Here is a demonstration as requested in Discourse. These steps were run on a stock image of Ubuntu Impish taken from https://cloud-images.ubuntu.com/impish/current/.

Showing the inconsistent behavior of the default settings if the goal is private home directories. Both adduser and useradd create a home directory that is private but pam_mkhomedir.so does not.

# enable pam_mkhomedir.so configuration
pam-auth-update --enable mkhomedir

# create a user with adduser that creates the home directory
adduser --disabled-password --gecos adduser homemadebyadduser

# create a user with useradd that creates the home directory
useradd --create-home homemadebyuseradd

# create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
useradd --no-create-home homemadebymkhomedir

# trigger pam_mkhomedir.so to create the home directory
su - homemadebymkhomedir -c exit

The result is inconsistent permissions on the home directories.

root@ubuntu:~# ls -al /home
total 24
drwxr-xr-x  6 root                root                4096 Jan 11 03:27 .
drwxr-xr-x 19 root                root                4096 Jan 11 03:13 ..
drwxr-x---  2 homemadebyadduser   homemadebyadduser   4096 Jan 11 03:20 homemadebyadduser
drwxr-xr-x  2 homemadebymkhomedir homemadebymkhomedir 4096 Jan 11 03:27 homemadebymkhomedir
drwxr-x---  2 homemadebyuseradd   homemadebyuseradd   4096 Jan 11 03:23 homemadebyuseradd
drwxr-x---  4 ubuntu              ubuntu              4096 Jan 11 03:15 ubuntu

Configuring pam_mkhomedir.so to be consistent with the other tools.

# update pam_mkhomedir.so configuration
sed -i -e "s/pam_mkhomedir.so$/pam_mkhomedir.so umask=0027/" /usr/share/pam-configs/mkhomedir

# enable mkhomedir again
pam-auth-update --enable mkhomedir

# create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
useradd --no-create-home homemadebymkhomedirpatch

# trigger pam_mkhomedir.so to create the home directory
su - homemadebymkhomedirpatch -c exit

The result is the permissions are consistent with the other tools.

root@ubuntu:~# ls -l /home/
total 20
drwxr-x--- 2 homemadebyadduser        homemadebyadduser        4096 Jan 11 03:20 homemadebyadduser
drwxr-xr-x 2 homemadebymkhomedir      homemadebymkhomedir      4096 Jan 11 03:27 homemadebymkhomedir
drwxr-x--- 2 homemadebymkhomedirpatch homemadebymkhomedirpatch 4096 Jan 11 03:36 homemadebymkhomedirpatch
drwxr-x--- 2 homemadebyuseradd        homemadebyuseradd        4096 Jan 11 03:23 homemadebyuseradd
drwxr-x--- 4 ubuntu                   ubuntu                   4096 Jan 11 03:15 ubuntu

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1957024

Title:
  pam-mkhomedir does not honor private home directories

Status in pam package in Ubuntu:
  New

Bug description:
  As reported in https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533/13:

  A common situation is to have a central set of users (e.g. in LDAP) and use pam_mkhomedir.so to create the home directory when the user first logs in. These changes do not cover this situation. The default configuration of pam_mkhomedir.so will result in a home directory created with 0755 permissions.

  To make pam_mkhomedir.so create a home directory by default with permissions consistent with the other tools then a umask argument can be added to the pam_mkhomedir.so module in the file /usr/share/pam-configs/mkhomedir. I believe this would have to be done before enabling the module. The file is part of the libpam-modules package.

-- 
Mailing list: https://launchpad.net/~touch-packages
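
A check for the condition described in this report, as an added example that is not part of the original message or of the pam package: it flags pam_mkhomedir.so lines that lack a restrictive umask and lists home directories that already carry permissions for "other". The function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, demo input is constructed.

# Report active pam_mkhomedir.so lines that can still produce a home
# directory open to "other": no umask= argument, or a umask whose last
# octal digit is not 7.
mkhomedir_umask_findings() {
    awk '
    /pam_mkhomedir\.so/ && !/^[ \t]*#/ {
        if (match($0, /umask=[0-7]+/)) {
            u = substr($0, RSTART + 6, RLENGTH - 6)
            if (substr(u, length(u), 1) == "7") next
            why = "umask=" u " leaves permissions for other"
        } else {
            why = "no umask argument"
        }
        print FILENAME ":" FNR ": " why
    }' "$@"
}

# List directories directly under $1 whose "other" permission triplet
# (characters 8-10 of the ls mode string) is not "---".
homes_open_to_others() {
    for d in "$1"/*; do
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        other=$(ls -ld "$d" | cut -c8-10)
        [ "$other" = "---" ] || printf '%s %s\n' "$other" "$d"
    done
}

# Constructed demo: one profile without umask, one with the umask used in
# the report, and two directories with the modes shown in the listings.
demo() {
    t=$(mktemp -d)
    printf 'Session:\n\toptional\tpam_mkhomedir.so\n' > "$t/stock"
    printf 'Session:\n\toptional\tpam_mkhomedir.so umask=0027\n' > "$t/patched"
    mkdir -m 0755 "$t/homemadebymkhomedir"
    mkdir -m 0750 "$t/homemadebymkhomedirpatch"
    mkhomedir_umask_findings "$t/stock" "$t/patched"
    homes_open_to_others "$t"
    rm -rf "$t"
}
demo
```

On a real system the first function would be pointed at /usr/share/pam-configs/mkhomedir and the generated /etc/pam.d/common-session, and the second at /home. Directories created before the umask change keep their old mode, as homemadebymkhomedir does in the second listing.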