[Bug 1217414] New: changing default umask for new users homedir sets the current umask for ALL users including root
https://bugzilla.suse.com/show_bug.cgi?id=1217414

            Bug ID: 1217414
           Summary: changing default umask for new users homedir sets the
                    current umask for ALL users including root
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: YaST2
          Assignee: yast2-maintainers@suse.de
          Reporter: joergboe44@googlemail.com
        QA Contact: jsrain@suse.com
  Target Milestone: ---
          Found By: ---
           Blocker: ---

When I change the default umask for new users home dir, the umask for all users (including root) is changed after login.
This is not what I expect and may be dangerous.

OS version: openSUSE Tumbleweed 20231121

Steps to reproduce:

1. Check the umask setting for a user or root:

    su --login test2
    Password:
    test2@localhost:~> umask
    0022

2. Change the umask for home directory of new users:
   Yast->User and group management->Defaults for new users:
   Change umask for home directory to 002

3. Login as a user or root, e.g. 'su --login':

    su --login test2
    Password:
    test2@localhost:~> umask
    0002

The umask is changed for all users.

This bug is almost the same as in Bugzilla – Bug 606249. But the behavior is obviously changed since then.
In the current Tumbleweed version the YAST changes the UMASK in file /etc/login.defs.d/70-yast.defs
And this seems to be enough to change the umask for the next login.

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1217414

Boehmer <joergboe44@googlemail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P4 - Low
           Found By|---                         |Community User
                 CC|                            |joergboe44@googlemail.com

https://bugzilla.suse.com/show_bug.cgi?id=1217414
https://bugzilla.suse.com/show_bug.cgi?id=1217414#c6

--- Comment #6 from Boehmer <joergboe44@googlemail.com> ---
Maybe it's not really dangerous. But it is at least very confusing behavior. It was also reported as a bug once (Bug 606249) and has been fixed.

There is also a crucial difference between Leap 15.5 and Tumbleweed:

In Leap, the value 'Umask for Home Directory' only sets the permissions for the home directory. The umask for new logins is unchanged (022). - This is what I expect and the help text also describes.

In Tumbleweed, the value 'Umask for Home Directory' sets the permissions for the home directory of the newly created user AND the umask for all new logins (of all users). This changes the system behavior for all other users (including root) if the umask is not explicitly set in the profile or elsewhere. The standard configuration (profile, bashrc ..) does not set the UMASK.
(See also https://en.opensuse.org/SDB:Set_UMASK)

If you look at the configuration files in Tumbleweed, you will see that there is no file '/etc/login.defs'. There is only '/usr/etc/login.defs'.
It seems that the PAM module reads the default umask directly from the file '/etc/login.defs.d/70-yast.defs' if '/etc/login.defs' does not exist.

Why isn't the 'Umask for Home Directory' saved as the HOME_MODE variable?

    man login.defs
    ...
    HOME_MODE (number)
        The mode for new home directories. If not specified, the UMASK is
        used to create the mode.

https://bugzilla.suse.com/show_bug.cgi?id=1217414
https://bugzilla.suse.com/show_bug.cgi?id=1217414#c9

Charles Wight <oxwrongagain@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |oxwrongagain@gmail.com

--- Comment #9 from Charles Wight <oxwrongagain@gmail.com> ---
I am going to GUESS that yast is modifying "/etc/login.defs", which is part of pam. I played with this some time back and could not find a way to exclude root.

See the pam_umask man page:

The PAM module tries to get the umask value from the following places in the following order:

  • umask= entry in the user's GECOS field
  • umask= argument
  • UMASK= entry from /etc/login.defs
  • UMASK= entry from /etc/default/login

The GECOS field is split on comma ',' characters. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create.
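
Added example, not part of the bug thread and not YaST or PAM code: a small model of the pam_umask lookup order quoted in comment 9 together with the HOME_MODE rule quoted in comment 6, showing why a single UMASK entry changes every login while a separate HOME_MODE would not. The function names and the two sample file contents are constructed for illustration, and the 022 fallback when UMASK is absent is an assumption.

```python
import re

# Constructed stand-ins for login.defs content; not copied from a real system.
YAST_DROPIN = "# after step 2 of the report\nUMASK 002\n"
SEPARATED = "UMASK 022\nHOME_MODE 0775\n"  # the HOME_MODE idea from comment 6

def parse_login_defs(text):
    """Parse login.defs-style 'KEY value' lines, skipping '#' comments."""
    defs = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs

def resolve_umask(gecos="", module_arg=None, login_defs="", default_login=""):
    """Return (umask, source) using the pam_umask order quoted in comment 9."""
    for field in gecos.split(","):
        field = field.strip()
        if field.startswith("umask="):
            return int(field[len("umask="):], 8), "GECOS"
    if module_arg is not None:
        return int(module_arg, 8), "umask= argument"
    defs = parse_login_defs(login_defs)
    if "UMASK" in defs:
        return int(defs["UMASK"], 8), "login.defs"
    match = re.search(r"^\s*UMASK=([0-7]+)", default_login, re.M)
    if match:
        return int(match.group(1), 8), "/etc/default/login"
    return None, "not set"

def home_dir_mode(login_defs):
    """HOME_MODE if present, otherwise derived from UMASK (man login.defs)."""
    defs = parse_login_defs(login_defs)
    if "HOME_MODE" in defs:
        return int(defs["HOME_MODE"], 8)
    # Assumption: fall back to 022 when UMASK is absent as well.
    return 0o777 & ~int(defs.get("UMASK", "022"), 8)

if __name__ == "__main__":
    for name, text in (("UMASK only", YAST_DROPIN), ("UMASK + HOME_MODE", SEPARATED)):
        mask, source = resolve_umask(login_defs=text)
        print(f"{name}: login umask {mask:04o} from {source}, "
              f"new home dir mode {home_dir_mode(text):04o}")
```

Passing a GECOS string such as `"Test User,,,,umask=027"` to `resolve_umask` shows the per-user entry taking precedence over the login.defs value.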