pam_umask.so not called in /etc/pam.d/common-session{,-noninteractive}
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pam (Ubuntu) | Fix Released | Medium | Martin Pitt |
Bug Description
The pam_umask.so module determines the umask (from system and user config files) and sets it for users accordingly.
From /etc/login.defs:
```
# the use of pam_umask is recommended as the solution which
# catches all these cases on PAM-enabled systems.
```
The umask itself should not be set in /etc/pam.
The system's default UMASK remains in /etc/login.defs; setting it in common-account would override login.defs *and* any user-specific configs in gecos fields (see man pam_umask).
The option "usergroups" is necessary to have pam_umask check if the user has a private user group and re-enable appropriate group permission setting for safe and easy user collaboration (Info in Bug #252351).
The line needed to call pam_umask in /etc/pam.
```
session optional pam_umask.so usergroups
```
(This reflects the settings that are in /etc/login.defs, but have not been working since pam broke it.)
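The following check is an added example, not part of the bug report or the pam package: it classifies a PAM stack file by whether an active session line calls pam_umask.so with usergroups, and computes the group-bit adjustment that pam_umask(8) documents for that option. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample stack files below are constructed.

# Classify one PAM stack file: "ok" if an active session line calls
# pam_umask.so with usergroups, "no-usergroups" if the module is called
# without that option, "missing" if it is not called at all.
# @include lines are not followed; audit each included file separately.
check_pam_umask() {
    awk '
        { sub(/#.*/, "") }                  # drop whole-line and trailing comments
        $1 ~ /^-?session$/ {
            for (i = 2; i <= NF; i++) {
                n = split($i, part, "/")    # module may be given with a full path
                if (part[n] != "pam_umask.so") continue
                found = 1
                for (j = i + 1; j <= NF; j++) if ($j == "usergroups") ug = 1
            }
        }
        END { print (ug ? "ok" : (found ? "no-usergroups" : "missing")) }
    ' "$1"
}

# Effective umask under "usergroups", per pam_umask(8): for a non-root user
# whose name equals the primary group name, group bits copy the owner bits.
usergroups_umask() {    # args: umask user primary_group uid
    um=$((0$1))         # leading 0 forces octal interpretation
    if [ "$4" -ne 0 ] && [ "$2" = "$3" ]; then
        um=$(( (um & ~070) | ((um >> 3) & 070) ))
    fi
    printf '%03o\n' "$um"
}

# Constructed stacks: one without the module, one with the line from the report.
dir=$(mktemp -d)
printf '%s\n' 'session required pam_unix.so' > "$dir/before"
printf '%s\n' 'session required pam_unix.so' \
    'session optional pam_umask.so usergroups' > "$dir/after"
for f in before after; do
    echo "$f: $(check_pam_umask "$dir/$f")"
done
echo "alice:alice, UMASK 022 -> $(usergroups_umask 022 alice alice 1000)"
rm -rf "$dir"
```

On a real system, run `check_pam_umask` against /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive, the two files named in the bug title.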
summary:
- pam_umask.so missing in common-session
+ pam_umask.so missing in common-account
description: updated
summary:
- pam_umask.so missing in common-account
+ pam_umask.so not called in /etc/pam.d/common-session{,-noninteractive}
Changed in pam (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
assignee: Steve Langasek (vorlon) → nobody
Oh, the problem with the current state is that umask is set all over the place in shell config files and xsessions, and these do not work for ssh logins, for example.