Bug#646692: pam_umask: umask in /etc/login.defs not respected cause libpam_umask is not configured

2020-06-10 Thread Martin Steigerwald 
Dear Steve, dear Andreas, dear Debian contributors,

Revisiting this topic for my trainings I see that this is not yet fixed.

*However* there is a merge request available in Salsa:

enable usergroups and add pam_umask in common-session(-noninteractive)

https://salsa.debian.org/vorlon/pam/-/merge_requests/3

Any chance you could merge it in time for Bullseye?

For now I will document that one still has to enable pam_umask manually.
Also pam-auth-update does not offer to enable it so I manually added

session optional   pam_umask.so

after end of 'pam-auth-update' maintained block in /etc/pam.d/common-
session.

After this PAM sets the umask according to the UMASK setting in
'/etc/login.defs'.

(Sorry for long signature and probably added HTML part, I can't
influence this for my work mail account.)

Best,

Mit freundlichen Grüßen / With kind regards
Martin Steigerwald •
Proact Deutschland GmbH
Trainer
Telefon: +49 911 30999 0 •
Fax: +49 911 30999 99
Südwestpark 43 •
90449 Nürnberg •
Germany
martin.steigerw...@proact.de •
www.proact.de
Amtsgericht Nürnberg
 •
HRB 18320
Geschäftsführer:
René Schülein
 •
Jonas Hasselberg
 •
Jonas Persson
•
Oliver Kügow
– Delivering Business Agility –

Bug#646692: pam_umask: umask in /etc/login.defs not respected cause libpam_umask is not configured

2011-10-26 Thread Martin Steigerwald 
Package: libpam-modules
Version: 1.1.3-4
Severity: normal

During holding a training about Linux basics, chapters users &
permissions, I revisited the issue on how to set the umask on
Debian.

I knew it should be set via pam_umask. I did it this way to
set umask 002 for our Linux workstations.

Today I grepped for other locations and found:

root@vm6601a:/etc# grep umask *
login.defs:#UMASK   Default "umask" value.
login.defs:# UMASK is the default umask value for pam_umask and is used by
login.defs:# Other former uses of this variable such as setting the umask when
ltrace.conf:octal umask(octal);
ltrace.conf:octal SYS_umask(octal);
profile:# The default umask is now handled by pam_umask.
profile:# See pam_umask(8) and /etc/login.defs.

Then I went the way recommended by the comments in profile.

But it doesn´t work, the setting for UMASK is not respected for
logins on tty as well as via SSH or KDM:

root@vm6601a:~# grep "^UMASK" /etc/login.defs 
UMASK   002
root@vm6601a:~# umask
0022

(That is after a reboot of the virtual machine.)


On SLES 11 setting umask in /etc/login.defs has the desired effect.

I bet this is due to

vm6601b:/etc/pam.d # grep umask *
common-session:session  optionalpam_umask.so
common-session.pam-config-backup:session optional   pam_umask.so
common-session-pc:session   optionalpam_umask.so

for SLES 11 versus

root@vm6601a:/etc/pam.d# grep -i umask *
root@vm6601a:/etc/pam.d#

for Debian Squeeze or

merkaba:/etc/pam.d> grep -i umask *
merkaba:/etc/pam.d#1>

for the Debian Sid laptop I am reporting this from.


Expected results:

Setting umask in /etc/login.defs works as advertised in /etc/profile.


Actual results:

Setting umask there has no effect.


Related bugs:

Personal groups should result in umask 002 by default
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643560


Possible work-around for Squeeze:

For Squeeze add a hint to /etc/profile that pam_umask needs to
be configured first. I would prefer pam_umask configuration
to be added tough.

Thanks,
Martin Steigerwald

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (120, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.41   
ii  libc6  2.13-21  
ii  libdb5.1   5.1.25-11
ii  libpam-modules-bin 1.1.3-4  
ii  libpam0g   1.1.3-4  
ii  libselinux12.1.0-1  

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf information:
  libpam-modules/disable-screensaver:



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org