Comment 0 for bug 871943

Jamie Strandboge (jdstrand) wrote : pam_motd sometimes inherits umask of user (via pam_umask)

When performing install audits, I noticed that /run/motd had the following permissions:
$ ls -l /run/motd
-rw-rw-r-- 1 root root 198 2011-10-10 13:20 /run/motd

I found this odd and remembered https://blueprints.launchpad.net/ubuntu/+spec/umask-to-0002. While /etc/init/mounted-run.conf creates this initially on reboot, it turns out that the permissions are changed on login, via pam_motd.

TEST CASE:
1. login
2. sudo chmod 644 /run/motd
3. Check the permissions of /run/motd. Eg:
$ ls -l /run/motd
-rw-r--r-- 1 root root 198 2011-10-10 13:20 /run/motd
4. login via ssh
5. Check the permissions of /run/motd. Eg:
$ ls -l /run/motd
-rw-rw-r-- 1 root root 198 2011-10-10 13:38 /run/motd

So, this happens on ssh logins and not console logins because pam_motd in console logins is earlier in the stack (before common-session, which has pam_umask in it). With ssh logins, pam_motd is after common-session.

This does not seem to be a security issue as the umask has to be adjusted via /etc/login.defs; however the side-effect is undesirable. While we could adjust the stacking, it seems a reasonable hardening measure would be for pam_motd to explicitly set its umask.
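The mechanism behind the test case above, as an added example that is not part of the bug report or of pam_motd's code: a file is created with mode 0666 masked by the creating process's umask, so a session that has passed through pam_umask with UMASK 002 from /etc/login.defs produces a group-writable 664 file, while a session still at the default 022 produces 644. The function names and the temporary paths are this example's own, and the hardened variant just illustrates the suggested fix (the module forcing its own umask before writing) rather than reproducing any actual pam_motd change.

```shell
# Added example, not code from the bug report or from pam_motd.
# Shows how the creating process's umask fixes the mode of a new file,
# and the hardening the report suggests: set the umask explicitly
# before creating the file instead of inheriting the session's umask.
# Function names and paths are this example's own (assumptions).

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a fresh file the way an unhardened module would: inherit whatever
# umask the calling session already has.
# Arguments: session umask (e.g. 0022 or 0002), target path.
create_inheriting_umask() {
    rm -f "$2"
    # Subshell so the umask change does not leak back to the caller,
    # mirroring a PAM module running in the login process.
    ( umask "$1"; : > "$2" )
    mode_of "$2"
}

# Hardened variant: the "module" forces a private umask for the duration
# of the write, regardless of what pam_umask (or anything else) left in
# the session. Arguments: session umask, target path.
create_with_fixed_umask() {
    rm -f "$2"
    ( umask "$1"; umask 022; : > "$2" )
    mode_of "$2"
}

# Stand-alone demonstration on a constructed temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'session umask 0022, inherited -> %s\n' \
        "$(create_inheriting_umask 0022 "$tmp/motd")"
    printf 'session umask 0002, inherited -> %s\n' \
        "$(create_inheriting_umask 0002 "$tmp/motd")"
    printf 'session umask 0002, fixed     -> %s\n' \
        "$(create_with_fixed_umask 0002 "$tmp/motd")"
    rm -rf "$tmp"
}

demo
```

The inherited case with umask 0002 yields 664, the same mode the report observed on /run/motd after an ssh login; the fixed-umask variant yields 644 under either session umask, which is the property a module writing a root-owned file in /run should have. To check which login path is affected on a given system, compare where pam_motd sits relative to the common-session include in /etc/pam.d/sshd versus /etc/pam.d/login, as the report describes.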