Ubuntu
pam package

  1. Bug #1957024
  2. Comment #1

Comment 1 for bug 1957024

Revision history for this message
Andrew Lowther (alowther) wrote :

Here is a demonstration as requested in Discourse. These steps were run on a stock image of Ubuntu Impish taken from https://cloud-images.ubuntu.com/impish/current/.

Showing the inconsistent behavior of the default settings if the goal is private home directories. Both adduser and useradd create a home directory that is private but pam_mkhomedir.so does not.

# enable pam_mkhomedir.so configuration
pam-auth-update --enable mkhomedir
# create a user with adduser that creates the home directory
adduser --disabled-password --gecos adduser homemadebyadduser
# create a user with useradd that creates the home directory
useradd --create-home homemadebyuseradd
# create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
useradd --no-create-home homemadebymkhomedir
# trigger pam_mkhomedir.so to create the home directory
su - homemadebymkhomedir -c exit

The result is inconsistent permissions on the home directories.
root@ubuntu:~# ls -al /home
total 24
drwxr-xr-x 6 root root 4096 Jan 11 03:27 .
drwxr-xr-x 19 root root 4096 Jan 11 03:13 ..
drwxr-x--- 2 homemadebyadduser homemadebyadduser 4096 Jan 11 03:20 homemadebyadduser
drwxr-xr-x 2 homemadebymkhomedir homemadebymkhomedir 4096 Jan 11 03:27 homemadebymkhomedir
drwxr-x--- 2 homemadebyuseradd homemadebyuseradd 4096 Jan 11 03:23 homemadebyuseradd
drwxr-x--- 4 ubuntu ubuntu 4096 Jan 11 03:15 ubuntu

Configuring pam_mkhomedir.so to be consistent with the other tools.

# update pam_mkhomedir.so configuration
sed -i -e "s/pam_mkhomedir.so$/pam_mkhomedir.so umask=0027/" /usr/share/pam-configs/mkhomedir
# enable mkhomedir again
pam-auth-update --enable mkhomedir
# create a user with useradd that does *not* create the home directory so that pam_mkhomedir.so can create it
useradd --no-create-home homemadebymkhomedirpatch
# trigger pam_mkhomedir.so to create the home directory
su - homemadebymkhomedirpatch -c exit

The result is the permissions are consistent with the other tools.
root@ubuntu:~# ls -l /home/
total 20
drwxr-x--- 2 homemadebyadduser homemadebyadduser 4096 Jan 11 03:20 homemadebyadduser
drwxr-xr-x 2 homemadebymkhomedir homemadebymkhomedir 4096 Jan 11 03:27 homemadebymkhomedir
drwxr-x--- 2 homemadebymkhomedirpatch homemadebymkhomedirpatch 4096 Jan 11 03:36 homemadebymkhomedirpatch
drwxr-x--- 2 homemadebyuseradd homemadebyuseradd 4096 Jan 11 03:23 homemadebyuseradd
drwxr-x--- 4 ubuntu ubuntu 4096 Jan 11 03:15 ubuntu