From 5aaec6a5be50c77eb7feb5217f2d26b2fafd3a01 Mon Sep 17 00:00:00 2001 From: David Runge Date: Mon, 31 Oct 2022 10:10:22 +0100 Subject: [PATCH 3/3] Add Arch Linux defaults for login.defs etc/login.defs: - Change `ENV_SUPATH` and `ENV_SUPATH` to only use /usr/local/sbin:/usr/local/bin:/usr/bin as Arch Linux is a /usr and bin merge distribution. - Set `HOME_MODE` to `0700` to be able to rely on a `UMASK` of `022` while creating home directories in a privacy conserving manner. - Change SYS_UID_MIN and SYS_GID_MIN to 500 which gives more space for distribution added UIDs and GIDs of system users. - Change ENCRYPT_METHOD to YESCRYPT as it is a safer hashing algorithm than DES. --- etc/login.defs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/login.defs b/etc/login.defs index 797ca6b3..c4accbf8 100644 --- a/etc/login.defs +++ b/etc/login.defs @@ -55,8 +55,8 @@ HUSHLOGIN_FILE .hushlogin # *REQUIRED* The default PATH settings, for superuser and normal users. # # (they are minimal, add the rest in the shell startup files) -ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin -ENV_PATH PATH=/bin:/usr/bin +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin +ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/bin # # Terminal permissions @@ -84,7 +84,7 @@ UMASK 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. -#HOME_MODE 0700 +HOME_MODE 0700 # # Password aging controls: @@ -103,7 +103,7 @@ PASS_WARN_AGE 7 UID_MIN 1000 UID_MAX 60000 # System accounts -SYS_UID_MIN 101 +SYS_UID_MIN 500 SYS_UID_MAX 999 # Extra per user uids SUB_UID_MIN 100000 @@ -116,7 +116,7 @@ SUB_UID_COUNT 65536 GID_MIN 1000 GID_MAX 60000 # System accounts -SYS_GID_MIN 101 +SYS_GID_MIN 500 SYS_GID_MAX 999 # Extra per user group ids SUB_GID_MIN 100000 @@ -152,7 +152,7 @@ CHFN_RESTRICT rwh # Note: If you use PAM, it is recommended to use a value consistent with # the PAM modules configuration. # -#ENCRYPT_METHOD DES +ENCRYPT_METHOD YESCRYPT # # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -- 2.44.0