Arch Linux


FS#66068 - [pambase] Use pam_umask.so?

Attached to Project: Arch Linux
Opened by Marcos Mello (marcosfrm) - Wednesday, 01 April 2020, 19:56 GMT
Last edited by David Runge (dvzrv) - Wednesday, 18 November 2020, 09:45 GMT
Task Type Feature Request
Category Packages: Core
Status Assigned
Assigned To David Runge (dvzrv)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

Would this approach benefit Arch?

https://bugzilla.redhat.com/show_bug.cgi?id=1807957

If I get things correctly:

- Add "session optional pam_umask.so" to PAM stack (system-login)
- Synchronize /etc/login.defs with upstream shadow: set UMASK to 022 and new option (since 4.8.1) HOME_MODE to 0700.
- Drop umask call from /etc/profile (filesystem package)

This way umask configuration is centralized in /etc/login.defs.

Comment by Marcos Mello (marcosfrm) - Thursday, 02 April 2020, 11:41 GMT
Did a quick test and it works fine here: /etc/login.defs' UMASK is now respected.

The key feature to make it work is the new /etc/login.defs' HOME_MODE option.
Comment by Marcos Mello (marcosfrm) - Sunday, 05 April 2020, 09:57 GMT
Comment by marc boocha (marcthe12) - Sunday, 06 June 2021, 03:15 GMT
Systemd has fixed this. I have tested this myself on my PC for some time and it works.
Comment by loqs (loqs) - Sunday, 06 June 2021, 05:18 GMT
There is some overlap with FS#69933; perhaps the changes should be reviewed together by the same developers?

Currently umask is set to 077 in /etc/login.defs; that will be replaced by 022 for anything that has sourced /etc/profile.
Does anything apart from useradd and newusers use the 077 umask?
Why is HOME_MODE commented in upstream's /etc/login.defs?
Comment by marc boocha (marcthe12) - Sunday, 06 June 2021, 05:38 GMT
HOME_MODE defaults to UMASK if unset, so unless we want it different there it can be commented.
Comment by loqs (loqs) - Sunday, 06 June 2021, 06:00 GMT
@marcthe12 what values are you testing with for HOME_MODE and UMASK?
I thought the proposal was:
UMASK 022 which is what upstream uses
HOME_MODE 0700 which is what upstream uses although it has it commented out.
If UMASK is 022 and HOME_MODE is not set so 022 is used, would that create home directories with 0755 permissions?

Edit:
Logins that do not use PAM, such as telnet from inetutils, would no longer have umask set?

How do the pri (priority) and ulimit (fsize), which may be set by pam_umask from a user's GECOS field, interact with the values set by pam_limits?
Edit2:
Attached diffs of what I understand the proposed changes to be. There is a separate version of the patch for shadow in FS#69933 that applies on top of those changes.
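
The HOME_MODE/UMASK combinations raised in the comments above, worked through as an added example that is not part of the original thread or of shadow's code: it models the rule documented in login.defs(5) (HOME_MODE when set, otherwise 0777 masked by UMASK) and checks a PAM file for an active pam_umask.so session line. The function names, the constructed sample file contents, and the 022 fallback used when UMASK is absent are assumptions.

```python
"""Model how a new home directory's mode follows from /etc/login.defs."""

def parse_login_defs(text):
    """Return {KEY: value} for active (uncommented) login.defs lines."""
    settings = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            settings[fields[0]] = fields[1].strip()
    return settings

def home_dir_mode(settings, default_umask=0o022):
    """HOME_MODE wins when set; otherwise the mode is 0777 masked by UMASK.

    default_umask is an assumption for the case where UMASK is absent too.
    """
    if "HOME_MODE" in settings:
        return int(settings["HOME_MODE"], 8)
    umask = int(settings["UMASK"], 8) if "UMASK" in settings else default_umask
    return 0o777 & ~umask

def stack_applies_pam_umask(pam_text):
    """True if an active 'session' line in a PAM file loads pam_umask.so."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "session":
            if any(f.rsplit("/", 1)[-1] == "pam_umask.so" for f in fields[2:]):
                return True
    return False

# Constructed sample inputs for the three cases raised in the thread.
CURRENT = "UMASK\t\t077\n#HOME_MODE\t0700\n"
PROPOSED = "UMASK\t\t022\nHOME_MODE\t0700\n"
UPSTREAM_COMMENTED = "UMASK\t\t022\n#HOME_MODE\t0700\n"
PAM_SYSTEM_LOGIN = "session  required  pam_limits.so\nsession  optional  pam_umask.so\n"

if __name__ == "__main__":
    for name, text in [("current", CURRENT), ("proposed", PROPOSED),
                       ("upstream, HOME_MODE commented", UPSTREAM_COMMENTED)]:
        print(f"{name}: home mode {home_dir_mode(parse_login_defs(text)):04o}")
    print("pam_umask in stack:", stack_applies_pam_umask(PAM_SYSTEM_LOGIN))
```

To audit a real system, pass the contents of /etc/login.defs and the relevant file under /etc/pam.d/ to the same functions instead of the constructed strings.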
Comment by Antonio Rojas (arojas) - Tuesday, 28 December 2021, 11:47 GMT
