Arch Linux

FS#66068 - [pambase] Use

Attached to Project: Arch Linux
Opened by Marcos Mello (marcosfrm) - Wednesday, 01 April 2020, 19:56 GMT
Last edited by David Runge (dvzrv) - Wednesday, 18 November 2020, 09:45 GMT
Task Type: Feature Request
Category: Packages: Core
Status: Assigned
Assigned To: David Runge (dvzrv), Levente Polyak (anthraxx)
Architecture: All
Severity: Low
Priority: Normal
Reported Version
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No


Would this approach benefit Arch?

If I get things correctly:

- Add "session optional" to PAM stack (system-login)
- Synchronize /etc/login.defs with upstream shadow: set UMASK to 022 and new option (since 4.8.1) HOME_MODE to 0700.
- Drop umask call from /etc/profile (filesystem package)

This way umask configuration is centralized in /etc/login.defs.

Comment by Marcos Mello (marcosfrm) - Thursday, 02 April 2020, 11:41 GMT
Did a quick test and it works fine here: /etc/login.defs' UMASK is now respected.

The key feature to make it work is the new /etc/login.defs' HOME_MODE option.
Comment by Marcos Mello (marcosfrm) - Sunday, 05 April 2020, 09:57 GMT
Comment by marc boocha (marcthe12) - Sunday, 06 June 2021, 03:15 GMT
Systemd has fixed this. I have tested this myself on my PC for some time and it works.
Comment by loqs (loqs) - Sunday, 06 June 2021, 05:18 GMT
There is some overlap with FS#69933; perhaps the changes should be reviewed together by the same developers?

Currently umask is set to 077 in /etc/login.defs; that will be replaced by 022 for anything that has sourced /etc/profile.
Does anything apart from useradd and newusers use the 077 umask?
Why is HOME_MODE commented in upstream's /etc/login.defs?
Comment by marc boocha (marcthe12) - Sunday, 06 June 2021, 05:38 GMT
HOME_MODE defaults to UMASK if unset, so unless we want it different there it can be commented.
Comment by loqs (loqs) - Sunday, 06 June 2021, 06:00 GMT
@marcthe12 what values are you testing with for HOME_MODE and UMASK?
I thought the proposal was:
UMASK 022 which is what upstream uses
HOME_MODE 0700 which is what upstream uses although it has it commented out.
If UMASK is 022 and HOME_MODE is not set, so 022 is used, would that create home directories with 0755 permissions?

Logins that do not use PAM, such as telnet from inetutils, would no longer have umask set?

How do the pri (priority) and ulimit (fsize), which may be set by pam_umask from a user's GECOS field, interact with the values set by pam_limits?
Attached diffs of what I understand the proposed changes to be. There is a separate version of the patch for shadow in FS#69933 that applies on top of those changes.
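
The UMASK/HOME_MODE combinations discussed in the comments above, worked through as an added example that is not part of the thread or of any package: a small sh script that reads login.defs-style files and reports the mode a newly created home directory would get. It assumes shadow uses HOME_MODE as the mode when it is set and otherwise 0777 & ~UMASK (with 022 as the fallback when UMASK is absent); the function names and the three sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): derive the mode a new home directory
# would get from login.defs-style settings.
# Assumption: HOME_MODE, when set, is used as-is; otherwise 0777 & ~UMASK,
# falling back to UMASK 022 when the key is absent.

# login_defs_get FILE KEY: print the value of an uncommented KEY.
# If a key is repeated, this sketch takes the last occurrence.
login_defs_get() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# effective_home_mode FILE: print the resulting mode in octal, e.g. 755.
effective_home_mode() {
    umask_val=$(login_defs_get "$1" UMASK)
    home_mode=$(login_defs_get "$1" HOME_MODE)
    if [ -n "$home_mode" ]; then
        mode=$(( $home_mode ))                   # leading 0 means octal
    else
        mode=$(( 0777 & ~${umask_val:-022} ))
    fi
    printf '%o\n' "$mode"
}

# home_exposure FILE: classify who besides the owner gets any access.
home_exposure() {
    bits=$(( 0$(effective_home_mode "$1") ))
    if [ $(( bits & 0007 )) -ne 0 ]; then echo world-accessible
    elif [ $(( bits & 0070 )) -ne 0 ]; then echo group-accessible
    else echo owner-only
    fi
}

# Constructed sample files for the three combinations raised in the comments.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
printf 'UMASK\t\t077\n' > "$SAMPLES/umask077"
printf 'UMASK\t\t022\n#HOME_MODE\t0700\n' > "$SAMPLES/umask022_commented"
printf 'UMASK\t\t022\nHOME_MODE\t0700\n' > "$SAMPLES/umask022_homemode"

for f in umask077 umask022_commented umask022_homemode; do
    printf '%-20s %4s  %s\n' "$f" "$(effective_home_mode "$SAMPLES/$f")" \
        "$(home_exposure "$SAMPLES/$f")"
done
```

Pointing `effective_home_mode` at a real /etc/login.defs before and after a packaging change shows whether new home directories stay owner-only.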
Comment by Antonio Rojas (arojas) - Tuesday, 28 December 2021, 11:47 GMT