adduser (3.123) unstable; urgency=medium

  The default for DIR_MODE has been set to 0700 for this release. Detailed
  explanation follows.

  In adduser 3.122, we implemented code that allows setting the default
  for the mode bits of the home directory of a newly created system user
  independently of the mode bits of the home directory of a newly created
  non-system user (SYS_DIR_MODE vs DIR_MODE).

  This was in part done to finally solve #643559, which requested setting
  the sgid bit for the home directory of a non-system user by default, in
  order to ease setting access permissions of shared workspaces in multi-
  user systems. This default has oscillated back in forth in adduser
  multiple times since the 1990ies, because both ways to set this bit by
  default have advantages and disadvantages.  After a preliminary request
  for comment (see
  https://lists.debian.org/debian-devel/2022/03/msg00098.html), the
  default value for DIR_MODE was changed to 2700 in adduser 3.122
  (July 2022).  Sadly, though the technical reasoning for NOT setting
  the bit have largely not survived the last two decades, here remain some
  use cases impacted by the change which we were not fully aware of.

  Promptly, #1014901 was filed, requesting that DIR_MODE be changed to
  0700, effectively causing home directories of non-system users to be
  created without the sgid bit. The biggest point in the reasoning is that
  having the sgid bit set will need special measures to keep the home
  directory's group ownership from propagating to file system images,
  chroots, and archives, causing wrong file ownership/permissions in
  those entities, which in turn might propagate to different systems
  and cause security-related effects there.  The bug report gives
  instructions to reproduce the behavior.

  System administrators who run multi-user environments which require
  shared workspaces have tools at their disposal to change the default
  behavior as their individual needs require, and likely are aware of
  how to work around any issues that arise as part of that configuration;
  it is also very possible that such systems may be managed using
  configuration management software.  In an age of general purpose use
  on one end, and single purpose containers on the other, this is
  unlikely to be the majority of newly installed systems.

  So what remains is the decision to provide a sane default for a system
  that is installed by an end-user, who may not understand or be aware of
  this setting at all, but who still might use Internet HOW-TOs to
  build chroots, images or archives, inadvertently causing security
  issues on third-party systems. The clear and unsurprising solution
  is to leave the sgid bit for newly created users off by default.
  This is also important to keep the support effort for other packages
  down. Users surprised by the behavior might file bugs against other
  packages, increasing the effort necessary to support those other packages.

  In this version of the package, DIR_MODE will be changed to 0700,
  flipping the default for the sgid bit once again to the value we have
  had for the majority of Debian's existence period. With this change,
  Debian is re-joining ranks again with ALL other major Linux
  distributions, none of which setting the sgid bit on home directories
  to 1 (research done in July 2022).

  This primarily affects the one user that can be created in the Installer
  before there is any possibility to configure adduser. Those users will
  now again have the sgid bit of the home directory set to 0. Again,
  system administrators have the tools and documentation to configure
  their systems as their individual requirements dictate (using
  the DIR_MODE setting in adduser.conf, and/or fixing those initial
  directories).

  As mode 0700 provides both the most secure, unsurprising default, and
  is in line with most other major distributions, the adduser team
  considers the matter to be settled; any further discussion should come
  prepared with rationale, support, convincing use cases and a significant
  public discussion period.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Wed, 20 Jul 2022 10:51:21 +0200

adduser (3.122) unstable; urgency=low

  This version implements SYS_DIR_MODE for home directories belonging 
  to system users.  Default directory modes are now 2700 for
  regular users, and 0755 for system users.

  Note that this is a change from historical defaults, which
  were more permissive for normal user home directories.
  Adjustments may need to be made for setups like public_html
  web content, or in-homedir mail configurations.

  --add_extra_groups is now --add-extra-groups. The old spelling
  is still possible and will remain supported during Debian bookworm,
  allowing package maintainers and local users to slowly migrate during
  the bookworm cycle.

  --force-badname is now --allow-badname. The old spelling is still
  possible and will remain supported during Debian bookworm, allowing
  package maintainers and local users to slowly migrate during the
  bookworm cycle.

  System user home defaults to /nonexistent if --home is not specified.
  Packages that call adduser to create system accounts should explicitly
  specify a location for /home (see Lintian check 
  maintainer-script-lacks-home-in-adduser).

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Wed, 13 Jul 2022 20:30:00 +0200
