[Bug 1957024] Re: pam-mkhomedir does not honor private home directories

Ponnuvel Palaniyappan 1957024 at bugs.launchpad.net
Sun Dec 1 09:24:04 UTC 2024 

SRU verification for Jammy.


## Current pam package shows permission 0755 for home dir

root at pon-jammy:~# dpkg -l | grep pam
ii  libpam-cap:amd64                1:2.44-1ubuntu0.22.04.1                 amd64        POSIX 1003.1e capabilities (PAM module)
ii  libpam-modules:amd64            1.4.0-11ubuntu2.4                       amd64        Pluggable Authentication Modules for PAM
ii  libpam-modules-bin              1.4.0-11ubuntu2.4                       amd64        Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime                  1.4.0-11ubuntu2.4                       all          Runtime support for the PAM library
ii  libpam-systemd:amd64            249.11-0ubuntu3.12                      amd64        system and service manager - PAM module
ii  libpam0g:amd64                  1.4.0-11ubuntu2.4                       amd64        Pluggable Authentication Modules library
root at pon-jammy:~# pam-auth-update --enable mkhomedir
root at pon-jammy:~# echo $?
0
root at pon-jammy:~# useradd --no-create-home homemadebymkhomedir_curpkg
root at pon-jammy:~# ls -ld /home/
drwxr-xr-x 3 root root 3 Dec  1 08:18 /home/
root at pon-jammy:~# ls -l /home/
total 1
drwxr-x--- 3 ubuntu ubuntu 6 Dec  1 08:18 ubuntu
root at pon-jammy:~# su - homemadebymkhomedir_curpkg -c exit
root at pon-jammy:~# ls -l /home/
total 1
drwxr-xr-x 2 homemadebymkhomedir_curpkg homemadebymkhomedir_curpkg 5 Dec  1 09:12 homemadebymkhomedir_curpkg
drwxr-x--- 3 ubuntu                     ubuntu                     6 Dec  1 08:18 ubuntu
root at pon-jammy:~# 


## Install from -proposed

root at pon-jammy:~# dpkg -l | grep pam
ii  libpam-cap:amd64                1:2.44-1ubuntu0.22.04.1                 amd64        POSIX 1003.1e capabilities (PAM module)
ii  libpam-modules:amd64            1.4.0-11ubuntu2.5                       amd64        Pluggable Authentication Modules for PAM
ii  libpam-modules-bin              1.4.0-11ubuntu2.5                       amd64        Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime                  1.4.0-11ubuntu2.5                       all          Runtime support for the PAM library
ii  libpam-systemd:amd64            249.11-0ubuntu3.13                      amd64        system and service manager - PAM module
ii  libpam0g:amd64                  1.4.0-11ubuntu2.5                       amd64        Pluggable Authentication Modules library


root at pon-jammy:~# useradd --no-create-home homemadebymkhomedir_newpkg
root at pon-jammy:~# ls -l /home
total 1
drwxr-xr-x 2 homemadebymkhomedir_curpkg homemadebymkhomedir_curpkg 5 Dec  1 09:12 homemadebymkhomedir_curpkg
drwxr-x--- 3 ubuntu                     ubuntu                     6 Dec  1 08:18 ubuntu
root at pon-jammy:~# su - homemadebymkhomedir_newpkg -c exit
root at pon-jammy:~# ls -l /home/
total 2
drwxr-xr-x 2 homemadebymkhomedir_curpkg homemadebymkhomedir_curpkg 5 Dec  1 09:12 homemadebymkhomedir_curpkg
drwxr-x--- 2 homemadebymkhomedir_newpkg homemadebymkhomedir_newpkg 5 Dec  1 09:22 homemadebymkhomedir_newpkg
drwxr-x--- 3 ubuntu                     ubuntu                     6 Dec  1 08:18 ubuntu
root at pon-jammy:~# 

New packages created after install pam from -proposed, the permission of
home dir is 0750.

** Tags removed: verification-needed-jammy
** Tags added: verification-done-jammy

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1957024

Title:
  pam-mkhomedir does not honor private home directories

Status in pam package in Ubuntu:
  Fix Released
Status in pam source package in Focal:
  In Progress
Status in pam source package in Jammy:
  Fix Committed
Status in pam source package in Noble:
  Fix Released
Status in pam source package in Oracular:
  Fix Released
Status in pam source package in Plucky:
  Fix Released

Bug description:
  [Impact]

  A common situation is to have a central set of users (e.g. in LDAP)
  and use pam_mkhomedir.so to create the home directory when the user
  first logs in.

  These changes do not cover this situation. The default configuration
  of pam_mkhomedir.so will result in a home directory created with 0755
  permissions.

  To make pam_mkhomedir.so create a home directory by default with
  permissions consistent with the other tools then a umask argument can
  be added to the pam_mkhomedir.so module in the file /usr/share/pam-
  configs/mkhomedir. I believe this would have to be done before
  enabling the module. The file is part of the libpam-modules package.

  [Test plan]

  1. Test with current defaults and confirm the permission is 0755 for home directory.
  # enable pam_mkhomedir.so configuration
  pam-auth-update --enable mkhomedir
  # create a user with adduser that creates the home directory
  adduser --disabled-password --gecos adduser homemadebyadduser
  # create a user with useradd that creates the home directory
  useradd --create-home homemadebyuseradd
  # create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
  useradd --no-create-home homemadebymkhomedir
  # trigger pam_mkhomedir.so to create the home directory
  su - homemadebymkhomedir -c exit
  # verify the permissions are 0755 for the one created by pam and 0750 for the one by adduser'
  root at ubuntu:~# ls -al /home

  2. Install the package with the fix
  # enable mkhomedir again
  pam-auth-update --enable mkhomedir
  # create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
  useradd --no-create-home homemadebymkhomedirpatch
  # trigger pam_mkhomedir.so to create the home directory
  su - homemadebymkhomedirpatch -c exit
  # verify that the home dir created by pam has 0750 as well

  [ Where problems could occur ]

  This could result in inconsistent permissions between existing home directories created by pam (before the fix) and the ones created with this fix. While there's no reason to believe it could result in any actual issues, this can
  be mitigated by changing the existing home directories to have 0750 for consistency.

  Anyone in the 'others' group will lose access to the home directories of the
  rest of the users whose $HOME was created by pam. That behaviour should be
  treated as unexpected as that's how $HOME adduser will behave. In general,
  one's not expected to have access to $HOME of others.

  In the absolute pathological cases, where it's desired to give to $HOME to
  everyone, the permissions can be adjusted manually and the umask can be changed
  in the conf file on those systems. But this should be treated as 'workaround' and non-standard behaviour.

  [other info]

  This has been at https://discourse.ubuntu.com/t/private-home-
  directories-for-ubuntu-21-04-onwards/19533/13:

  And agreed that (1) having $HOME consistent across tools is the right
  behaviour and (2) 0750 is the desired permission for $HOME.

  This has been merged into Plucky already:
  https://git.launchpad.net/ubuntu/+source/pam/commit/?id=c576b5c19abb383ce53dfc10a986d7cf164eaeaf

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1957024/+subscriptions

More information about the foundations-bugs mailing list