Bugzilla – Full Text Bug Listing

| Summary: | changing default umask for new users homedir sets the current umask for ALL users including root | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Boehmer <joergboe44> |
| Component: | Security | Assignee: | Security Team bot <security-team> |
| Status: | NEW --- | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P4 - Low | CC: | joergboe44, oxwrongagain |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | x86-64 | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | Community User | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | Screenshot: YaST Users -> Tab "Defaults for New Users"; Screenshot: Help text for that screen | | |
Description
Boehmer
2023-11-22 18:23:04 UTC
Created attachment 870921
Screenshot: YaST Users -> Tab "Defaults for New Users"
Created attachment 870922
Screenshot: Help text for that screen
man 5 login.defs:
LOGIN.DEFS(5) File Formats and Conversions LOGIN.DEFS(5)
NAME
login.defs - shadow password suite configuration
DESCRIPTION
The /etc/login.defs file defines the site-specific configuration for
the shadow password suite. This file is required. Absence of this file
will not prevent system operation, but will probably result in
undesirable operation.
...
...
UMASK (number)
The file mode creation mask is initialized to this value. If not
specified, the mask will be initialized to 022.
useradd and newusers use this mask to set the mode of the home
directory they create if HOME_MODE is not set.
It is also used by login to define users' initial umask. Note that
this mask can be overridden by the user's GECOS line (if
QUOTAS_ENAB is set) or by the specification of a limit with the K
identifier in limits(5).
I have been working on Unix/Linux systems since the late 1980s. Back then it was always strongly advised that users set their own umask in one of the shell startup files to make sure they get the one that they want. It appears that this fell out of fashion over the decades, so now this falls back to some site-specific value. And this is obviously the value in /etc/login.defs (Leap 15.5) or one of the files in /etc/login.defs.d. That is what the YaST users module sets. It doesn't explicitly say so in the help text. This is admittedly an omission, but we have to put a limit to the text there; it's not a substitute for the system documentation, and those things are subject to change between different products and between releases.
So, is this surprising? I am not so sure. I have always made sure to set the umask explicitly. Is it dangerous? I don't think so. No responsible sysadmin would set this global default umask to a very permissive value; much more likely it will be set to a very restrictive one. And let's not forget that the umask is only a default, so we are talking about the default of a default. For every file that you create, especially as root, it is always advised to check the permissions if they are set to make that file usable for whoever is supposed to use it. In most cases, no other users need to use it. For directories, it has to be decided on a case-by-case basis.
Having said that, this is not at all a YaST specific issue; it is how the system is designed and configured by default. It is certainly easier to change the umask at a central place like /etc/login.defs or a file in /etc/login.defs.d than advising all users on a system to change it manually in one of their shell startup files. But if users decide they have a need for a different umask, they can always override the default with their own settings; and I personally would always do that. And on my systems, I also always do that for root.
Let's hear what our security team has to say about this.
Maybe it's not really dangerous. But it is at least very confusing behavior. It was also reported as a bug once (Bug 606249) and has been fixed. There is also a crucial difference between Leap 15.5 and Tumbleweed:
In Leap, the value 'Umask for Home Directory' only sets the permissions for the home directory. The umask for new logins is unchanged (022). - This is what I expect and the help text also describes.
In Tumbleweed, the value 'Umask for Home Directory' sets the permissions for the home directory of the newly created user AND the umask for all new logins (of all users). This changes the system behavior for all other users (including root) if the umask is not explicitly set in the profile or elsewhere. The standard configuration (profile, bashrc ..) does not set the UMASK. (See also https://en.opensuse.org/SDB:Set_UMASK)
If you look at the configuration files in Tumbleweed, you will see that there is no file '/etc/login.defs'. There is only '/usr/etc/login.defs'. It seems that the PAM module reads the default umask directly from the file '/etc/login.defs.d/70-yast.defs' if '/etc/login.defs' does not exist.
Why isn't the 'Umask for Home Directory' saved as the HOME_MODE variable?
man login.defs
...
HOME_MODE (number)
The mode for new home directories. If not specified, the UMASK is used to create the mode.
Yes, in TW many files were already migrated from /etc to /usr/etc, and many packages / subsystems now use a /usr/etc/something.d directory instead of formerly a single /etc/something config file. But that doesn't change the principle.
This change makes the difference: In TW (it seems) that the pam_umask evaluates files in /etc/login.defs.d/ before file /usr/etc/login.defs. And thus the UMASK entry in /etc/login.defs.d/70-yast.defs causes the strange behavior. In Leap: pam_umask obviously ignores files in /etc/login.defs.d
I am going to GUESS that yast is modifying "/etc/login.defs", which is part of pam.
I played with this some time back and could not find a way to exclude root.
See the pam_umask man page:
The PAM module tries to get the umask value from the following places in the following order:
• umask= entry in the user's GECOS field
• umask= argument
• UMASK= entry from /etc/login.defs
• UMASK= entry from /etc/default/login
The GECOS field is split on comma ',' characters. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create.
No.
In TW there is no /etc/login.defs:
ll /etc/login.defs
ls: cannot access '/etc/login.defs': No such file or directory
The yast changes the file /etc/login.defs.d/70-yast.defs:
--- /.snapshots/1353/snapshot/etc/login.defs.d/70-yast.defs 2024-06-21 18:40:27.621291748 +0200
+++ /.snapshots/1354/snapshot/etc/login.defs.d/70-yast.defs 2024-07-19 18:24:07.444027813 +0200
@@ -10,4 +10,4 @@
SYS_UID_MIN 100
SYS_GID_MAX 499
SYS_GID_MIN 100
-UMASK 022
+UMASK 002
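Review bot: the key changed on the last line of this hunk is UMASK, which the login.defs(5) text quoted in this report says is also used by login to define users' initial umask, so moving it from 022 to 002 clears the group-write bit from the default mask of every session that does not set its own. If the intent is only the mode of newly created home directories, the HOME_MODE key quoted in this report is the setting scoped to that, and this line could stay at 022.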
And this changes directly the umask for all new logins:
su --login root
Password:
pluto:~ # umask
0002
su --login alibaba
Password:
alibaba@pluto:~> umask
0002
IMO the yast stores the 'Defaults for New Users' -> 'Umask for Home Directory' in an inappropriate place and/or with an inappropriate name.
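An audit for the condition reported in this thread, as an added example that is not openSUSE, YaST or PAM code: it lists every UMASK and HOME_MODE setting under the login.defs locations named above and warns when a UMASK leaves group or other write enabled. The ROOT parameter, the function names and the sample tree are assumptions made for the example; the script assumes no precedence between the files.

```sh
#!/bin/sh
# Added example. ROOT is a hypothetical parameter so the check can run against
# a snapshot or a test tree instead of the live system.

# Print "file key value" for every UMASK / HOME_MODE line in the login.defs
# locations named in this report. No precedence between files is assumed.
login_defs_settings() {
    root=${1:-}
    for f in "$root/etc/login.defs" "$root"/etc/login.defs.d/*.defs \
             "$root/usr/etc/login.defs"; do
        [ -f "$f" ] || continue
        awk -v file="${f#"$root"}" \
            '$1 == "UMASK" || $1 == "HOME_MODE" { print file, $1, $2 }' "$f"
    done
}

# Succeed if the octal mask leaves group or other write permission enabled.
umask_allows_shared_write() {
    case $1 in ''|*[!0-7]*) return 1 ;; esac   # reject non-octal input
    [ $(( 0$1 & 022 )) -ne $(( 022 )) ]
}

# Warn on each permissive UMASK; note when HOME_MODE is absent everywhere.
audit_login_defs() {
    settings=$(login_defs_settings "$1")
    printf '%s\n' "$settings" | while read -r file key value; do
        if [ "$key" = UMASK ] && umask_allows_shared_write "$value"; then
            echo "WARN $file: UMASK $value leaves group/other write enabled"
        fi
    done
    if ! printf '%s\n' "$settings" | grep -q ' HOME_MODE '; then
        echo "NOTE no HOME_MODE set; home directory mode derives from UMASK"
    fi
}

# Constructed sample tree mirroring the Tumbleweed layout described above.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/login.defs.d" "$t/usr/etc"
    printf 'UMASK 022\n' > "$t/usr/etc/login.defs"   # constructed content
    printf 'SYS_GID_MIN 100\nUMASK 002\n' > "$t/etc/login.defs.d/70-yast.defs"
    echo "$t"
}

audit_login_defs "$(make_demo_tree)"
```

Run against a live system with `audit_login_defs ""`, or pass a snapshot directory such as the ones compared in the diff above.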