add new HOME_MODE login.defs(5) option

This option can be used to set a separate mode for useradd(8) and
newusers(8) to create the home directories with.
If this option is not set, the current behavior of using UMASK
or the default umask is preserved.

There are many distributions that set UMASK to 077 by default just
to create home directories not readable by others and use things like
/etc/profile, bashrc or sudo configuration files to set a less
restrictive
umask. This has always resulted in bug reports because it is hard
to follow as users tend to change files like bashrc and are not about
setting the umask to counteract the umask set in /etc/login.defs.

A recent change in sudo has also resulted in many bug reports about
this. sudo now tries to respect the umask set by pam modules and on
systems where pam does not set a umask, the login.defs UMASK value is
used.
This commit is contained in:
Duncan Overbruck 2020-01-11 22:19:37 +01:00
parent ed4a0157c4
commit 085d04c3dd
No known key found for this signature in database
GPG Key ID: 335C1D17EC3D6E35
9 changed files with 66 additions and 7 deletions

View File

@ -195,12 +195,17 @@ KILLCHAR 025
# Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories. # home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered # 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin # for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind. # must make up their mind.
UMASK 022 UMASK 022
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
# home directories.
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
#HOME_MODE 0700
# #
# Password aging controls: # Password aging controls:
# #

View File

@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
{"FAKE_SHELL", NULL}, {"FAKE_SHELL", NULL},
{"GID_MAX", NULL}, {"GID_MAX", NULL},
{"GID_MIN", NULL}, {"GID_MIN", NULL},
{"HOME_MODE", NULL},
{"HUSHLOGIN_FILE", NULL}, {"HUSHLOGIN_FILE", NULL},
{"KILLCHAR", NULL}, {"KILLCHAR", NULL},
{"LASTLOG_UID_MAX", NULL}, {"LASTLOG_UID_MAX", NULL},

View File

@ -50,6 +50,7 @@
<!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml"> <!ENTITY FAKE_SHELL SYSTEM "login.defs.d/FAKE_SHELL.xml">
<!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml"> <!ENTITY FTMP_FILE SYSTEM "login.defs.d/FTMP_FILE.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml"> <!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
<!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml"> <!ENTITY HUSHLOGIN_FILE SYSTEM "login.defs.d/HUSHLOGIN_FILE.xml">
<!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml"> <!ENTITY ISSUE_FILE SYSTEM "login.defs.d/ISSUE_FILE.xml">
<!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml"> <!ENTITY KILLCHAR SYSTEM "login.defs.d/KILLCHAR.xml">
@ -185,6 +186,7 @@
&FAKE_SHELL; &FAKE_SHELL;
&FTMP_FILE; &FTMP_FILE;
&GID_MAX; <!-- documents also GID_MIN --> &GID_MAX; <!-- documents also GID_MIN -->
&HOME_MODE;
&HUSHLOGIN_FILE; &HUSHLOGIN_FILE;
&ISSUE_FILE; &ISSUE_FILE;
&KILLCHAR; &KILLCHAR;
@ -401,6 +403,7 @@
ENCRYPT_METHOD ENCRYPT_METHOD
GID_MAX GID_MIN GID_MAX GID_MIN
MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
HOME_MODE
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
<phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS <phrase condition="sha_crypt">SHA_CRYPT_MAX_ROUNDS
SHA_CRYPT_MIN_ROUNDS</phrase> SHA_CRYPT_MIN_ROUNDS</phrase>
@ -481,6 +484,7 @@
<para> <para>
CREATE_HOME CREATE_HOME
GID_MAX GID_MIN GID_MAX GID_MIN
HOME_MODE
LASTLOG_UID_MAX LASTLOG_UID_MAX
MAIL_DIR MAX_MEMBERS_PER_GROUP MAIL_DIR MAX_MEMBERS_PER_GROUP
PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE

View File

@ -0,0 +1,43 @@
<!--
Copyright (c) 1991 - 1993, Julianne Frances Haugh
Copyright (c) 1991 - 1993, Chip Rosenthal
Copyright (c) 2007 - 2009, Nicolas François
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the copyright holders or contributors may not be used to
endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<varlistentry>
<term><option>HOME_MODE</option> (number)</term>
<listitem>
<para>
The mode for new home directories. If not specified,
the <option>UMASK</option> is used to create the mode.
</para>
<para>
<command>useradd</command> and <command>newusers</command> use this
to set the mode of the home directory they create.
</para>
</listitem>
</varlistentry>

View File

@ -37,7 +37,8 @@
</para> </para>
<para> <para>
<command>useradd</command> and <command>newusers</command> use this <command>useradd</command> and <command>newusers</command> use this
mask to set the mode of the home directory they create mask to set the mode of the home directory they create if
<option>HOME_MODE</option> is not set.
</para> </para>
<para condition="no_pam"> <para condition="no_pam">
It is also used by <command>login</command> to define users' initial It is also used by <command>login</command> to define users' initial

View File

@ -32,6 +32,7 @@
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml"> <!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml"> <!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml"> <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml"> <!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
<!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml"> <!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
@ -382,6 +383,7 @@
</variablelist> </variablelist>
<variablelist> <variablelist>
&GID_MAX; <!-- documents also GID_MIN --> &GID_MAX; <!-- documents also GID_MIN -->
&HOME_MODE;
&MAX_MEMBERS_PER_GROUP; &MAX_MEMBERS_PER_GROUP;
</variablelist> </variablelist>
<variablelist condition="no_pam"> <variablelist condition="no_pam">

View File

@ -32,6 +32,7 @@
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY CREATE_HOME SYSTEM "login.defs.d/CREATE_HOME.xml"> <!ENTITY CREATE_HOME SYSTEM "login.defs.d/CREATE_HOME.xml">
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml"> <!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
<!ENTITY LASTLOG_UID_MAX SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml"> <!ENTITY LASTLOG_UID_MAX SYSTEM "login.defs.d/LASTLOG_UID_MAX.xml">
<!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml"> <!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml">
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml"> <!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
@ -681,6 +682,7 @@
<variablelist> <variablelist>
&CREATE_HOME; &CREATE_HOME;
&GID_MAX; <!-- documents also GID_MIN --> &GID_MAX; <!-- documents also GID_MIN -->
&HOME_MODE;
&LASTLOG_UID_MAX; &LASTLOG_UID_MAX;
&MAIL_DIR; &MAIL_DIR;
&MAX_MEMBERS_PER_GROUP; &MAX_MEMBERS_PER_GROUP;

View File

@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
if ( ('\0' != fields[5][0]) if ( ('\0' != fields[5][0])
&& (access (newpw.pw_dir, F_OK) != 0)) { && (access (newpw.pw_dir, F_OK) != 0)) {
/* FIXME: should check for directory */ /* FIXME: should check for directory */
mode_t msk = 0777 & ~getdef_num ("UMASK", mode_t mode = getdef_num ("HOME_MODE",
GETDEF_DEFAULT_UMASK); 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
if (mkdir (newpw.pw_dir, msk) != 0) { if (mkdir (newpw.pw_dir, mode) != 0) {
fprintf (stderr, fprintf (stderr,
_("%s: line %d: mkdir %s failed: %s\n"), _("%s: line %d: mkdir %s failed: %s\n"),
Prog, line, newpw.pw_dir, Prog, line, newpw.pw_dir,

View File

@ -2155,8 +2155,9 @@ static void create_home (void)
} }
(void) chown (prefix_user_home, user_id, user_gid); (void) chown (prefix_user_home, user_id, user_gid);
chmod (prefix_user_home, mode_t mode = getdef_num ("HOME_MODE",
0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
chmod (prefix_user_home, mode);
home_added = true; home_added = true;
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog, audit_logger (AUDIT_ADD_USER, Prog,