FS#15934 - [pam] inconsistent umask configuration
Attached to Project:
Arch Linux
Opened by Dr. Markus Waldeck (waldeck) - Friday, 14 August 2009, 15:32 GMT
Last edited by Tobias Powalowski (tpowa) - Wednesday, 09 September 2009, 06:34 GMT
Details
Description:
I tried to configure pam_umask and it did not work. The problem is caused by the following default configurations:
/etc/login.defs
UMASK 077
and
/etc/login.defs
umask 022
If both lines are commented the default value 0022 is used and it is possible to use pam_umask.
Additional info:
filesystem 2009.07-1 (/etc/profile)
shadow 4.1.4.2-1 (/etc/login.defs)
Steps to reproduce:
Comment the mentioned lines and configure pam_umask as described in the man page:
Add the following line to /etc/pam.d/login to set the user specific umask at login:
session optional pam_umask.so umask=0027
Closed by Tobias Powalowski (tpowa)
Wednesday, 09 September 2009, 06:34 GMT
Reason for closing: Not a bug
The /etc/profile setting should not affect pam.
The one in login.defs should be the default, and is there for default home directory permissions and non-shell based things. 022 is later set in the shell by /etc/profile as it's a little more friendly to multi-user machines.
I am not really sure what the issue here is. If you're changing your system configuration, it's expected to change config files.... this would be part of that. If there is a bug in pam, please report it upstream.
"Does not work" is a terrible bug description. Can you please attempt to explain in more detail?
Correct! (Sorry, cut and waste)
> The /etc/profile setting should not affect pam.
But it does!
The setting in the /etc/profile overwrites the setting which is done by pam_umask because of the fact that the shell is executed after PAM.
Test Case 1:
I added the following line at the end of /etc/pam.d/login and /etc/pam.d/su
session optional pam_umask.so
and modified /etc/passwd (umask=0077) in the GECOS field
USER:x:UID:GID:umask=0077:HOME:SHELL
If I log in with the default configuration in /etc/profile (umask 022):
$ umask
0022
Test Case 2:
Modify /etc/pam.d/login and /etc/passwd as mentioned above, comment the relevant line in /etc/profile and log in:
$ umask
0077
> I am not really sure what the issue here is.
I see. If you log in or invoke a login shell (su -, the minus is essential) you will first read /etc/login.defs and then /etc/profile.
This will result every time in umask 022 which is the default value if you omit the configuration in /etc/login.defs and /etc/profile at all!
# strace -f su - waldeck
124:6349 open("/lib/security/pam_umask.so", O_RDONLY) = 4
...
201:6349 open("/etc/login.defs", O_RDONLY|O_LARGEFILE) = 3
...
416:6350 open("/etc/profile", O_RDONLY|O_LARGEFILE) = 3
The first number in a row is the line number from grep -n.
I got corresponding results from the tracing of login.
Fortunately the UMASK setting in /etc/login.defs does not change an already existing umask setting from pam_umask
BUT the umask invocation in /etc/profile definitely modifies the umask value.
The /etc/profile value DOES NOT affect pam. However, it does come into play with new shells. If you're configuring your system to set umasks via pam, you'll want to remove the umask value from /etc/profile, or something similar. There is no sane way to do something like this globally. Config files are there to be modified if needed. They are solely sane defaults
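Added example, not part of the original report or any commenter's code: a POSIX shell audit of the four places this thread names as umask sources (pam_umask in /etc/pam.d/login, the GECOS field, /etc/login.defs and /etc/profile), flagging the case where /etc/profile resets what PAM applied. The function names, the fixture layout and the user "alice" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list every place the login umask is set and flag the
# /etc/profile override discussed above. All sample inputs are constructed.

# First uncommented "UMASK <value>" in a login.defs-style file.
login_defs_umask() { awk '$1 == "UMASK" { print $2; exit }' "$1" 2>/dev/null; }

# First uncommented "umask <value>" command in a shell profile.
profile_umask() { awk '$1 == "umask" { print $2; exit }' "$1" 2>/dev/null; }

# pam_umask.so session line: prints its umask= option, or "no-option" when the
# module is enabled without one (pam_umask then consults GECOS and login.defs).
pam_umask_setting() {
    awk '$1 ~ /^-?session$/ && /pam_umask\.so/ {
        v = "no-option"
        for (i = 1; i <= NF; i++) if ($i ~ /^umask=/) v = substr($i, 7)
        print v; exit }' "$1" 2>/dev/null
}

# Users whose GECOS field (5th passwd column) carries a umask= entry.
gecos_umask_users() { awk -F: '$5 ~ /umask=/ { print $1 }' "$1" 2>/dev/null; }

# Audit one filesystem root; returns 1 when /etc/profile will override PAM.
audit_umask() {
    pam=$(pam_umask_setting "$1/etc/pam.d/login")
    prof=$(profile_umask "$1/etc/profile")
    echo "pam_umask in pam.d/login: ${pam:-absent}"
    echo "GECOS umask users:        $(gecos_umask_users "$1/etc/passwd" | tr '\n' ' ')"
    echo "login.defs UMASK:         $(login_defs_umask "$1/etc/login.defs")"
    echo "/etc/profile umask:       ${prof:-absent}"
    if [ -n "$pam" ] && [ -n "$prof" ]; then
        echo "CONFLICT: login shells end up with $prof from /etc/profile"
        return 1
    fi
    return 0
}

# Constructed fixture mirroring Test Case 1 (user name "alice" is made up).
make_fixture() {
    mkdir -p "$1/etc/pam.d"
    printf 'session optional pam_umask.so\n' > "$1/etc/pam.d/login"
    printf 'alice:x:1000:1000:umask=0077:/home/alice:/bin/sh\n' > "$1/etc/passwd"
    printf '# comment\nUMASK 077\n' > "$1/etc/login.defs"
    printf 'umask 022\n' > "$1/etc/profile"
}

demo_root=$(mktemp -d) && make_fixture "$demo_root"
audit_umask "$demo_root" || true
rm -rf "$demo_root"
```

To audit a live system instead of the fixture, call `audit_umask ""` so the paths resolve to /etc/pam.d/login, /etc/passwd, /etc/login.defs and /etc/profile.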