Hello all,

I created a branch and merge proposal [1] for this, it's working
nicely here. Thanks to pam-auth-update pam_umask also gets added on
upgrade.

I also attach the changes as a patch for offline convenience.

If you are happy with this, I can also send a patch for
http://bugs.debian.org/583971 to update the documentation comments in
login.defs, but C. Gatzemeier's proposed comment already sounds good
to me (just needs some tiny adjustments for the "usergroups" option
deprecation).

Thanks,

Martin

[1] https://code.launchpad.net/~pitti/pam/pam-umask/+merge/65451
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
=== modified file 'debian/changelog'
--- debian/changelog    2011-06-07 08:49:28 +0000
+++ debian/changelog    2011-06-22 07:44:50 +0000
@@ -1,8 +1,19 @@
 pam (1.1.3-1ubuntu3) UNRELEASED; urgency=low
 
+  [ Steve Langasek ]
   * debian/patches/pam_motd-legal-notice: use pam_modutil_gain/drop_priv
     common helper functions, instead of hand-rolled uid-setting code.
 
+  [ Martin Pitt ]
+  * debian/local/common-session{,-noninteractive}: Enable pam_umask by
+    default, now that the umask setting is gone from /etc/profile.
+    (LP: #253096, UbuntuSpec:umask-to-0002)
+  * Add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
+    Deprecate pam_unix' explicit "usergroups" option and instead read it from
+    /etc/login.def's "USERGROUP_ENAB" option if umask is only defined there.
+    This restores compatibility with the pre-PAM behaviour of login.
+    (Closes: #583958)
+
  -- Steve Langasek <steve.langa...@ubuntu.com>  Tue, 07 Jun 2011 01:36:44 -0700
 
 pam (1.1.3-1ubuntu2) oneiric; urgency=low

=== modified file 'debian/local/common-session'
--- debian/local/common-session 2009-01-08 06:43:32 +0000
+++ debian/local/common-session 2011-06-22 06:54:59 +0000
@@ -20,6 +20,11 @@
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 session        required                        pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional                       pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 $session_additional
 # end of pam-auth-update config
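Review bot: The comment added above `session optional pam_umask.so` does not say that the effective mask can end up looser than the UMASK value in /etc/login.defs. With the pam_umask patch in this same proposal, `USERGROUPS_ENAB yes` in login.defs switches on usergroups whenever the umask is taken from that file. Per the man page text in the patch, this copies the owner bits to the group bits (022 -> 002) when the user name equals the primary group name. I would add a line such as `# If USERGROUPS_ENAB is "yes" in /etc/login.defs, the group bits follow the owner bits for users whose primary group has the same name.` so administrators who rely on 022 know where to look. The same applies to the identical hunk in debian/local/common-session-noninteractive.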

=== modified file 'debian/local/common-session-noninteractive'
--- debian/local/common-session-noninteractive  2009-08-18 23:25:06 +0000
+++ debian/local/common-session-noninteractive  2011-06-22 06:54:36 +0000
@@ -20,6 +20,11 @@
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 session        required                        pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional                       pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 $session_nonint_additional
 # end of pam-auth-update config

=== added file 'debian/patches-applied/pam_umask_usergroups_from_login.defs.patch'
--- debian/patches-applied/pam_umask_usergroups_from_login.defs.patch   1970-01-01 00:00:00 +0000
+++ debian/patches-applied/pam_umask_usergroups_from_login.defs.patch   2011-06-22 07:46:04 +0000
@@ -0,0 +1,90 @@
+Description: Deprecate pam_unix' explicit "usergroups" option and instead read it from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined there. This restores compatibility with the pre-PAM behaviour of login. See https://blueprints.launchpad.net/ubuntu/+spec/umask-to-0002.
+Author: Martin Pitt <martin.p...@ubuntu.com>
+Bug-Debian: http://bugs.debian.org/583958
+
+=== modified file 'modules/pam_umask/pam_umask.c'
+Index: pam/modules/pam_umask/pam_umask.c
+===================================================================
+--- pam.orig/modules/pam_umask/pam_umask.c     2011-06-22 09:42:53.437351755 +0200
++++ pam/modules/pam_umask/pam_umask.c  2011-06-22 09:45:26.927354878 +0200
+@@ -87,7 +87,7 @@
+ }
+ 
+ static char *
+-search_key (const char *filename)
++search_key (const char *filename, const char *key)
+ {
+   FILE *fp;
+   char *buf = NULL;
+@@ -142,7 +142,7 @@
+         while (isspace ((int)*cp) || *cp == '=')
+           ++cp;
+ 
+-      if (strcasecmp (tmp, "UMASK") == 0)
++      if (strcasecmp (tmp, key) == 0)
+       {
+         retval = strdup (cp);
+         break;
+@@ -159,15 +159,34 @@
+ get_options (const pam_handle_t *pamh, options_t *options,
+            int argc, const char **argv)
+ {
++  char *result;
++
+   memset (options, 0, sizeof (options_t));
+   /* Parse parameters for module */
+   for ( ; argc-- > 0; argv++)
+     parse_option (pamh, *argv, options);
+ 
+   if (options->umask == NULL)
+-    options->umask = search_key (LOGIN_DEFS);
++    {
++      options->umask = search_key (LOGIN_DEFS, "UMASK");
++      /* login.defs' USERGROUPS_ENAB will modify the UMASK setting there by way
++       * of usergroups; but we don't want it to influence umask definitions
++       * from other places (like GECOS). This restores compatibility with
++       * shadow from the pre-PAM age.
++       */ 
++      if (options->umask != NULL)
++      {
++        result = search_key (LOGIN_DEFS, "USERGROUPS_ENAB");
++        if (result != NULL)
++          {
++            options->usergroups = (strcasecmp (result, "yes") == 0);
++            free (result);
++          }
++      }
++    }
++
+   if (options->umask == NULL)
+-    options->umask = search_key (LOGIN_CONF);
++    options->umask = search_key (LOGIN_CONF, "UMASK");
+ 
+   return 0;
+ }
+Index: pam/modules/pam_umask/pam_umask.8.xml
+===================================================================
+--- pam.orig/modules/pam_umask/pam_umask.8.xml 2011-06-22 09:45:38.997355122 +0200
++++ pam/modules/pam_umask/pam_umask.8.xml      2011-06-22 09:45:44.147355228 +0200
+@@ -73,7 +73,8 @@
+         </listitem>
+         <listitem>
+           <para>
+-            UMASK entry from /etc/login.defs
++            UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB in
++          /etc/login.defs)
+           </para>
+         </listitem>
+       </itemizedlist>
+@@ -118,6 +119,11 @@
+               If the user is not root and the username is the same as
+               primary group name, the umask group bits are set to be the
+               same as owner bits (examples: 022 -> 002, 077 -> 007).
++            Note that using this option explicitly is discouraged. pam_umask
++            enables this functionality by default if /etc/login.defs enables
++            USERGROUPS_ENAB, and the umask is not set explicitly in other
++            places than /etc/login.defs (this is compatible with login's
++            behaviour without PAM).
+             </para>
+           </listitem>
+         </varlistentry>
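Review bot: In get_options, `options->usergroups = (strcasecmp (result, "yes") == 0);` assigns unconditionally, so any USERGROUPS_ENAB value other than "yes" also clears a `usergroups` flag that parse_option may already have set from the module arguments (presumably it does; parse_option is outside the hunk), while the man page addition only calls the explicit option discouraged, not ignored. Either state that precedence in the code comment and in pam_umask.8.xml, or only ever raise the flag with `if (strcasecmp (result, "yes") == 0) options->usergroups = 1;`, keeping in mind that this choice decides whether login.defs can veto a looser mask. The comparison is also exact, and the visible search_key lines do not show trailing whitespace being trimmed, so a value like `yes ` may read as disabled; that fails towards the stricter mask but deserves a test. Separately, the Description header says `pam_unix'` and `USERGROUP_ENAB`, whereas the patched module is pam_umask and the code looks up `USERGROUPS_ENAB`.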

=== modified file 'debian/patches-applied/series'
--- debian/patches-applied/series       2011-05-13 13:03:15 +0000
+++ debian/patches-applied/series       2011-06-22 07:39:45 +0000
@@ -25,3 +25,4 @@
 ubuntu-rlimit_nice_correction 
 update-motd-manpage-ref
 lib_security_multiarch_compat
+pam_umask_usergroups_from_login.defs.patch
