHSgtxL0P MvUdhgiR/Pbrhp75mMF+SMeRO3hPbjTXZm0UpO70mgrYe6IhlKlMxXuXidqpl6aH 8i2HRRpFt2wWOpIskD8iaJX4ZsMeXd2bXHNCmq8ZAZosRuJMziOnwRZk8zl2OhBl EWbCPS2nD6x1wVuouB/QyUxkXwjzfpv1ly0HdBgfJpi4aTz3czuWPat8q//sMFZ/ 0qOo24JnFTRo3HGnJqb/GnTo15/heRERT7nzNNTVhLG38v5GiSSefCMXveiKFCzv aqL00wtn6f70JgeBdsd7LK0Hs0ElYMZbXklPgIt0apoWql4U2owLVWU6GsiT5pAI hE1zMb7yjKQ4L4F

Philip Hands <phil@hands.com> (2022-03-22):

They'll presumably also want to do that to deal with any other users
created before they change the setting, so it seems like no extra
effort really. I'd have thought that anyone with an opinion about
changing the default will also know they need to run that chmod.

Right, that's what I meant: such people can probably do sed and chmod.


Cheers,
--
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmI6B1EACgkQ/5FK8MKz VSDd6Q/+O/Eo3kyaPLgtTCY4D8b2qCvmBhM09uDVPGOHPlxOd/HQphif8dg+EN1B OabPYplfeBk50fc707Ce92QLF9CHYt8Wlmfy2i5Ly/WutOQr9zAerCYTfgF7zHIl rA0uPY/EOBOGHDfknKUaFxY4IFI2kBL6WE6KfJIr5LHVk+kAAGOqGexJMZOiWlcJ M1/R76XWKV8kW4EKJXyu132ZuDREnnbIsxa3U1u+qEe0F3rn5JJs4LH8lbLXtEFA CQm1d0dhAMCYkcd9wm2IQioPp+VrSTlcTSPKJEEFZDqoD7os8rfaqc8Wv1yeRiWt V9S7BiS0f3jxc1pZJzB8vvcjiYOsLNCBUcz4ZAcesxpmNwBHCTyeLy4XZ0R6Ss+S +WVFvziDrr2Ku5QzI4ngiE1sESD3tqHyaNsWe/EC/7J6PwnwrFvRhxHbZ6fKkaKB 1/jldbTNWC6jJOsH1IndSmf5wbr5MD725+14lMHIRPblAfDj07eSQJLnEWW22oM2 x88zcJhyJPuEuS0UM5ZZHSHC+jDjebGQjN2ShlaW0+y4FJIxY8yRQufn0k2Y7tY4 /SEIruVccxBpJvuYa0Z5W+ZTqRIRWIyuHeQ6Sc8u3k+nLuToXVExS7F5jkJ6+CnF l6p21lOACZRL0Q1g5OWoqkhzvtcB4K8kEhBi7Ej/BwwPk3ZKS58=
=odPM
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

Bjørn Mork <bjorn@mork.no> writes:

Philip Hands <phil@hands.com> writes:

That's just a case of running `chmod g+rw /home/*` though isn't it?

I guess you meant `chmod g+r /home/*`.

Yes.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3/FBWs4yJ/zyBwfW0EujoAEl1cAFAmI64HAACgkQ0EujoAEl 1cCY+A/+K3U3Rh7cmRV5x9R1cQDbq+EmRGlLygr725pcz6Oq04gN9etD8pHuRQCp 74ikMdMtOuYCjqjZeTtFVOsWZZqr76Qg7p+4PmYKz8Nam3cVqrD2eaXXp4s5dtTP 7oFqDfsR91Pc2/7wR5UzowLssUBpgNdXufX+E+JZ2+WNa46AUOL2pSSn7foh825q fXBjGWjLqdZ9pJLIZw+tsuqHvCE7uHqRImgt+lqKaTD0mu/73I6OzSPfUUKwu8Du P3mHfFJE5ky6ixBPIpA/dla8txKAsnCf3pxiXWQLNfgM76/XSROTJDO0/tKYXkvY erGCZqQ3143elwKaZKMf/BZUX0+dklBoON6kjV9XjNHzw/kXFuRVAFoMK1P6NVy9 s0jk1OiH6ZpevmskRrtRA2d5Sb7ldRKYC+ZePMMfr3KbaX0isYUvbOEJSI6eVAl/ Tnw7Z1HJ8CCLEqAk8rj1mxF+YR7rE8MJjKlwf5RgfC4WSZPP6gvJp6LNN8NrTXe8 67BqceNldG9yUOGWOtcigTuPgNZM7I549Q+sg6OSI/hx0dOPf0q1SaPjBZj2kzsS TkVW2jDqJsAOpjQBleld1CgfYoMRyVkxO89P54VWMqov6m7npzv0XE/d6/slzcog q9yBngcsFjp59J5

Philip Hands <phil@hands.com> writes:

That's just a case of running `chmod g+rw /home/*` though isn't it?

I guess you meant `chmod g+r /home/*`. Group writable home will upset
quite a few applications, whether the groups are unique per user or
not.


Bjørn

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi

On Tue, Mar 22, 2022 at 12:01:03PM +0100, Marc Haber wrote:

adduser maintainer here. Adduser currently has a single debconf
question, "Do you want system-wide readable home directories?",
resulting in the setting of DIR_MODE in adduser.conf.

How does the Debian installer team think about adduser removing this
debconf question in a future release, causing the account created on installation to be created with home directory mode 2700?

These changes are in unstable now. So please expect adduser in the
installer to ask one less question.

Greetings
Marc

-- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Aug 21, 2022 at 10:06:58PM +0200, Marc Haber wrote:

Hi

On Tue, Mar 22, 2022 at 12:01:03PM +0100, Marc Haber wrote:

adduser maintainer here. Adduser currently has a single debconf
question, "Do you want system-wide readable home directories?",
resulting in the setting of DIR_MODE in adduser.conf.

How does the Debian installer team think about adduser removing this
debconf question in a future release, causing the account created on
installation to be created with home directory mode 2700?

These changes are in unstable now. So please expect adduser in the
installer to ask one less question.

ACK, thanks for the heads-up!

--
Steve McIntyre, Cambridge, UK. steve@einval.com The two hard things in computing:
* naming things
* cache invalidation
* off-by-one errors -- Stig Sandbeck Mathisen

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Steve McIntyre <steve@einval.com> wrote (Sun, 21 Aug 2022 21:51:06 +0100):

On Sun, Aug 21, 2022 at 10:06:58PM +0200, Marc Haber wrote:

Hi

On Tue, Mar 22, 2022 at 12:01:03PM +0100, Marc Haber wrote:

adduser maintainer here. Adduser currently has a single debconf
question, "Do you want system-wide readable home directories?",
resulting in the setting of DIR_MODE in adduser.conf.

How does the Debian installer team think about adduser removing this
debconf question in a future release, causing the account created on
installation to be created with home directory mode 2700?

These changes are in unstable now. So please expect adduser in the >installer to ask one less question.

ACK, thanks for the heads-up!

Hmm. Sorry for the long delay!

I cannot find any such message in installer's debconf material or
translations.

So, there are two possible situations:
- the adduser questions are somehow not asked in the installer world;
- we lack documentation for this case, and adduser is indeed included in
the installer, but this cannot be found in installer's translation
statistics.


I cannot remember having seen any such message ("Do you want system-wide readable home directories?") during test installations BTW.


Holger



--
Holger Wansing <hwansing@mailbox.org>
PGP-Fingerprint: 496A C6E8 1442 4B34 8508 3529 59F1 87CA 156E B076

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Aug 28, 2022 at 02:07:08AM +0200, Holger Wansing wrote:

I cannot remember having seen any such message ("Do you want system-wide readable home directories?") during test installations BTW.

Test installation in expert mode?

Greetings
Marc

-- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Am 28. August 2022 09:12:40 MESZ schrieb Marc Haber <mh+debian-boot@zugschlus.de>:

On Sun, Aug 28, 2022 at 02:07:08AM +0200, Holger Wansing wrote:

I cannot remember having seen any such message ("Do you want system-wide
readable home directories?") during test installations BTW.

Test installation in expert mode?

I'm aware of expert mode, but even there I don't remember any
such message.

Holger



--
Sent from /e/ OS on Fairphone3

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Holger Wansing <hwansing@mailbox.org> wrote (Sun, 28 Aug 2022 11:21:38 +0200):

Hi,

Am 28. August 2022 09:12:40 MESZ schrieb Marc Haber <mh+debian-boot@zugschlus.de>:

On Sun, Aug 28, 2022 at 02:07:08AM +0200, Holger Wansing wrote:

I cannot remember having seen any such message ("Do you want system-wide >> readable home directories?") during test installations BTW.

Test installation in expert mode?

I'm aware of expert mode, but even there I don't remember any
such message.

There's a comment, that adduser is called in noninteractive mode
(user-setup package).

That explains, I guess.

Holger



--
Holger Wansing <hwansing@mailbox.org>
PGP-Fingerprint: 496A C6E8 1442 4B34 8508 3529 59F1 87CA 156E B076

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Aug 28, 2022 at 11:36:58AM +0200, Holger Wansing wrote:

There's a comment, that adduser is called in noninteractive mode
(user-setup package).

That explains, I guess.

Probably. And it can go away for bookworm.

Greetings
Marc

-- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)