emo/shadow
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity

add new HOME_MODE login.defs(5) option

Browse Source 
This option can be used to set a separate mode for useradd(8) and
newusers(8) to create the home directories with.
If this option is not set, the current behavior of using UMASK
or the default umask is preserved.

There are many distributions that set UMASK to 077 by default just
to create home directories not readable by others and use things like
/etc/profile, bashrc or sudo configuration files to set a less
restrictive
umask. This has always resulted in bug reports because it is hard
to follow as users tend to change files like bashrc and are not about
setting the umask to counteract the umask set in /etc/login.defs.

A recent change in sudo has also resulted in many bug reports about
this. sudo now tries to respect the umask set by pam modules and on
systems where pam does not set a umask, the login.defs UMASK value is
used.
This commit is contained in:
Duncan Overbruck 2020-01-11 22:19:37 +01:00
parent ed4a0157c4
commit 085d04c3dd
No known key found for this signature in database
GPG Key ID: 335C1D17EC3D6E35
9 changed files with 66 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
etc/login.defs
View File

@ -195,12 +195,17 @@ KILLCHAR 025
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
#HOME_MODE 0700
#
# Password aging controls:
#

1
lib/getdef.c
View File

@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
{"FAKE_SHELL", NULL},
{"GID_MAX", NULL},
{"GID_MIN", NULL},
{"HOME_MODE", NULL},
{"HUSHLOGIN_FILE", NULL},
{"KILLCHAR", NULL},
{"LASTLOG_UID_MAX", NULL},

4
man/login.defs.5.xml
View File

@ -50,6 +50,7 @@
<!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml">
<!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
<!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
<!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml">
<!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml">
@ -185,6 +186,7 @@
&FAKE_SHELL;
&FTMP_FILE;
&GID_MAX; <!-- documents also GID_MIN -->
&HOME_MODE;
&HUSHLOGIN_FILE;
&ISSUE_FILE;
&KILLCHAR;
@ -401,6 +403,7 @@
ENCRYPT_METHOD
GID_MAX GID_MIN
MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
HOME_MODE
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase>
@ -481,6 +484,7 @@
<para>
CREATE_HOME
GID_MAX GID_MIN
HOME_MODE
LASTLOG_UID_MAX
MAIL_DIR MAX_MEMBERS_PER_GROUP
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE

43
man/login.defs.d/HOME_MODE.xml Normal file
View File

@ -0,0 +1,43 @@
<!--
Copyright (c) 1991 - 1993, Julianne Frances Haugh
Copyright (c) 1991 - 1993, Chip Rosenthal
Copyright (c) 2007 - 2009, Nicolas François
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the copyright holders or contributors may not be used to
endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<varlistentry>
<term><option>HOME_MODE</option> (number)</term>
<listitem>
<para>
The mode for new home directories. If not specified,
the <option>UMASK</option> is used to create the mode.
</para>
<para>
<command>useradd</command> and <command>newusers</command> use this
to set the mode of the home directory they create.
</para>
</listitem>
</varlistentry>

3
man/login.defs.d/UMASK.xml
View File

@ -37,7 +37,8 @@
</para>
<para>
<command>useradd</command> and <command>newusers</command> use this
mask to set the mode of the home directory they create
mask to set the mode of the home directory they create if
<option>HOME_MODE</option> is not set.
</para>
<para condition="no_pam">
It is also used by <command>login</command> to define users' initial

2
man/newusers.8.xml
View File

@ -32,6 +32,7 @@
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
<!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
@ -382,6 +383,7 @@
</variablelist>
<variablelist>
&GID_MAX; <!-- documents also GID_MIN -->
&HOME_MODE;
&MAX_MEMBERS_PER_GROUP;
</variablelist>
<variablelist condition="no_pam">

2
man/useradd.8.xml
View File

@ -32,6 +32,7 @@
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY CREATE_HOME SYSTEM "login.defs.d/CREATE_HOME.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
<!ENTITY LASTLOG_UID_MAX SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
<!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml">
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
@ -681,6 +682,7 @@
<variablelist>
&CREATE_HOME;
&GID_MAX; <!-- documents also GID_MIN -->
&HOME_MODE;
&LASTLOG_UID_MAX;
&MAIL_DIR;
&MAX_MEMBERS_PER_GROUP;

6
src/newusers.c
View File

@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
if ( ('\0' != fields[5][0])
&& (access (newpw.pw_dir, F_OK) != 0)) {
/* FIXME: should check for directory */
mode_t msk = 0777 & ~getdef_num ("UMASK",
GETDEF_DEFAULT_UMASK);
if (mkdir (newpw.pw_dir, msk) != 0) {
mode_t mode = getdef_num ("HOME_MODE",
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
if (mkdir (newpw.pw_dir, mode) != 0) {
fprintf (stderr,
_("%s: line %d: mkdir %s failed: %s\n"),
Prog, line, newpw.pw_dir,

5
src/useradd.c
View File

@ -2155,8 +2155,9 @@ static void create_home (void)
}
(void) chown (prefix_user_home, user_id, user_gid);
chmod (prefix_user_home,
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
mode_t mode = getdef_num ("HOME_MODE",
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
chmod (prefix_user_home, mode);
home_added = true;
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog,