diff --git a/etc/login.defs b/etc/login.defs
index cd2597dc..a2f8cd50 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -195,12 +195,17 @@ KILLCHAR 025
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
-# home directories.
+# home directories if HOME_MODE is not set.
 # 022 is the default value, but 027, or even 077, could be considered
 # for increased privacy. There is no One True Answer here: each sysadmin
 # must make up their mind.
 UMASK 022
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+#HOME_MODE 0700
+
 #
 # Password aging controls:
 #
diff --git a/lib/getdef.c b/lib/getdef.c
index bbb273f4..00f6abfe 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
 {"FAKE_SHELL", NULL},
 {"GID_MAX", NULL},
 {"GID_MIN", NULL},
+ {"HOME_MODE", NULL},
 {"HUSHLOGIN_FILE", NULL},
 {"KILLCHAR", NULL},
 {"LASTLOG_UID_MAX", NULL},
diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
index ebf60ba3..9e95da20 100644
--- a/man/login.defs.5.xml
+++ b/man/login.defs.5.xml
@@ -50,6 +50,7 @@
+
@@ -185,6 +186,7 @@
 &FAKE_SHELL;
 &FTMP_FILE;
 &GID_MAX;
+ &HOME_MODE;
 &HUSHLOGIN_FILE;
 &ISSUE_FILE;
 &KILLCHAR;
@@ -401,6 +403,7 @@ ENCRYPT_METHOD GID_MAX GID_MIN MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB + HOME_MODE PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE SHA_CRYPT_MAX_ROUNDS SHA_CRYPT_MIN_ROUNDS
@@ -481,6 +484,7 @@ CREATE_HOME GID_MAX GID_MIN + HOME_MODE LASTLOG_UID_MAX MAIL_DIR MAX_MEMBERS_PER_GROUP PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
diff --git a/man/login.defs.d/UMASK.xml b/man/login.defs.d/UMASK.xml
index d7b71a5e..0f061dbb 100644
--- a/man/login.defs.d/UMASK.xml
+++ b/man/login.defs.d/UMASK.xml
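Review bot: The new HOME_MODE comment never says how the value is parsed, and the example `#HOME_MODE 0700` is only right because of its leading zero: login.defs numbers go through getdef_num, which as far as I can tell (its parser is not in this diff) accepts C-style literals, so `HOME_MODE 700` would be read as decimal 700 and give the home directory an unintended mode. I would extend the comment with `# The value is an octal mode and must keep the leading 0 (e.g. 0750); written without it, it is read as a decimal number.`. It would also help to state that the value replaces the UMASK-derived mode rather than being combined with it, since the sentence "the value of UMASK is used to create the mode" leaves that open.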
@@ -37,7 +37,8 @@ useradd and newusers use this - mask to set the mode of the home directory they create + mask to set the mode of the home directory they create if + is not set. It is also used by login to define users' initial
diff --git a/src/newusers.c b/src/newusers.c
index 99c69f78..e9fe0e27 100644
--- a/src/newusers.c
+++ b/src/newusers.c
@@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
 if ( ('\0' != fields[5][0])
 && (access (newpw.pw_dir, F_OK) != 0)) {
 /* FIXME: should check for directory */
- mode_t msk = 0777 & ~getdef_num ("UMASK",
- GETDEF_DEFAULT_UMASK);
- if (mkdir (newpw.pw_dir, msk) != 0) {
+ mode_t mode = getdef_num ("HOME_MODE",
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ if (mkdir (newpw.pw_dir, mode) != 0) {
 fprintf (stderr,
 _("%s: line %d: mkdir %s failed: %s\n"),
 Prog, line, newpw.pw_dir,
diff --git a/src/useradd.c b/src/useradd.c
index 4af0f7c6..8b453e3c 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2152,8 +2152,9 @@ static void create_home (void)
 }
 (void) chown (prefix_user_home, user_id, user_gid);
- chmod (prefix_user_home,
- 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ mode_t mode = getdef_num ("HOME_MODE",
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ chmod (prefix_user_home, mode);
 home_added = true;
 #ifdef WITH_AUDIT
 audit_logger (AUDIT_ADD_USER, Prog,
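Review bot: The new `mkdir (newpw.pw_dir, mode)` still has the process umask applied to `mode` (mkdir masks the requested bits with the caller's umask), so a HOME_MODE of 0770 becomes 0750 under a 022 umask, while the useradd.c hunk in this same commit chmods the directory to HOME_MODE exactly; the two tools now disagree on what the setting means. Following the mkdir with `chmod (newpw.pw_dir, mode)` (checked like the mkdir) would make newusers honour the configured mode the same way useradd does. Separately, in both this hunk and the useradd.c hunk the value from getdef_num is used unvalidated: a value outside 0..07777, or a negative one, is silently converted into mode_t, and a stray high bit sets setuid/setgid/sticky on the new home directory, so a check such as `if ((mode & ~07777) != 0) { /* report invalid HOME_MODE and fall back to the UMASK-derived mode */ }` belongs before the value is used. main() continues outside the hunk.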
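Review bot: The rewritten `chmod (prefix_user_home, mode);` still discards chmod's return value, unlike the `(void) chown` just above it, so when the chmod fails the home directory keeps whatever mode it was created with and useradd still reports success and sets home_added. Since the whole point of HOME_MODE is that the directory ends up with the configured mode, I would check it: `if (chmod (prefix_user_home, mode) != 0) { /* report the error and fail the way the mkdir failure above does */ }`; if ignoring it is deliberate, the `(void)` cast used for chown should be applied here too so the intent is visible. create_home() starts and ends outside the hunk.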