ikiwiki-hosting assumes that the website uids' home directories will be created with at least a+x permissions. This was the default in Debian 12, but changes in shadow and/or util-linux in Debian unstable (I'm not sure which of these closely related packages is actually responsible) have resulted in the default becoming 0700, which doesn't allow www-data and ikiwiki-anon to read the web content and source git repo respectively.

I think probably the way to solve this is to chmod the home directory to the permissions that ikiwiki-hosting expects; 0711 would probably be enough, but it doesn't seem like there's any real security benefit in denying the ability to list directory contents, because the contents of an ikiwiki-hosting website home directory are highly predictable anyway, and 0755 makes debugging easier. Patch below. --smcv


From: Simon McVittie <smcv@debian.org>
Date: Sat, 17 Aug 2024 21:19:09 +0100
Subject: ikisite: Explicitly set 0755 permissions on website user's $HOME

useradd in Debian 12 defaulted to this, but useradd in Debian 13
will create home directories with more restricted permissions by
default.

Signed-off-by: Simon McVittie <smcv@debian.org>
---
 ikisite | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ikisite b/ikisite
index 88a3def..a7276b5 100755
--- a/ikisite
+++ b/ikisite
@@ -1424,6 +1424,8 @@ sub usercreate {

    # create skeleton
    my $home=homedir($hostname);
+   # useradd in Debian 13 defaults to 0700 permissions on new $HOME
+   chmod(0755, $home);
    mkdir("$home/.ssh") || error "mkdir $home/.ssh: $!";
    mkdir("$home/tmp") || error "mkdir $home/tmp: $!";
    foreach my $file (".ssh", "tmp") {
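
Review bot: the added `chmod(0755, $home);` in usercreate does not check its return value, while the mkdir calls immediately after it all use `|| error "...: $!"`. If the chmod fails, site creation carries on with a 0700 home directory and the failure only shows up later, when www-data and ikiwiki-anon cannot read the content. Suggest `chmod(0755, $home) || error "chmod $home: $!";` to match the surrounding lines. The new comment could also say why 0755 is wanted (other uids need to reach files under $HOME), since as written it only records what useradd does.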