Bugzilla – Bug 1217414
changing default umask for new users homedir sets the current umask for ALL users including root
Last modified: 2024-07-19 16:38:34 UTC
When I change the default umask for new users home dir, the umask for all users (including root) is changed after login. This is not what I expect and may be dangerousö. OS version: openSUSE Tumbleweed 20231121 Steps to reproduce: 1. Check the umask setting for a user or root: su --login test2 Password: test2@localhost:~> umask 0022 2. Change the umask for home directory of new users: Yast->User and group management->Defaults for new users: Change umask for home directory to 002 3. Login as a user or root e.g 'su --login' su --login test2 Password: test2@localhost:~> umask 0002 The umask is changed for all users. This bug is almost the same as in Bugzilla – Bug 606249. But the behavior is obviously changed since then. In the current Tumbleweed version the YAST changes the UMASK in file /etc/login.defs.d/70-yast.defs And this seems to be enough to change the umask for the next login.
Created attachment 870921 [details] Screenshot: YaST Users -> Tab "Defaults for New Users"
Created attachment 870922 [details] Screenshot: Help text for that screen
man 5 login.defs: LOGIN.DEFS(5) File Formats and Conversions LOGIN.DEFS(5) NAME login.defs - shadow password suite configuration DESCRIPTION The /etc/login.defs file defines the site-specific configuration for the shadow password suite. This file is required. Absence of this file will not prevent system operation, but will probably result in undesirable operation. ... ... UMASK (number) The file mode creation mask is initialized to this value. If not specified, the mask will be initialized to 022. useradd and newusers use this mask to set the mode of the home directory they create if HOME_MODE is not set. It is also used by login to define users' initial umask. Note that this mask can be overridden by the user's GECOS line (if QUOTAS_ENAB is set) or by the specification of a limit with the K identifier in limits(5).
I have been working on Unix/Linux systems since the late 1980s. Back then it was always strongly advised that users set their own umask in one of the shell startup files to make sure they get the one that they want. It appears that this fell out of fashion over the decades, so now this falls back to some site-specific value. And this is obviously the value in /etc/login.defs, (Leap 15.5) or one of the files in /etc/login.defs.d. That is what the YaST users modules sets. It doesn't explicitly say so in the help text. This is admittedly an omission, but we have to put a limit to the text there; it's not a subsitute for the system documentation, and those things are subject to change between different products and between releases. So, is this suprising? I am not so sure. I have always made sure to set the umask explicitly. Is it dangerous? I don't think so. No responsible sysadmin would set this global default umask to a very permissive value; much more likely it will be set to a very restrictive one. And let's not forget that the umask is only a default, so we are talking about the default of a default. For every file that you create, especially as root, it is always advised to check the permissions if they are set to make that file usable for whoever is supposed to use it. In most cases, no other users need to use it. For directories, it has to be decided on a case-by-case basis. Having said that, this is not at all a YaST specific issue; it is how the system is designed and configured by default. It is certainly easier to change the umask at a central place like /etc/login.defs or a file in /etc/login.defs.d than advising all users on a system to change it manually in one of their shell startup files. But if users decide they have a need for a different umask, they can always override the default with their own settings; and I personally would always do that. And on my systems, I also always do that for root.
Let's hear what our security team has to say about this.
Maybe it's not really dangerous. But is at least very confusing behavior. It was also reported as a bug once (Bug 606249) and has been fixed. There is also a crucial difference between Leap 15.5 and Tumbleweed: In Leap, the value 'Umask for Home Directory' only sets the permissions for the home directory. The umask for new logins is unchanged (022). - This is what I expect and the help text also describes. In Tumbleweed, the value 'Umask for Home Directory' sets the permissions for the home directory of the newly created user AND the umask for all new logins (of all users). This changes the system behavior for all other users (including root) if the umask is not explicitly set in the profile or elsewhere. The standard configuration (profile, bashrc ..) does not set the UMASK. (See also https://en.opensuse.org/SDB:Set_UMASK) If you look at the configuration files in Tumbleweed, you will see that there is no file '/etc/login.defs'. There is only '/usr/etc/login.defs'. It seems that the PAM module reads the default umask directly from the file '/etc/login.defs.d/70-yast.defs' if '/etc/login.defs' does not exist. Why isn't the 'Umask for Home Directory' saved as the HOME_MODE variable? man login.defs ... HOME_MODE (number) The mode for new home directories. If not specified, the UMASK is used to create the mode.
Yes, in TW many files were already migrated from /etc to /usr/etc, and many packages / subsystems now use a /usr/etc/something.d directory instead of formerly a single /etc/something config file. But that doesn't change the principle.
This change makes the difference: In TW (it seems) that the pam_umask evaluates files in /etc/login.defs.d/ before file /usr/etc/login.defs. And thus the UMASK entry in /etc/login.defs.d/70-yast.defs causes the strange behavior. In Leap: pam_umask ignores obviously files in /etc/login.defs.d
I am going to GUESS that yast is modifying "/etc/login.defs", which is part of pam. I played with this some time back and could not find a way to exclude root. See the pam_umask man page: The PAM module tries to get the umask value from the following places in the following order: • umask= entry in the user's GECOS field • umask= argument • UMASK= entry from /etc/login.defs • UMASK= entry from /etc/default/login The GECOS field is split on comma ',' characters. The module also in addition to the umask= entry recognizes pri= entry, which sets the nice priority value for the session, and ulimit= entry, which sets the maximum size of files the processes in the session can create.
No. In TW there is no /etc/login.defs: ll /etc/login.defs ls: cannot access '/etc/login.defs': No such file or directory The yast changes the file /etc/login.defs.d/70-yast.defs: --- /.snapshots/1353/snapshot/etc/login.defs.d/70-yast.defs 2024-06-21 18:40:27.621291748 +0200 +++ /.snapshots/1354/snapshot/etc/login.defs.d/70-yast.defs 2024-07-19 18:24:07.444027813 +0200 @@ -10,4 +10,4 @@ SYS_UID_MIN 100 SYS_GID_MAX 499 SYS_GID_MIN 100 -UMASK 022 +UMASK 002 And this changes directly the umask for all new logins: su --login root Password: pluto:~ # umask 0002 su --login alibaba Password: alibaba@pluto:~> umask 0002 IMO the yast stores the 'Defaults for New Users' -> 'Umask for Home Directory' in an inappropriate place and/or with an inappropriate name.