pam-mkhomedir does not honor private home directories
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pam (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
As reported in https:/
A common situation is to have a central set of users (e.g. in LDAP) and use pam_mkhomedir.so to create the home directory when the user first logs in.
These changes do not cover this situation. The default configuration of pam_mkhomedir.so will result in a home directory created with 0755 permissions.
To make pam_mkhomedir.so create a home directory by default with permissions consistent with the other tools then a umask argument can be added to the pam_mkhomedir.so module in the file /usr/share/
Here is a demonstration as requested in Discourse. These steps were run on a stock image of Ubuntu Impish taken from https:/ /cloud- images. ubuntu. com/impish/ current/.
Showing the inconsistent behavior of the default settings if the goal is private home directories. Both adduser and useradd create a home directory that is private but pam_mkhomedir.so does not.
# enable pam_mkhomedir.so configuration
pam-auth-update --enable mkhomedir
# create a user with adduser that creates the home directory
adduser --disabled-password --gecos adduser homemadebyadduser
# create a user with useradd that creates the home directory
useradd --create-home homemadebyuseradd
# create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
useradd --no-create-home homemadebymkhomedir
# trigger pam_mkhomedir.so to create the home directory
su - homemadebymkhomedir -c exit
The result is inconsistent permissions on the home directories.
root@ubuntu:~# ls -al /home
total 24
drwxr-xr-x 6 root root 4096 Jan 11 03:27 .
drwxr-xr-x 19 root root 4096 Jan 11 03:13 ..
drwxr-x--- 2 homemadebyadduser homemadebyadduser 4096 Jan 11 03:20 homemadebyadduser
drwxr-xr-x 2 homemadebymkhomedir homemadebymkhomedir 4096 Jan 11 03:27 homemadebymkhomedir
drwxr-x--- 2 homemadebyuseradd homemadebyuseradd 4096 Jan 11 03:23 homemadebyuseradd
drwxr-x--- 4 ubuntu ubuntu 4096 Jan 11 03:15 ubuntu
Configuring pam_mkhomedir.so to be consistent with the other tools.
# update pam_mkhomedir.so configuration mkhomedir. so$/pam_ mkhomedir. so umask=0027/" /usr/share/ pam-configs/ mkhomedir edirpatch edirpatch -c exit
sed -i -e "s/pam_
# enable mkhomedir again
pam-auth-update --enable mkhomedir
# create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
useradd --no-create-home homemadebymkhom
# trigger pam_mkhomedir.so to create the home directory
su - homemadebymkhom
The result is the permissions are consistent with the other tools. edirpatch homemadebymkhom edirpatch 4096 Jan 11 03:36 homemadebymkhom edirpatch
root@ubuntu:~# ls -l /home/
total 20
drwxr-x--- 2 homemadebyadduser homemadebyadduser 4096 Jan 11 03:20 homemadebyadduser
drwxr-xr-x 2 homemadebymkhomedir homemadebymkhomedir 4096 Jan 11 03:27 homemadebymkhomedir
drwxr-x--- 2 homemadebymkhom
drwxr-x--- 2 homemadebyuseradd homemadebyuseradd 4096 Jan 11 03:23 homemadebyuseradd
drwxr-x--- 4 ubuntu ubuntu 4096 Jan 11 03:15 ubuntu