Debian Bug report logs - #581984
libpam-modules: pam_umask only uses UPG-appropriate umask if uid==gid


Package: libpam-modules; Maintainer for libpam-modules is Steve Langasek <vorlon@debian.org>; Source for libpam-modules is src:pam.

Reported by: Marvin Renich <mrvn@renich.org>

Date: Mon, 17 May 2010 14:03:01 UTC

Severity: normal

Found in version pam/1.1.1-3

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#581984; Package libpam-modules. (Mon, 17 May 2010 14:03:04 GMT)

Acknowledgement sent to Marvin Renich <mrvn@renich.org>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 17 May 2010 14:03:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Marvin Renich <mrvn@renich.org>
To: submit@bugs.debian.org
Subject: libpam-modules: pam_umask only uses UPG-appropriate umask if uid==gid
Date: Mon, 17 May 2010 10:00:52 -0400
Package: libpam-modules
Version: 1.1.1-3
Severity: normal

If usergroups is passed as an option, pam_umask compares numeric uid
with numeric gid as an initial test to determine whether the umask group
bits should be set to match the umask user bits.  When User Private
Groups are being used, there is no guarantee that uid==gid, and in fact
it is often the case that uid!=gid, so this test should be removed.

See http://lists.debian.org/debian-devel/2010/05/msg00463.html and other
messages in that thread for discussion of this.

...Marvin





Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (Wed, 19 May 2010 23:51:08 GMT)

Notification sent to Marvin Renich <mrvn@renich.org>:
Bug acknowledged by developer. (Wed, 19 May 2010 23:51:08 GMT)

Message #10 received at 581984-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Marvin Renich <mrvn@renich.org>, 581984-done@bugs.debian.org
Subject: Re: Bug#581984: libpam-modules: pam_umask only uses UPG-appropriate umask if uid==gid
Date: Wed, 19 May 2010 16:47:40 -0700
Hi Marvin,

On Mon, May 17, 2010 at 10:00:52AM -0400, Marvin Renich wrote:
> Package: libpam-modules
> Version: 1.1.1-3
> Severity: normal

> If usergroups is passed as an option, pam_umask compares numeric uid
> with numeric gid as an initial test to determine whether the umask group
> bits should be set to match the umask user bits.  When User Private
> Groups are being used, there is no guarantee that uid==gid, and in fact
> it is often the case that uid!=gid, so this test should be removed.

> See http://lists.debian.org/debian-devel/2010/05/msg00463.html and other
> messages in that thread for discussion of this.

I don't think this is a point on which we should diverge from the upstream
behavior; this is obviously a security-sensitive option, and if upstream
believes the current behavior is the correct one, I don't want admins
familiar with other distributions to be unpleasantly surprised that using
this option on Debian results in a more relaxed umask than they expected.

I'm therefore closing this bug as "wontfix", but you are welcome to report
this upstream at
<https://sourceforge.net/tracker/?group_id=6663&atid=106663>.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 May 2010 12:21:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#581984; Package libpam-modules. (Thu, 20 May 2010 12:24:02 GMT)

Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Thu, 20 May 2010 12:24:02 GMT)

Message #17 received at 581984@bugs.debian.org:

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: 581984@bugs.debian.org
Subject: UPG and the default umask
Date: Thu, 20 May 2010 14:22:51 +0200
reopen 315089
thanks

On Mon, May 17, 2010 at 11:05 PM, Marvin Renich <mrvn@renich.org> wrote:
> * Aaron Toponce <aaron.toponce@gmail.com> [100517 13:05]:
>> On 05/17/2010 10:49 AM, Harald Braumann wrote:
>> > from pam_umask's description of the usergroups option:
>> >
>> > If the user is not root, and the user ID is equal to the group ID, *and*
>> > the username is the same as primary group name, the umask group bits
>> > are set to be the same as owner bits (examples: 022 -> 002, 077 ->
>> > 007).
>> >
>> > So if there is a mismatch of *either*, name or ID, then pam_umasks
>> > detects a non-UPG system, while it might very well be all UPG.
>>
>> A bug in pam_umask.so that needs to be addressed (which I believe we've
>> already started addressing in this thread).
>
> Bug #581984.

Closed by maintainer and reopened, if we use libpam for umask it could
be even raised to RC critical, so please correct this behavior, report
upstream. I agree that it could be misleading for other distros in this
case, please add a new option like useupg.

Thanks

Bastien
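
The usergroups rule quoted in the message above, worked through as an added example (not code from pam_umask or from anyone in this thread): it applies the quoted conditions to constructed passwd and group entries and flags accounts whose name matches their primary group name while uid differs from gid, the case this bug is about. The account data and all function names are assumptions made for illustration.

```python
# Constructed passwd(5)/group(5) entries for illustration, not from the bug report.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1005::/home/bob:/bin/bash
carol:x:1002:100::/home/carol:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:
alice:x:1000:
bob:x:1005:
"""

def records(text):
    """Yield colon-separated fields for each non-empty, non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")

def relax_group_bits(mask):
    """Copy the umask owner bits into the group bits (022 -> 002, 077 -> 007)."""
    return (mask & ~0o070) | ((mask & 0o700) >> 3)

def effective_umask(name, uid, gid, groups, base):
    """usergroups rule as quoted in the thread: not root, uid == gid, names equal."""
    if uid != 0 and uid == gid and groups.get(gid) == name:
        return relax_group_bits(base)
    return base

def audit(passwd_text, group_text, base=0o022):
    """Return {user: (umask, note)}; the note marks name-matched groups with uid != gid."""
    groups = {int(f[2]): f[0] for f in records(group_text)}
    report = {}
    for f in records(passwd_text):
        name, uid, gid = f[0], int(f[2]), int(f[3])
        mask = effective_umask(name, uid, gid, groups, base)
        mismatch = uid != 0 and uid != gid and groups.get(gid) == name
        report[name] = (mask, "name matches, uid != gid: not relaxed" if mismatch else "")
    return report

if __name__ == "__main__":
    for user, (mask, note) in audit(PASSWD, GROUP).items():
        print(f"{user:6} umask {mask:03o}  {note}")
```

With the constructed data, alice (uid 1000, gid 1000) gets the relaxed umask, while bob (uid 1001, private group bob with gid 1005) keeps the stricter base umask and is flagged.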




Bug closed, send any further explanations to Marvin Renich <mrvn@renich.org> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 20 May 2010 16:39:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#581984; Package libpam-modules. (Tue, 25 May 2010 21:39:03 GMT)

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Tue, 25 May 2010 21:39:03 GMT)

Message #24 received at 581984@bugs.debian.org:

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: 581984@bugs.debian.org
Subject: isn't it adduser?
Date: Tue, 25 May 2010 23:36:34 +0200
Hm, I'd say rather fix adduser to ensure GID==UID.

Debian policy states: "Packages other than base-passwd must not
modify /etc/passwd, /etc/shadow, /etc/group
or /etc/gshadow." (http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2)

So fixing adduser or useradd? should be sufficient, can you move this
issue accordingly?




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 23 Jun 2010 07:38:33 GMT)