Debian Bug report logs - #646692
pam_umask: umask in /etc/login.defs not respected cause libpam_umask is not configured

version graph

Package: libpam-modules; Maintainer for libpam-modules is Sam Hartman <hartmans@debian.org>; Source for libpam-modules is src:pam (PTS, buildd, popcon).

Reported by: Martin Steigerwald <ms@teamix.de>

Date: Wed, 26 Oct 2011 09:36:32 UTC

Severity: normal

Tags: patch, upstream

Merged with 583958

Found in version pam/1.1.3-4

Blocking fix for 711104: login: su - doesn't set umask

Forwarded to https://github.com/linux-pam/linux-pam/pull/97

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, martin@lichtvoll.de, Steve Langasek <vorlon@debian.org>:
Bug#646692; Package libpam-modules. (Wed, 26 Oct 2011 09:36:50 GMT) (full text, mbox, link).

Acknowledgement sent to Martin Steigerwald <ms@teamix.de>:
New Bug report received and forwarded. Copy sent to martin@lichtvoll.de, Steve Langasek <vorlon@debian.org>. (Wed, 26 Oct 2011 09:36:52 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Steigerwald <ms@teamix.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pam_umask: umask in /etc/login.defs not respected cause libpam_umask is not configured
Date: Wed, 26 Oct 2011 11:31:16 +0200
Package: libpam-modules
Version: 1.1.3-4
Severity: normal

During holding a training about Linux basics, chapters users &
permissions, I revisited the issue on how to set the umask on
Debian.

I knew it should be set via pam_umask. I did it this way to
set umask 002 for our Linux workstations.

Today I grepped for other locations and found:

root@vm6601a:/etc# grep umask *
login.defs:#    UMASK           Default "umask" value.
login.defs:# UMASK is the default umask value for pam_umask and is used by
login.defs:# Other former uses of this variable such as setting the umask when
ltrace.conf:octal umask(octal);
ltrace.conf:octal SYS_umask(octal);
profile:# The default umask is now handled by pam_umask.
profile:# See pam_umask(8) and /etc/login.defs.

Then I went the way recommended by the comments in profile.

But it doesn´t work, the setting for UMASK is not respected for
logins on tty as well as via SSH or KDM:

root@vm6601a:~# grep "^UMASK" /etc/login.defs 
UMASK           002
root@vm6601a:~# umask
0022

(That is after a reboot of the virtual machine.)


On SLES 11 setting umask in /etc/login.defs has the desired effect.

I bet this is due to

vm6601b:/etc/pam.d # grep umask *
common-session:session  optional        pam_umask.so
common-session.pam-config-backup:session optional       pam_umask.so
common-session-pc:session       optional        pam_umask.so

for SLES 11 versus

root@vm6601a:/etc/pam.d# grep -i umask *
root@vm6601a:/etc/pam.d#

for Debian Squeeze or

merkaba:/etc/pam.d> grep -i umask *
merkaba:/etc/pam.d#1>

for the Debian Sid laptop I am reporting this from.


Expected results:

Setting umask in /etc/login.defs works as advertised in /etc/profile.


Actual results:

Setting umask there has no effect.


Related bugs:

Personal groups should result in umask 002 by default
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643560


Possible work-around for Squeeze:

For Squeeze add a hint to /etc/profile that pam_umask needs to
be configured first. I would prefer pam_umask configuration
to be added tough.

Thanks,
Martin Steigerwald

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (120, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.41   
ii  libc6                  2.13-21  
ii  libdb5.1               5.1.25-11
ii  libpam-modules-bin     1.1.3-4  
ii  libpam0g               1.1.3-4  
ii  libselinux1            2.1.0-1  

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf information:
  libpam-modules/disable-screensaver:

Forcibly Merged 583958 646692. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 27 Oct 2011 20:30:03 GMT) (full text, mbox, link).

Added tag(s) patch. Request was from "C. Gatzemeier" <c.gatzemeier@tu-bs.de> to control@bugs.debian.org. (Wed, 07 Nov 2012 19:21:06 GMT) (full text, mbox, link).

Removed tag(s) upstream. Request was from "C. Gatzemeier" <c.gatzemeier@tu-bs.de> to control@bugs.debian.org. (Tue, 23 Apr 2013 09:15:07 GMT) (full text, mbox, link).

Added tag(s) upstream. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 23 Apr 2013 14:21:07 GMT) (full text, mbox, link).

Added indication that bug 646692 blocks 711104 Request was from Andreas Henriksson <andreas@fatal.se> to 711104-submit@bugs.debian.org. (Mon, 13 Aug 2018 19:54:03 GMT) (full text, mbox, link).

Set Bug forwarded-to-address to 'https://github.com/linux-pam/linux-pam/pull/97'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 12 Feb 2019 08:06:05 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#646692; Package libpam-modules. (Wed, 10 Jun 2020 12:27:05 GMT) (full text, mbox, link).

Acknowledgement sent to Martin Steigerwald <Martin.Steigerwald@proact.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 10 Jun 2020 12:27:05 GMT) (full text, mbox, link).

Message #22 received at 646692@bugs.debian.org (full text, mbox, reply):

From: Martin Steigerwald <Martin.Steigerwald@proact.de>
To: "646692@bugs.debian.org" <646692@bugs.debian.org>
Subject: Re: pam_umask: umask in /etc/login.defs not respected cause libpam_umask is not configured
Date: Wed, 10 Jun 2020 12:24:22 +0000
[Message part 1 (text/plain, inline)]
Dear Steve, dear Andreas, dear Debian contributors,

Revisiting this topic for my trainings I see that this is not yet fixed.

*However* there is a merge request available in Salsa:

enable usergroups and add pam_umask in common-session(-noninteractive)

https://salsa.debian.org/vorlon/pam/-/merge_requests/3

Any chance you could merge it in time for Bullseye?

For now I will document that one still has to enable pam_umask manually.
Also pam-auth-update does not offer to enable it so I manually added

session optional   pam_umask.so

after end of 'pam-auth-update' maintained block in /etc/pam.d/common-
session.

After this PAM sets the umask according to the UMASK setting in
'/etc/login.defs'.

(Sorry for long signature and probably added HTML part, I can't
influence this for my work mail account.)

Best,

Mit freundlichen Grüßen / With kind regards
Martin Steigerwald •
Proact Deutschland GmbH
Trainer
Telefon: +49 911 30999 0 •
Fax: +49 911 30999 99
Südwestpark 43 •
90449 Nürnberg •
Germany
Martin.Steigerwald@proact.de •
www.proact.de
Amtsgericht Nürnberg
 •
HRB 18320
Geschäftsführer:
René Schülein
 •
Jonas Hasselberg
 •
Jonas Persson
•
Oliver Kügow
– Delivering Business Agility –

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 07:26:21 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.