Re: UPG and the default umask
* Reinhard Tartler <siretart@debian.org> [100517 08:56]:
> Let's have a look at the source. Note that options->usergroups is set
> iff the option "usergroups" is used.
>
> ,----[modules/pam_umask/pam_umask.c]
> | /* Set the process nice, ulimit, and umask from the
> |    password file entry. */
> | static void
> | setup_limits_from_gecos (pam_handle_t *pamh, options_t *options,
> |                          struct passwd *pw)
> | {
> |   char *cp;
> |
> |   if (options->usergroups)
> |     {
> |       /* if not root, and UID == GID, and username is the same as
> |          primary group name, set umask group bits to be the same as
> |          owner bits (examples: 022 -> 002, 077 -> 007). */
> |       if (pw->pw_uid != 0 && pw->pw_uid == pw->pw_gid)
> |         {
> |           struct group *grp = pam_modutil_getgrgid (pamh, pw->pw_gid);
> |           if (grp && (strcmp (pw->pw_name, grp->gr_name) == 0))
> |             {
> |               mode_t oldmask = umask (0777);
> |               umask ((oldmask & ~070) | ((oldmask >> 3) & 070));
> |             }
> |         }
> |     }
> `----
>
> This part of pam seems to match the documentation in pam_umask(8).
>
> > And it was said in this thread that UID == GID is not always true with
> > UPG. You only need to create a group for that to become false for users
> > you would create afterwards.
>
> I'd say if Debian's idea of UPG doesn't match pam's, we should either
> change the pam implementation or the implementation of Debian's UPG
> concept to match each other.
>
> In any case, using pam_umask by default seems to be the best approach so far.
This looks like a bug in pam_umask. UPG has never guaranteed uid=gid.
I'll file a bug.
...Marvin
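
The check discussed above, as an added example that is not part of the original message or of pam: the quoted mask arithmetic and decision are rewritten as pure functions so the case of a private group whose GID differs from the UID can be run directly. The function names, the constructed accounts (alice, bob) and the name-only variant are assumptions for illustration, not a patch proposed in this thread.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Same arithmetic as the quoted excerpt: copy the owner bits of the
   mask into the group bits, leaving owner and other bits untouched. */
static mode_t relax_group_bits(mode_t mask)
{
    return (mask & ~(mode_t)070) | ((mask >> 3) & 070);
}

/* Decision as in the quoted excerpt: non-root, UID == GID, and the
   user name equals the primary group name. */
static mode_t umask_quoted_check(mode_t mask, uid_t uid, gid_t gid,
                                 const char *user, const char *group)
{
    if (uid != 0 && uid == gid && group && strcmp(user, group) == 0)
        return relax_group_bits(mask);
    return mask;
}

/* Hypothetical variant for comparison only (an assumption, not a patch
   from the thread): same test without the UID == GID requirement. */
static mode_t umask_name_only_check(mode_t mask, uid_t uid,
                                    const char *user, const char *group)
{
    if (uid != 0 && group && strcmp(user, group) == 0)
        return relax_group_bits(mask);
    return mask;
}

int main(void)
{
    /* Constructed accounts: alice has uid == gid; bob's private group
       got a different gid because another group was created first. */
    printf("alice 1000/1000: %03o\n",
           (unsigned)umask_quoted_check(022, 1000, 1000, "alice", "alice"));
    printf("bob   1001/1002: %03o (quoted check)\n",
           (unsigned)umask_quoted_check(022, 1001, 1002, "bob", "bob"));
    printf("bob   1001/1002: %03o (name-only)\n",
           (unsigned)umask_name_only_check(022, 1001, "bob", "bob"));
    printf("root  0/0:       %03o\n",
           (unsigned)umask_quoted_check(022, 0, 0, "root", "root"));
    return 0;
}
```

Note that the arithmetic sets the group bits from the owner bits regardless of the other bits, so a starting mask of 027 becomes 007.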