Hello,

On Thursday, 5 August 2021, 09:18:45 CEST, Thorsten Kukuk wrote:
> After the discussion the last days about creating users and the defaults used for it, I looked at our defaults and where we deviate from upstream, other Linux distributions and other tools we use already today.
> In case someone wonders what the config options do, see man login.defs and/or the comments in /usr/etc/login.defs.
> We explicitly change: USERGROUPS_ENAB from "yes" to "no". All other tools we provide and other distros do create usergroups by default, so I suggest to change it back to "USERGROUPS_ENAB yes".
Makes sense.
> CREATE_HOME from "yes" to "no". I did never understand why we disabled this. All other tools we provide and other distros create the home directory by default. I would suggest to change that back to "yes".
Also makes sense.
> FORCE_SHADOW from "yes" to "no". I also don't understand this change. We should revert that change, so we don't need the hacks in other places to split passwd later during installation. If we enforce the shadow usage later, why not from the beginning?
Agreed. Sidenote: This option is not documented in man login.defs - worth a bug report?
> HOME_MODE not set. We should set "HOME_MODE 0700" as other distros do.
I'm not sure about that because
- it breaks ACLs (which will become "effective ---" AFAIK)
- it breaks ~/public_html

Since you also propose to create a group for each user, we could use 0710 or 0750. This would technically not add any permissions (unless you add another user to your $USERNAME group), but it would give us working ACLs. Working ACLs would allow adding exceptions that could help with ~/public_html. (Not sure if we should create an ACL for wwwrun to be able to reach ~/public_html by default, but that's a discussion for bonus points anyway ;-)

I also wonder if we should make UMASK more restrictive - maybe 0027 instead of the current 0022?

Regards,

Christian Boltz
--
But I had already explained that (including the comment from /etc/postfix/transport) in my last mail ... ;) Sandy is to blame ;-) Only with his explanation did I notice that I hadn't understood it. [> David Haller and Peter Mc Donough in opensuse-de]
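The interaction between HOME_MODE and ACLs that the mail argues about comes down to one rule of Linux POSIX ACLs: once a directory carries a named-user or named-group entry, the group bits of its classic mode act as the ACL mask, and every named entry's effective rights are its own rights AND-ed with that mask. A chmod to 0700 (which is what enforcing HOME_MODE 0700 amounts to) therefore clamps the mask to "---" and every exception, such as one for wwwrun on ~/public_html, becomes "effective ---". The following model is an added example written for this page, not code from the mailing list or from shadow/login.defs; the ACL entry for wwwrun and the requested file modes are constructed sample input, and the model assumes chmod semantics (setfacl without -n would widen the mask again, until something re-applies 0700).

```python
"""Model how a home-directory mode interacts with POSIX ACL entries and umask.

Stand-alone illustration (not part of the original mail). It reproduces two
facts a practitioner can check with chmod/getfacl on any ACL-enabled fs:
  * the group bits of a directory's mode are the ACL mask when named entries
    exist, so chmod 0700 makes every named entry effective "---";
  * a umask of 0027 instead of 0022 drops the "other" bits from new files.
"""
from typing import Dict

# Constructed sample: the ACL exception discussed in the thread would give the
# web server user read+search on the home directory so it can reach
# ~/public_html.  Values are rwx bit triplets (r=4, w=2, x=1).
SAMPLE_ACL_ENTRIES: Dict[str, int] = {"u:wwwrun": 0o5}

# Candidate HOME_MODE values from the discussion.
HOME_MODE_CANDIDATES = (0o700, 0o710, 0o750)


def rwx(bits: int) -> str:
    """Render a 3-bit permission triplet the way getfacl/ls print it."""
    return "".join(ch if bits & b else "-" for ch, b in (("r", 4), ("w", 2), ("x", 1)))


def acl_mask(mode: int) -> int:
    """With named ACL entries present, the mode's group bits are the ACL mask
    (this is what chmod writes; it is the 'mask::' line in getfacl output)."""
    return (mode >> 3) & 0o7


def effective_acl(mode: int, entries: Dict[str, int]) -> Dict[str, str]:
    """Effective rights of each named ACL entry on a directory with `mode`.

    Effective rights = entry rights AND mask, as the kernel applies them and
    as getfacl shows in its '#effective:' column.
    """
    mask = acl_mask(mode)
    return {who: rwx(perms & mask) for who, perms in entries.items()}


def new_file_mode(requested: int, umask: int) -> int:
    """Mode a file or directory ends up with: requested bits minus umask bits."""
    return requested & ~umask & 0o7777


def home_mode_report(entries: Dict[str, int] = SAMPLE_ACL_ENTRIES) -> Dict[int, Dict[str, str]]:
    """Effective ACL rights for every HOME_MODE candidate (used by the demo below)."""
    return {mode: effective_acl(mode, entries) for mode in HOME_MODE_CANDIDATES}


if __name__ == "__main__":
    for mode, eff in home_mode_report().items():
        print(f"HOME_MODE {mode:04o}: mask={rwx(acl_mask(mode))} ->", eff)
    for umask in (0o022, 0o027):
        f = new_file_mode(0o666, umask)   # a regular file created by an editor
        d = new_file_mode(0o777, umask)   # a directory created by mkdir
        print(f"UMASK {umask:04o}: file {f:04o}, directory {d:04o}")
```

Running it prints that 0700 yields an effective "---" for wwwrun, 0710 yields "--x" (enough to traverse into ~/public_html but not to list the home directory), and 0750 yields "r-x"; with USERGROUPS_ENAB yes the group on the home directory is the user's private group, so neither 0710 nor 0750 grants anyone else access until another user is added to that group.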