Testing further, the newer versions of the pam_mkhomedir module honour the umask set in /etc/login.defs. So this has already been made consistent across tools (useradd & so on). So the problem only exists in Jammy & older Ubuntu releases.

pam_mkhomedir: the relevant part in /etc/login.defs (from Noble):

```
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
HOME_MODE 0750
```

This HOME_MODE is a recent addition and doesn't exist in Jammy or older. The pam_mkhomedir module honours this now. But anything specified in the "argv" will override it and will work in exactly the same way. This was done through the change:

```
pam_mkhomedir: use HOME_MODE or UMASK from /etc/login.defs.

Follow the example of useradd(8) and set the user home directory mode to
the value of HOME_MODE or UMASK configuration item from /etc/login.defs
when umask option is not specified.
```

However, to not have HOME's umask in too many places, I think it's better to have the Plucky change reverted so that there's one less config file with a umask. To be clear, there's no problem as such with:
https://git.launchpad.net/ubuntu/+source/pam/commit/?id=c576b5c19abb383ce53dfc10a986d7cf164eaeaf
but I am of the opinion that having one source less is better. Besides, Plucky was unaffected by this issue due to HOME_MODE's existence now. So I believe the correct approach is to SRU the fix only for older releases (Jammy & Focal). To that end, I request Alex to revert the Plucky merge.

Sorry Alex, I should have checked the newer releases for any potential fixes before proposing mine! Hopefully, it's a straightforward revert.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1957024

Title:
  pam-mkhomedir does not honor private home directories

Status in pam package in Ubuntu:
  Fix Released
Status in pam source package in Jammy:
  In Progress
Status in pam source package in Noble:
  In Progress

Bug description:
  [Impact]

  A common situation is to have a central set of users (e.g. in LDAP) and use pam_mkhomedir.so to create the home directory when the user first logs in. These changes do not cover this situation. The default configuration of pam_mkhomedir.so will result in a home directory created with 0755 permissions.

  To make pam_mkhomedir.so create a home directory by default with permissions consistent with the other tools, a umask argument can be added to the pam_mkhomedir.so module in the file /usr/share/pam-configs/mkhomedir. I believe this would have to be done before enabling the module. The file is part of the libpam-modules package.

  [Test plan]

  1. Test with current defaults and confirm the permission is 0755 for the home directory.

```
# enable pam_mkhomedir.so configuration
pam-auth-update --enable mkhomedir
# create a user with adduser that creates the home directory
adduser --disabled-password --gecos adduser homemadebyadduser
# create a user with useradd that creates the home directory
useradd --create-home homemadebyuseradd
# create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
useradd --no-create-home homemadebymkhomedir
# trigger pam_mkhomedir.so to create the home directory
su - homemadebymkhomedir -c exit
# verify the permissions are 0755 for the one created by pam and 0750 for the one by adduser
root@ubuntu:~# ls -al /home
```

  2. Install the package with the fix.

```
# enable mkhomedir again
pam-auth-update --enable mkhomedir
# create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
useradd --no-create-home homemadebymkhomedirpatch
# trigger pam_mkhomedir.so to create the home directory
su - homemadebymkhomedirpatch -c exit
# verify that the home dir created by pam has 0750 as well
```

  [Where problems could occur]

  This could result in inconsistent permissions between existing home directories created by pam (before the fix) and the ones created with this fix. While there's no reason to believe it could result in any actual issues, this can be mitigated by changing the existing home directories to have 0750 for consistency.

  Anyone in the 'others' group will lose access to the home directories of the rest of the users whose $HOME was created by pam. That behaviour should be treated as unexpected, as that is how adduser's $HOME will behave. In general, one is not expected to have access to the $HOME of others. In the absolute pathological cases, where it's desired to give $HOME to everyone, the permissions can be adjusted manually and the umask can be changed in the conf file on those systems. But this should be treated as a 'workaround' and non-standard behaviour.

  [Other info]

  This has been at https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533/13: And agreed that (1) having $HOME consistent across tools is the right behaviour and (2) 0750 is the desired permission for $HOME.

  This has been merged into Plucky already:
  https://git.launchpad.net/ubuntu/+source/pam/commit/?id=c576b5c19abb383ce53dfc10a986d7cf164eaeaf

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
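As an added example (not code from the bug report or from the pam package), the script below derives the home-directory mode the way useradd(8) and the patched pam_mkhomedir do (HOME_MODE from /etc/login.defs, else 0777 with the UMASK bits cleared) and audits an existing home tree for directories still at the old 0755, which is the consistency clean-up the "Where problems could occur" section describes. The login.defs content, user names and directory layout are constructed, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the pam package: derive the
# mode useradd(8) and the patched pam_mkhomedir give new home directories from
# /etc/login.defs (HOME_MODE, else 0777 with the UMASK bits cleared) and audit
# an existing home tree for directories that do not match, e.g. 0755 homes made
# by the unpatched module. Needs GNU stat. Every path used here is constructed.

# expected_home_mode LOGIN_DEFS -> prints the mode as four octal digits.
expected_home_mode() {
    defs="$1"
    mode=$(sed -n 's/^[[:space:]]*HOME_MODE[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$defs" | tail -n 1)
    if [ -n "$mode" ]; then
        printf '%04o\n' "$((0$mode))"   # leading 0 forces octal in $(( ))
        return 0
    fi
    um=$(sed -n 's/^[[:space:]]*UMASK[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$defs" | tail -n 1)
    [ -n "$um" ] || um=022              # assumed fallback when UMASK is unset
    printf '%04o\n' "$((0777 & ~0$um))"
}

# audit_home_modes ROOT WANT -> prints each direct subdirectory of ROOT whose
# mode differs from WANT; exit status 1 if any mismatch was found, else 0.
audit_home_modes() {
    root="$1"; want="$2"; rc=0
    for d in "$root"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        raw=$(stat -c '%a' "$d")        # GNU stat: e.g. 755 or 2750
        have=$(printf '%04o' "$((0$raw))")
        if [ "$have" != "$want" ]; then
            printf '%s %s (expected %s)\n' "$d" "$have" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed tree: alice's home at 0750, bob's left at 0755.
demo_root=$(mktemp -d)
printf 'UMASK\t\t022\nHOME_MODE\t0750\n' > "$demo_root/login.defs"
mkdir -p "$demo_root/home/alice" "$demo_root/home/bob"
chmod 0750 "$demo_root/home/alice"; chmod 0755 "$demo_root/home/bob"
want=$(expected_home_mode "$demo_root/login.defs")
if audit_home_modes "$demo_root/home" "$want"; then
    echo "all homes match $want"
else
    echo "mismatches above; fix with chmod $want <dir>"
fi
rm -rf "$demo_root"
```

On a Jammy or Focal system without HOME_MODE, the same script falls back to UMASK, so a login.defs with UMASK 027 yields 0750 and the default 022 yields 0755, which is exactly the inconsistency the bug describes.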