[Bug 1097262] [NEW] [pam][pam_umask]: Explicitly set the user specific umask at (shell) login to "0022" value

Sedat Dilek 1097262 at bugs.launchpad.net
Tue Jan 8 12:46:47 UTC 2013


Public bug reported:

[ Resending via 'ubuntu-bug libpam-modules' ]

Hi,

when I am working with the Freetz (a small Linux router project based
on buildroot mainly for MIPS arch) build-system I have this
umask/shell problem described in [1].

NOTE-1: I am using the xterm app from the Unity dock.
NOTE-2: I am currently working with a self-compiled Linux v3.8-rc2
kernel (if this matters - not sure if Eric Biederman's namespace
changes result in a different behaviour), but I have seen the issue
also with any Ubuntu-kernels I ran here, so it should be independent).

The umask is "002" when xterm is started.

After hitting the problem so many times when doing for example:

$ cd ~/src/freetz/freetz-git/

$ make dist-clean

So, I wanted to eliminate this problem forever and now!

My first approach was to follow the advice in Ubuntu Bug #379341 (see
[2]), especially the hint to...

$ man pam_umask

...recommends:

EXAMPLES
       Add the following line to /etc/pam.d/login to set the user
       specific umask at login:

                   session optional pam_umask.so umask=0022

NOTE: pam_umask.so is provided by libpam-modules Ubuntu package (see
[3]).

Unfortunately, something like this did NOT work and had to be
enhanced...

$ git diff /etc/pam.d/login /etc/pam.d/login_UMASK-FIXED_NotOK
diff --git a/etc/pam.d/login b/etc/pam.d/login_UMASK-FIXED_NotOK
index f1e43b2..9886f5e 100644
--- a/etc/pam.d/login
+++ b/etc/pam.d/login_UMASK-FIXED_NotOK
@@ -105,3 +105,16 @@ session    optional   pam_mail.so standard
 session [success=3Dok ignore=3Dignore module_unknown=3Dignore default=3Dba=
d]
pam_selinux.so open
 # When the module is present, "required" would be sufficient (When SELinux
 # is disabled, this returns success.)
+
+# XXX: Workaround: Explicitly set the user specific umask at (shell)
login to "0022" value
+#
+# For more details see:
+# 1. Changelog of commit in Freetz/trunk SVN revision 9427
+#    <http://freetz.org/changeset/9427/>
+# 2. [Bug 379341] Re: remove/comment /etc/profile umask setting
+#    <https://lists.ubuntu.com/archives/foundations-bugs/2011-December/056446.html>
+#
+# XXX: Unfortunately, this does NOT satisfy the Freetz build-system.
+# XXX: Fixed by adding "umask=3D0022" to the pam_umask.so line in
"/etc/pam.d/common-session".
+# XXX: See includes in "Standard Un*x account and session" section
here in this file.
+#session    optional   pam_umask.so umask=3D0022
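
Review bot: the only functional line in this hunk, the trailing `#session optional pam_umask.so` entry, is commented out, so the patched login file behaves exactly like the original and the added block is documentation only. The egrep output later in this report shows `@include common-session` at line 99, ahead of this position, so a one-line comment next to that include pointing at the pam_umask.so entry in common-session would carry the same information with less to maintain; the "does NOT satisfy" and "Fixed by" remarks belong in a changelog rather than in the config file.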

...in combination with this change WorksForMe™.

$ git diff /etc/pam.d/common-session /etc/pam.d/common-session_UMASK-FIXED_OK
diff --git a/etc/pam.d/common-session b/etc/pam.d/common-session_UMASK-FIXED_OK
index af9fb77..7a6ac1f 100644
--- a/etc/pam.d/common-session
+++ b/etc/pam.d/common-session_UMASK-FIXED_OK
@@ -24,9 +24,9 @@ session       required                        pam_permit.=
so
 # /etc/login.defs and user settings, solving the problem of different
 # umask settings with different shells, display managers, remote sessions =
etc.
 # See "man pam_umask".
-session optional                       pam_umask.so
+session optional                       pam_umask.so umask=3D0022
 # and here are more per-package modules (the "Additional" block)
-session        required        pam_unix.so
-session        optional        pam_systemd.so
+session        required                        pam_unix.so
+session        optional                        pam_systemd.so
 session        optional                        pam_ck_connector.so nox11
 # end of pam-auth-update config
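
Review bot: the two re-indented lines for pam_unix.so and pam_systemd.so are whitespace-only and bury the one functional change, the `umask=` argument added to the pam_umask.so line; drop them so the diff is a single changed line. The last context line, `# end of pam-auth-update config`, marks this block as written by pam-auth-update, so a hand edit here should also be recorded somewhere that survives regeneration of the file. The context comment refers to /etc/login.defs and user settings, so the change description should say why a hard-coded argument is preferred over the `UMASK 022` entry shown in /etc/login.defs further down.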

NOTE-1: common-session is an INCLUDED file, but a dpkg -S /path/to/common-session does NOT refer to any Ubuntu package.
NOTE-2: session items in common-session file are malformed (tabs)!

# LC_ALL=C dpkg -S /etc/pam.d/common-session
dpkg-query: no path found matching pattern /etc/pam.d/common-session.

More confusion on dpkg -S:

# LC_ALL=C dpkg -S /etc/pam.d/* | sort
dpkg-query: no path found matching pattern /etc/pam.d/common-account.
dpkg-query: no path found matching pattern /etc/pam.d/common-auth.
dpkg-query: no path found matching pattern /etc/pam.d/common-password.
dpkg-query: no path found matching pattern /etc/pam.d/common-session.
dpkg-query: no path found matching pattern /etc/pam.d/common-session-noninteractive.
dpkg-query: no path found matching pattern /etc/pam.d/common-session_UMASK-FIXED_OK.
dpkg-query: no path found matching pattern /etc/pam.d/login_UMASK-FIXED_Not-OK.
at: /etc/pam.d/atd
cron: /etc/pam.d/cron
cups: /etc/pam.d/cups
gnome-screensaver: /etc/pam.d/gnome-screensaver
libpam-runtime: /etc/pam.d/other
lightdm: /etc/pam.d/lightdm
lightdm: /etc/pam.d/lightdm-autologin
login: /etc/pam.d/login <--- Here: Shell login + umask-handling???
login: /etc/pam.d/su
openssh-server: /etc/pam.d/sshd <--- Here: SSH login and umask-handling???
passwd: /etc/pam.d/chfn
passwd: /etc/pam.d/chpasswd
passwd: /etc/pam.d/chsh
passwd: /etc/pam.d/newusers
passwd: /etc/pam.d/passwd
policykit-1: /etc/pam.d/polkit-1
ppp: /etc/pam.d/ppp
samba-common: /etc/pam.d/samba
sudo: /etc/pam.d/sudo

I am not sure where exactly to change the umask for shell logins
GLOBALLY and/or USER-DEFINED.

I do NOT want to dig into ssh-login and umask (see above dpkg-S
confusion), check by yourself /etc/pam.d/ || /etc/security/ ||
/etc/init.d/ssh etc.

$ grep -nr -i umask /etc/init.d/ssh
36:umask 022

OK, libpam-modules is an optional package AFAICS, so this above line
makes sense.
But, can you give advice about the umask-handling especially shell and ssh?

Also this pam.d-include-handling is a next bit of a confusing sh*t.
Why not put all those includes in a subdir "include" below /etc/pam.d/.

What's about the order includes VS. own workarounds?

# egrep -nr -E 'pam_umask.so|@include' /etc/pam.d/login_UMASK-FIXED_NotOK
56:@include common-auth
98:@include common-account
99:@include common-session
100:@include common-password
118:# XXX: Fixed by adding "umask=0022" to the pam_umask.so line in "/etc/pam.d/common-session".
120:#session    optional   pam_umask.so umask=0022

The EXAMPLE in the man-page of pam_umask has to be fixed?
Or asking the other way round where to put the pam_umask.so line?
Into /etc/pam.d/login or /etc/pam.d/common-session?

What is about this (see [1]) in /etc/login.defs?
This umask line seems to me to never be recognized and should no longer
exist due to [1]?

$ egrep -nr '^UMASK|^USERGROUPS_ENAB' /etc/login.defs
151:UMASK               022
225:USERGROUPS_ENAB yes

Quote from [1]:
...
  Setting the umask in /etc/profile only works for some shells. It was
  introduced into debian as a workaround, when the switch from login to
  PAM broke the UMASK setting in /etc/login.defs.
...

Another thingie that I noticed while digging into the umask/shell-login jungle:

$ sudo grep -nr -i umask /etc/security/
/etc/security/namespace.init:18:                mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs)

Shouldn't umask changes not be done in /etc/login.defs?

BTW, is there no possibility foreseen for dpkg-reconfigure
$smart-app-which-changes-umask-for-shell-logins?

I played a bit with pam-auth-update:

$ sudo LC_ALL=C dpkg-reconfigure pam-auth-update
Package `pam-auth-update' is not installed and no info is available.
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
/usr/sbin/dpkg-reconfigure: pam-auth-update is not installed

$ dpkg -S $(which pam-auth-update)
libpam-runtime: /usr/sbin/pam-auth-update

$ dpkg -l | grep libpam-runtime
ii  libpam-runtime                          1.1.3-7ubuntu2                          Runtime support for the PAM library

$ sudo pam-auth-update

Last line lets me change the following settings (did not dig deeper
into which of the items are good for shell/umask):

[*] Unix authentication
[*] Register user sessions in the systemd control group hierarchy
[*] GNOME Keyring Daemon - Login keyring management
[*] ConsoleKit Session Management
[*] Inheritable Capabilities Management

What is in my case the optimal way to fix the umask/shell issue?
Globally and/or user-defined (even last is the better way)?

Can you enlighten me, please?

Kind Regards,
- Sedat -

P.S.: Overfly the sections with the s-words as I am a bit angry about
all this confusing handling.

[1] http://freetz.org/changeset/9427/
[2] https://lists.ubuntu.com/archives/foundations-bugs/2011-December/056446.html
[3] http://packages.ubuntu.com/precise/amd64/libpam-modules/filelist

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libpam-modules 1.1.3-7ubuntu2
Uname: Linux 3.8.0-rc2-8-iniza-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.1
Architecture: amd64
Date: Tue Jan  8 13:39:50 2013
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Beta amd64 (20120301)
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: pam
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug precise running-unity

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1097262
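
Added example, not part of the original report or of the PAM packages: a shell function that addresses the "includes VS. own workarounds" ordering question raised in the report by walking one service's session stack in order, following includes, and listing every active pam_umask.so line with the file and line it comes from. The names pam_umask_sites and make_sample and the sample tree are constructed for illustration; backslash-continued lines are not joined.

```shell
#!/bin/sh
# List every active "session ... pam_umask.so" line a PAM service reaches, in
# stack order, following "@include" and "include"/"substack" directives.
# Output format: <file>:<line number>:<module arguments>
pam_umask_sites() {   # usage: pam_umask_sites <pam.d dir> <service>
    awk -v dir="$1" -v svc="$2" '
    function walk(name, depth,    path, n, line, f, nf, i, j, args) {
        path = dir "/" name
        if (depth > 8 || (path in busy)) return     # include-loop guard
        busy[path] = 1
        n = 0
        while ((getline line < path) > 0) {
            n++
            sub(/#.*/, "", line)                    # commented-out lines are inert
            nf = split(line, f)
            if (nf < 2) continue
            if (f[1] == "@include") { walk(f[2], depth + 1); continue }
            if (f[1] !~ /^-?session$/) continue     # only the session stack matters here
            if (nf >= 3 && (f[2] == "include" || f[2] == "substack")) {
                walk(f[3], depth + 1); continue
            }
            for (i = 3; i <= nf; i++) {             # control may be a multi-word [..] block
                if (f[i] !~ /(^|\/)pam_umask\.so$/) continue
                args = ""
                for (j = i + 1; j <= nf; j++) args = args (args == "" ? "" : " ") f[j]
                print name ":" n ":" args
                break
            }
        }
        close(path)
        delete busy[path]
    }
    BEGIN { walk(svc, 0) }'
}

# Constructed sample mirroring the layout in the report: the pam_umask.so line
# in "login" is commented out, the active one is reached through the include.
make_sample() {   # usage: make_sample <dir>
    printf '%s\n' 'auth required pam_unix.so' > "$1/common-auth"
    printf '%s\n' 'session required pam_permit.so' \
        'session optional pam_umask.so umask=0022' \
        'session required pam_unix.so' > "$1/common-session"
    printf '%s\n' '@include common-auth' '@include common-session' \
        '#session    optional   pam_umask.so umask=0022' > "$1/login"
}

d=$(mktemp -d) && make_sample "$d" && pam_umask_sites "$d" login
rm -rf "$d"
```

Run against a real system as `pam_umask_sites /etc/pam.d login` or `pam_umask_sites /etc/pam.d sshd`; an empty result means no active pam_umask.so line is reachable from that service.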
