Bug#672936: lsh-server: does not respect umask

2017-01-04 Thread Niels Möller
Sam Geeraerts writes:

> The default umask on a Squeeze system is 0022. However, when I
> connect via ssh to lsh-server on my Squeeze system the umask
> in the session is . It would make more sense to also have
> 0022 there.

Hi,

I had totally forgotten about this problem, but I was recently bitten by
it myself. And it turned out that it really has nothing to do with PAM,
it was a bug in lshd's daemon setup code, which cleared the umask for no
good reason. Which didn't matter much as long as we had /etc/profile and
other environment setup scripts set umask explicitly.

I just committed a fix and a test case to the stable branch
("lsh-2.0.4").

See
https://git.lysator.liu.se/lsh/lsh/commit/99b8bf8cf29a8a5e6cb63edd5c46bfa337b5a1d2,
and the next commit with the test case,
https://git.lysator.liu.se/lsh/lsh/commit/7f667afab075cf7cb3983bffa627e0c9345b9e72

With this change, shells spawned by lshd will inherit the umask the lshd
process was started with.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
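
Added example, not part of the original message and not lshd's code: a small C program showing why a umask cleared during daemon setup reaches every session shell. The names daemon_setup and session_file_mode and the /tmp scratch directory are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a daemon's start-up step (not lshd's code). */
static void daemon_setup(int clear_umask)
{
    if (clear_umask)
        umask(0);   /* wipes the mask the service was started with */
}

/* Start a "server" under start_mask, have it exec a shell that creates a
 * file by redirection, and return that file's permission bits (-1 on error). */
int session_file_mode(mode_t start_mask, int clear_umask)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch location */
    char path[64];
    struct stat st;
    int status, mode = -1;

    if (mkdtemp(dir) == NULL)                /* private 0700 directory */
        return -1;
    snprintf(path, sizeof path, "%s/f", dir);

    pid_t pid = fork();
    if (pid == 0) {
        umask(start_mask);
        daemon_setup(clear_umask);
        /* The umask survives fork() and exec(), so the shell inherits it. */
        execl("/bin/sh", "sh", "-c", ": > \"$1\"", "sh", path, (char *)NULL);
        _exit(127);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
        WEXITSTATUS(status) == 0 && stat(path, &st) == 0)
        mode = st.st_mode & 0777;
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("setup clears umask: %04o\n", (unsigned)session_file_mode(022, 1));
    printf("setup keeps umask:  %04o\n", (unsigned)session_file_mode(022, 0));
    return 0;
}
```

With the mask cleared, the file the shell creates is group- and world-writable, whatever mask the service was started under.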



Bug#672936: lsh-server: does not respect umask

2012-05-15 Thread Niels Möller
Sam Geeraerts writes:

> The comments in doc/NOTES indicate that it's not going to happen in
> the future either.

It's some years since I wrote that... There was also some discussion on
debian lists at the time. I'm still not very fond of PAM, and I think it
is unfortunate if its use is mandatory on debian. Nevertheless, if you
look at the code intended to become lsh-3.0, it would be a bit more
reasonable to add real PAM support, since the user authentication will
run as a separate process (lshd-userauth), which can even use blocking
i/o. But that's not going to happen soon, so it's of little help for the
debian package of current lsh.

> Although the code does seem to have some PAM support in the form of
> lsh-pam-checkpw.

That somewhat crude hack is only for verifying passwords against PAM.

> But that probably wouldn't set the umask if it were enabled.

You're right. It doesn't do anything related to the state of login
sessions.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#672936: lsh-server: does not respect umask

2012-05-15 Thread Sam Geeraerts

Niels Möller wrote:

> And now enter lshd, which is *not* PAMified.

The comments in doc/NOTES indicate that it's not going to happen in
the future either. Although the code does seem to have some PAM support
in the form of lsh-pam-checkpw. But that probably wouldn't set the umask
if it were enabled.

> I'm not sure what the status of PAM is in debian. Does policy say that
> all login-like services must use PAM, and if you don't use PAM, you're
> on your own? Or is there some recommended way for non-PAM-services to
> get this right on Debian?

No idea. With doc/NOTES in mind, I wonder why OpenSSH developers did
choose to implement PAM.

> One possible workaround might be to add a script to /etc/profile.d which
> does something like
>
>   while read key value rest_of_line ; do
>     if [ "$key" = "UMASK" ] ; then
>       umask "$value"
>     fi
>   done << EOF
>   `cat /etc/login.defs`
>   EOF

Indeed a nice way to work around it until there's a real solution.






Bug#672936: lsh-server: does not respect umask

2012-05-15 Thread Niels Möller
Sam Geeraerts writes:

> The default umask on a Squeeze system is 0022. However, when I
> connect via ssh to lsh-server on my Squeeze system the umask
> in the session is . It would make more sense to also have
> 0022 there.

I think traditionally, setting up the default umask was a job for the
login shell, typically configured in /etc/profile.

From a quick look, it seems umask is no longer set up in /etc/profile,
but by some PAM module, configured via /etc/login.defs. Not sure exactly
where, though. The documentation says it's "pam_umask", but no such
module is mentioned in any file under /etc/pam.d/*, as far as I can see.

And now enter lshd, which is *not* PAMified.

I'm not sure what the status of PAM is in debian. Does policy say that
all login-like services must use PAM, and if you don't use PAM, you're
on your own? Or is there some recommended way for non-PAM-services to
get this right on Debian?

One possible workaround might be to add a script to /etc/profile.d which
does something like

  while read key value rest_of_line ; do
    if [ "$key" = "UMASK" ] ; then
      umask "$value"
    fi
  done << EOF
  `cat /etc/login.defs`
  EOF

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.






Bug#672936: lsh-server: does not respect umask

2012-05-14 Thread Sam Geeraerts
Package: lsh-server
Version: 2.0.4-dfsg-7
Severity: normal

The default umask on a Squeeze system is 0022. However, when I
connect via ssh to lsh-server on my Squeeze system the umask
in the session is . It would make more sense to also have
0022 there.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lsh-server depends on:
ii  debc  1.5.36.1                             Debian configuration management sy
ii  libc  2.11.3-2                             Embedded GNU C Library: Shared lib
ii  libg  2:4.3.2+dfsg-1                       Multiprecision arithmetic library
ii  libh  2.0-2                                low level cryptographic library (p
ii  libk  1.4.0~git20100726.dfsg.1-2+squeeze1  Heimdal Kerberos - libraries
ii  libn  2.0-2                                low level cryptographic library (s
ii  libo  1.0-8                                Event loop management library
ii  libp  1.1.1-6.1+squeeze1                   Pluggable Authentication Modules l
ii  libw  7.6.q-19                             Wietse Venema's TCP wrappers libra
ii  lsh-  2.0.4-dfsg-7                         Secure Shell v2 (SSH2) protocol ut
ii  open  0.4.1                                list of default blacklisted OpenSS
ii  zlib  1:1.2.3.4.dfsg-3                     compression library - runtime

Versions of packages lsh-server recommends:
ii  openssh-blacklist-extra   0.4.1  list of non-default blacklisted Op

Versions of packages lsh-server suggests:
ii  lsh-client      2.0.4-dfsg-7        Secure Shell v2 (SSH2) protocol cl
pn  lsh-doc         <none>              (no description available)
ii  openssh-client  1:5.5p1-6+squeeze1  secure shell (SSH) client, for sec

-- debconf information:
  lsh-server/purge_hostkey: false
  lsh-server/sftp: false
  lsh-server/lshd_port: 22


