FS#15934 - [pam] inconsistent umask configuration

Attached to Project: Arch Linux
Opened by Dr. Markus Waldeck (waldeck) - Friday, 14 August 2009, 15:32 GMT
Last edited by Tobias Powalowski (tpowa) - Wednesday, 09 September 2009, 06:34 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Tobias Powalowski (tpowa), Aaron Griffin (phrakture)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

I tried to configure pam_umask and it did not work.
The problem is caused by the following default configurations:

/etc/login.defs
UMASK 077

and

/etc/login.defs
umask 022

If both lines are commented the default value 0022 is used
and it is possible to use pam_umask.

Additional info:
filesystem 2009.07-1 (/etc/profile)
shadow 4.1.4.2-1 (/etc/login.defs)

Steps to reproduce:
Comment the mentioned lines and configure pam_umask as described in the man page:

Add the following line to /etc/pam.d/login to set the user specific umask at login:

session optional pam_umask.so umask=0027

Closed by Tobias Powalowski (tpowa)
Wednesday, 09 September 2009, 06:34 GMT
Reason for closing: Not a bug
Comment by Aaron Griffin (phrakture) - Monday, 17 August 2009, 20:36 GMT
My login.defs is untouched and only contains the UMASK 077 line. Perhaps you mean /etc/profile for the second one?

The /etc/profile setting should not affect pam.

The one in login.defs should be the default, and is there for default home directory permissions and non-shell based things. 022 is later set in the shell by /etc/profile as it's a little more friendly to multi-user machines.

I am not really sure what the issue here is. If you're changing your system configuration, it's expected to change config files.... this would be part of that. If there is a bug in pam, please report it upstream.

"Does not work" is a terrible bug description. Can you please attempt to explain in more detail?
Comment by Dr. Markus Waldeck (waldeck) - Tuesday, 18 August 2009, 08:15 GMT
> Perhaps you mean /etc/profile for the second one?

Correct! (Sorry, cut and waste)

> The /etc/profile setting should not affect pam.

But it does!

The setting in the /etc/profile overwrites the setting which is done by pam_umask because of the fact that the shell is executed after PAM.

Test Case 1:
I added the following line at the end of /etc/pam.d/login and /etc/pam.d/su:
session optional pam_umask.so

and modified /etc/passwd (umask=0077) in the GECOS field
USER:x:UID:GID:umask=0077:HOME:SHELL

If I log in with the default configuration in /etc/profile (umask 022):
$ umask
0022

Test Case 2:
Modify /etc/pam.d/login and /etc/passwd as mentioned above, comment the relevant line in /etc/profile and log in:
$ umask
0077

> I am not really sure what the issue here is.

I see. If you log in or invoke a login shell (su -, the minus is essential) you will first read /etc/login.defs and then /etc/profile.
This will result every time in umask 022 which is the default value if you omit the configuration in /etc/login.defs and /etc/profile at all!

# strace -f su - waldeck
124:6349 open("/lib/security/pam_umask.so", O_RDONLY) = 4
...
201:6349 open("/etc/login.defs", O_RDONLY|O_LARGEFILE) = 3
...
416:6350 open("/etc/profile", O_RDONLY|O_LARGEFILE) = 3

The first number in a row is the line number from grep -n.
I got corresponding results from the tracing of login.

Fortunately the UMASK setting in /etc/login.defs does not change an already existing umask setting from pam_umask
BUT the umask invocation in /etc/profile definitely modifies the umask value.
Comment by Dr. Markus Waldeck (waldeck) - Tuesday, 18 August 2009, 08:28 GMT
I don't know why the comment was added a second time :-(.
Comment by Aaron Griffin (phrakture) - Tuesday, 18 August 2009, 17:35 GMT
No no, you're missing what I'm saying.

The /etc/profile value DOES NOT affect pam. However, it does come into play with new shells. If you're configuring your system to set umasks via pam, you'll want to remove the umask value from /etc/profile, or something similar. There is no sane way to do something like this globally. Config files are there to be modified if needed. They are solely sane defaults.
Comment by Tobias Powalowski (tpowa) - Sunday, 06 September 2009, 16:16 GMT
Aaron, so I can close this?
Comment by Aaron Griffin (phrakture) - Tuesday, 08 September 2009, 22:43 GMT
Aye, close as Not A Bug. Global shell configuration should be left to the system administrator, and does not affect pam, only the shell launched at login.
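
Added example, not part of the tracker thread or any commenter's post: a shell check that lists every active umask setting the thread mentions (pam_umask lines, GECOS umask= entries, UMASK in /etc/login.defs, umask in /etc/profile) and flags the case where /etc/profile resets a value set by pam_umask. The function names and the root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: locate the umask settings discussed in this report.
# The ROOT argument is an assumption of this sketch: empty means the live
# system, or pass a directory holding a copy of /etc for offline review.

# Print one "source<TAB>location<TAB>value" line per active (uncommented) setting.
umask_sources() {
    root=${1:-}
    # pam_umask in any session stack, e.g. /etc/pam.d/login or /etc/pam.d/su
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        awk -v file="$rel" '
            $1 ~ /^-?session$/ && /pam_umask\.so/ {
                val = "(GECOS or default)"
                for (i = 3; i <= NF; i++) if ($i ~ /^umask=/) val = substr($i, 7)
                printf "pam\t%s\t%s\n", file, val
            }' "$f"
    done
    # Per-user umask=NNNN in the GECOS field (5th field) of /etc/passwd
    if [ -f "$root/etc/passwd" ]; then
        awk -F: 'match($5, /umask=[0-7]+/) {
            printf "gecos\t%s\t%s\n", $1, substr($5, RSTART + 6, RLENGTH - 6)
        }' "$root/etc/passwd"
    fi
    # UMASK keyword in /etc/login.defs
    if [ -f "$root/etc/login.defs" ]; then
        awk '$1 == "UMASK" { printf "login.defs\t/etc/login.defs\t%s\n", $2 }' \
            "$root/etc/login.defs"
    fi
    # umask builtin in /etc/profile: runs in the login shell, after PAM
    if [ -f "$root/etc/profile" ]; then
        awk '$1 == "umask" && $2 ~ /^[0-7]+$/ {
            printf "profile\t/etc/profile\t%s\n", $2
        }' "$root/etc/profile"
    fi
}

# Exit 0 when pam_umask is configured but /etc/profile will reset its value.
profile_overrides_pam() {
    out=$(umask_sources "${1:-}")
    printf '%s\n' "$out" | grep -q '^pam' && printf '%s\n' "$out" | grep -q '^profile'
}
```

Calling `umask_sources` with no argument inspects the running system; `profile_overrides_pam && echo conflict` gives a one-line answer for configuration audits.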
