
Re: UPG and the default umask



On Mon, May 17, 2010 at 13:26:04 (CEST), Mike Hommey wrote:

>> I believe the pam umask module is the way to go according to
>> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_umask.html
>> 
>>  [option] usergroups
>> 
>>     If the user is not root, and the user ID is equal to the group ID,
>> and the username is the same as primary group name, the umask group
>> bits are set to be the same as owner bits (examples: 022 -> 002, 077
>> -> 007).
>
Let's have a look at the source. Note that options->usergroups is set
iff the option "usergroups" is used.

,----[modules/pam_umask/pam_umask.c]
| /* Set the process nice, ulimit, and umask from the
|    password file entry.  */
| static void
| setup_limits_from_gecos (pam_handle_t *pamh, options_t *options,
| 			 struct passwd *pw)
| {
|   char *cp;
| 
|   if (options->usergroups)
|     {
|       /* if not root, and UID == GID, and username is the same as
| 	 primary group name, set umask group bits to be the same as
| 	 owner bits (examples: 022 -> 002, 077 -> 007).  */
|       if (pw->pw_uid != 0 && pw->pw_uid == pw->pw_gid)
| 	{
| 	  struct group *grp = pam_modutil_getgrgid (pamh, pw->pw_gid);
| 	  if (grp && (strcmp (pw->pw_name, grp->gr_name) == 0))
| 	    {
| 	      mode_t oldmask = umask (0777);
| 	      umask ((oldmask & ~070) | ((oldmask >> 3) & 070));
| 	    }
|         }
|     }
| 
|   /* See if the GECOS field contains values for NICE, UMASK or ULIMIT.  */
|   for (cp = pw->pw_gecos; cp != NULL; cp = strchr (cp, ','))
|     {
|       if (*cp == ',')
| 	cp++;
| 
|       if (strncasecmp (cp, "umask=", 6) == 0)
| 	umask (strtol (cp + 6, NULL, 8) & 0777);
|       else if (strncasecmp (cp, "pri=", 4) == 0)
| 	{
| 	  errno = 0;
| 	  if (nice (strtol (cp + 4, NULL, 10)) == -1 && errno != 0)
| 	    {
| 	      if (!options->silent || options->debug)
| 		pam_error (pamh, "nice failed: %m\n");
| 	      pam_syslog (pamh, LOG_ERR, "nice failed: %m");
| 	    }
| 	}
|       else if (strncasecmp (cp, "ulimit=", 7) == 0)
| 	{
| 	  struct rlimit rlimit_fsize;
| 	  rlimit_fsize.rlim_cur = 512L * strtol (cp + 7, NULL, 10);
| 	  rlimit_fsize.rlim_max = rlimit_fsize.rlim_cur;
| 	  if (setrlimit (RLIMIT_FSIZE, &rlimit_fsize) == -1)
| 	    {
| 	      if (!options->silent || options->debug)
| 		pam_error (pamh, "setrlimit failed: %m\n");
| 	      pam_syslog (pamh, LOG_ERR, "setrlimit failed: %m");
| 	    }
|         }
|     }
| }
| 
`----

This part of pam seems to match the documentation in pam_umask(8).

> And it was said in this thread that UID == GID is not always true with
> UPG. You only need to create a group for that to become false for users
> you would create afterwards.

I'd say if Debian's idea of UPG doesn't match pam's, we should either
change the pam implementation or the implementation of Debian's UPG
concept to match each other.

In any case, using pam_umask by default seems to be the best approach so far.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
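
The check discussed in the message above, as an added example that is not part of the original mail or of Linux-PAM: it applies the same three conditions and mask arithmetic as the quoted `usergroups` branch to a few accounts, including a UPG user whose GID no longer equals the UID. The names `struct acct`, `usergroups_mask` and `effective_umask` are hypothetical, and the sample accounts are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed account record: the fields the quoted code reads. */
struct acct {
    const char *user;   /* pw_name */
    uid_t uid;          /* pw_uid */
    gid_t gid;          /* pw_gid */
    const char *group;  /* gr_name of the primary group */
};

/* Mask arithmetic from the quoted source: group bits := owner bits. */
mode_t usergroups_mask(mode_t oldmask)
{
    return (oldmask & ~(mode_t)070) | ((oldmask >> 3) & 070);
}

/* Same conditions as the quoted source, without changing the process umask. */
mode_t effective_umask(const struct acct *a, mode_t base)
{
    if (a->uid != 0 && a->uid == (uid_t)a->gid
        && strcmp(a->user, a->group) == 0)
        return usergroups_mask(base);
    return base;
}

int main(void)
{
    /* Constructed sample accounts, not taken from any real system. */
    const struct acct accts[] = {
        { "alice", 1000, 1000, "alice" },  /* UPG, UID == GID */
        { "bob",   1001, 1002, "bob"   },  /* UPG, GID shifted by an extra group */
        { "carol", 1003, 1003, "staff" },  /* UID == GID, group name differs */
        { "root",  0,    0,    "root"  },  /* root is always excluded */
    };
    for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++)
        printf("%-6s uid=%-5u gid=%-5u group=%-6s 022 -> %03o\n",
               accts[i].user, (unsigned)accts[i].uid, (unsigned)accts[i].gid,
               accts[i].group, (unsigned)effective_umask(&accts[i], 022));
    return 0;
}
```

Only the first account gets its group bits relaxed; the second is a user-private-group account in every practical sense, yet keeps 022 because of the UID == GID test.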

