Private home directories for hirsute onwards

[Alex Murray]

Just to follow up on this thread - since there was no opposition to this
proposal, I have uploaded updated adduser and shadow packages to
hirsute-proposed to support setting the mode of home directories to 750
by default when they are created via either adduser or useradd.

Let me know if you encounter any significant issues :)

On Fri, 2020-11-27 at 16:40:48 +1030, Alex Murray wrote:

> On Fri, 2020-11-27 at 03:39:36 +1030, Dimitri John Ledkov wrote:
>
>> On Thu, Nov 26, 2020 at 2:31 AM Alex Murray <alex.murray at canonical.com> 
>> wrote:
>>>
>>> setfacl -m u:libvirt-qemu:rx $HOME
>>>
>>
>> Similar to above for qemu are there similar setfacl commands, would
>> something similar be also needed for:
>> - sshd user to access ~/.ssh/authorized_keys , or nothing needed
>> there?
>
> There is nothing needed here, ssh with public key auth works fine with
> 750 $HOME - sshd runs as root so this is fine
>
>> - in GNOME making ~/Public public?
>
> Also tested this and is fine - gnome-user-shame spawns apache2 running
> as the target user to share via webdav so this also works
>
>> - giving access to ~/public_html for the www-data user?
>
> This also needs the same ACL based approach:
>
> setfacl -m u:www-data:rx $HOME
>
>>
>> If yes, then what are the commands?
>>
>> I like this approach of selective and explicit setfacl commands to
>> grant ACLs on per-usecase basis. This is inline with modern ways of
>> managing permissions.
>>
>> -- 
>> Regards,
>>
>> Dimitri.