Merge pull request #208 from Duncaen/umask-home

add new UMASK_HOME login.defs option
Serge Hallyn 2020-01-11 16:20:13 -06:00 committed by GitHub
commit 401d0743af
6 changed files with 19 additions and 7 deletions


@ -195,12 +195,17 @@ KILLCHAR 025
# Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories. # home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered # 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin # for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind. # must make up their mind.
UMASK 022 UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
#HOME_MODE 0700
# #
# Password aging controls: # Password aging controls:
# #
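Review bot: The new HOME_MODE comment block says the option sets the mode of new home directories but does not make explicit that the value is an absolute mode rather than a mask like the UMASK entry directly above it, which is the one thing a sysadmin copying the UMASK habit (022, 027, 077) is likely to get wrong. Suggest extending the block with `# HOME_MODE is an absolute mode (e.g. 0700), not a mask like UMASK.` before the commented-out example. Separately, the PR title names the option UMASK_HOME while the option introduced here is HOME_MODE.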


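--- a/PATH_NOT_SHOWN_ON_PAGE_section2
+++ b/PATH_NOT_SHOWN_ON_PAGE_section2
@@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
 {"FAKE_SHELL", NULL},
 {"GID_MAX", NULL},
 {"GID_MIN", NULL},
+{"HOME_MODE", NULL},
 {"HUSHLOGIN_FILE", NULL},
 {"KILLCHAR", NULL},
 {"LASTLOG_UID_MAX", NULL},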


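--- a/PATH_NOT_SHOWN_ON_PAGE_section3
+++ b/PATH_NOT_SHOWN_ON_PAGE_section3
@@ -50,6 +50,7 @@
 <!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml">
 <!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml">
 <!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
+<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
 <!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
 <!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml">
 <!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml">
@@ -185,6 +186,7 @@
 &FAKE_SHELL;
 &FTMP_FILE;
 &GID_MAX; <!-- documents also GID_MIN -->
+&HOME_MODE;
 &HUSHLOGIN_FILE;
 &ISSUE_FILE;
 &KILLCHAR;
@@ -401,6 +403,7 @@
 ENCRYPT_METHOD
 GID_MAX GID_MIN
 MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
+HOME_MODE
 PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
 <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
 SHA_CRYPT_MIN_ROUNDS</phrase>
@@ -481,6 +484,7 @@
 <para>
 CREATE_HOME
 GID_MAX GID_MIN
+HOME_MODE
 LASTLOG_UID_MAX
 MAIL_DIR MAX_MEMBERS_PER_GROUP
 PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE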


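--- a/PATH_NOT_SHOWN_ON_PAGE_section4
+++ b/PATH_NOT_SHOWN_ON_PAGE_section4
@@ -37,7 +37,8 @@
 </para>
 <para>
 <command>useradd</command> and <command>newusers</command> use this
-mask to set the mode of the home directory they create
+mask to set the mode of the home directory they create if
+<option>HOME_MODE</option> is not set.
 </para>
 <para condition="no_pam">
 It is also used by <command>login</command> to define users' initial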


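--- a/PATH_NOT_SHOWN_ON_PAGE_section5
+++ b/PATH_NOT_SHOWN_ON_PAGE_section5
@@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
 if ( ('\0' != fields[5][0])
 && (access (newpw.pw_dir, F_OK) != 0)) {
 /* FIXME: should check for directory */
-mode_t msk = 0777 & ~getdef_num ("UMASK",
-GETDEF_DEFAULT_UMASK);
-if (mkdir (newpw.pw_dir, msk) != 0) {
+mode_t mode = getdef_num ("HOME_MODE",
+0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+if (mkdir (newpw.pw_dir, mode) != 0) {
 fprintf (stderr,
 _("%s: line %d: mkdir %s failed: %s\n"),
 Prog, line, newpw.pw_dir,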
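Review bot: The HOME_MODE value read on the first rewritten line is handed to mkdir() without any range check, so a login.defs entry that is out of range or carries the setuid/setgid/sticky bits is used as-is; the useradd create_home hunk below has the same gap. Masking once at the point of use keeps the configured value to permission bits, `mode_t mode = (mode_t) (getdef_num ("HOME_MODE", 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)) & 07777);`. Note also that mkdir() applies the calling process's umask on top of the requested mode, while the useradd hunk sets its mode with chmod(), so the same HOME_MODE can produce different permissions from the two tools now that an explicit mode can be configured; a chmod() after a successful mkdir() here would make them agree. The enclosing main() starts and ends outside the hunk.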


@ -2152,8 +2152,9 @@ static void create_home (void)
} }
(void) chown (prefix_user_home, user_id, user_gid); (void) chown (prefix_user_home, user_id, user_gid);
chmod (prefix_user_home, mode_t mode = getdef_num ("HOME_MODE",
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
chmod (prefix_user_home, mode);
home_added = true; home_added = true;
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog, audit_logger (AUDIT_ADD_USER, Prog,
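Review bot: The result of the rewritten chmod() call is discarded, so if it fails the home directory keeps whatever mode it was created with earlier in create_home (presumably under the process umask; that code is outside the hunk) and nothing is reported, even though the function goes on to set home_added and emit an audit record as if the requested mode were in place. The chown() line above at least marks the decision to ignore its result with a `(void)` cast; chmod() gets neither. Suggest `if (chmod (prefix_user_home, mode) != 0) fprintf (stderr, _("%s: warning: chmod %s failed: %s\n"), Prog, prefix_user_home, strerror (errno));`, or an explicit `(void)` with a one-line comment if ignoring it is intended. create_home starts before and continues after this hunk.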