Indeed.
lynis complaining isn’t too bad.
- complains about many things that probably don’t apply to us
- we could report a bug
- we could drop a config snippet if possible
Disadvantages of umask 077 would be that:
- it has no security advantage
- it breaks the standard / Debian default
- it could have unforeseeable bugs
- it would affect users who are accustomed to things like
addgroup someusername someusergroupsameasUPG
for whatever they might be doing. Perhaps two different (server) applications that need to access each other’s home folder.
Therefore keeping the Debian default seems to take priority over the output of lynis.
From reading the bug reports, it looks like the following has to be done to implement this.
/etc/login.defs: change
UMASK 022
to
UMASK 006

/etc/pam.d/common-account and/or(?) /etc/pam.d/common-session-noninteractive: add
session optional pam_umask.so usergroups
There are no drop-in config folders unfortunately?
Could you test this please? If it works, submit a pull request of these files against the security-misc package? First, please submit the original file as per Debian buster unmodified. In another commit, amend the file.
Bonus: config-package-dev displace; debian/copyright / COPYING, but I can apply that on top too.
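As an added worked example (not code from this thread or from the security-misc package), the script below models the two settings discussed above so the resulting modes can be checked before editing a real system: the UMASK value read from a login.defs-style file, and the "usergroups" option of pam_umask.so, which per pam_umask(8) copies the owner bits of the umask into the group bits for a non-root user whose primary group has the same name as the user (022 -> 002, 077 -> 007). The sample login.defs and pam.d fragments, the user names and the temp directory are all constructed here and are assumptions, not files from any Debian system.

```shell
#!/bin/sh
# Added example: models UMASK from login.defs plus pam_umask.so "usergroups".
# Sample config files below are constructed for this demo, not real system files.
set -u

# pam_umask(8) "usergroups": if the user is not root and the username equals
# the primary group name (a user private group, UPG), the group bits of the
# umask are set equal to the owner bits. Otherwise the base umask is kept.
upg_umask() {
    base=$1; user=$2; group=$3
    if [ "$user" != root ] && [ "$user" = "$group" ]; then
        owner=$(( 0$base >> 6 & 7 ))
        other=$(( 0$base & 7 ))
        printf '%o%o%o\n' "$owner" "$owner" "$other"
    else
        printf '%03o\n' "$(( 0$base ))"
    fi
}

# Mode a newly created regular file (0666) or directory (0777) gets under a umask.
file_mode() { printf '%03o\n' "$(( 0666 & ~0$1 ))"; }
dir_mode()  { printf '%03o\n' "$(( 0777 & ~0$1 ))"; }

# Effective UMASK in a login.defs-style file: last uncommented UMASK line wins.
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { print v }' "$1"
}

# True if a pam.d file has a session line loading pam_umask.so with usergroups.
pam_usergroups_enabled() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_umask\.so.*usergroups' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample of /etc/login.defs (Debian ships UMASK 022 by default).
cat > "$tmp/login.defs" <<'EOF'
# comment lines and other keys are ignored by login_defs_umask
USERGROUPS_ENAB yes
UMASK           022
EOF

# Constructed sample of a pam.d session stack with the line proposed above.
cat > "$tmp/common-session-noninteractive" <<'EOF'
session required  pam_unix.so
session optional  pam_umask.so usergroups
EOF

base=$(login_defs_umask "$tmp/login.defs")
echo "base UMASK from sample login.defs: $base"
if pam_usergroups_enabled "$tmp/common-session-noninteractive"; then
    echo "sample pam.d file enables pam_umask usergroups"
fi

# Compare candidate UMASK values for a UPG user and for a user in a shared group.
for u in 022 006 077; do
    eff=$(upg_umask "$u" alice alice)
    echo "UMASK $u, UPG user:    umask $eff, files $(file_mode "$eff"), dirs $(dir_mode "$eff")"
    eff=$(upg_umask "$u" alice users)
    echo "UMASK $u, shared group: umask $eff, files $(file_mode "$eff"), dirs $(dir_mode "$eff")"
done
```

Run it as a normal user; it never touches /etc. The interesting line is UMASK 006 with a UPG user: the usergroups rule leaves it at 006, so new files are group-writable (660) while others get nothing, which is what the addgroup-based sharing in the thread relies on.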