When performing install audits, I noticed that /run/motd had the following permissions:
$ ls -l /run/motd
-rw-rw-r-- 1 root root 198 2011-10-10 13:20 /run/motd
I found this odd and remembered https://blueprints.launchpad.net/ubuntu/+spec/umask-to-0002. While /etc/init/mounted-run.conf creates this initially on reboot, it turns out that the permissions are changed on login, via pam_motd.
TEST CASE:
1. login
2. sudo chmod 644 /run/motd
3. Check the permissions of /run/motd. E.g.:
$ ls -l /run/motd
-rw-r--r-- 1 root root 198 2011-10-10 13:20 /run/motd
4. login via ssh
5. Check the permissions of /run/motd. E.g.:
$ ls -l /run/motd
-rw-rw-r-- 1 root root 198 2011-10-10 13:38 /run/motd
So, this happens on ssh logins and not console logins because pam_motd in console logins is earlier in the stack (before common-session, which has pam_umask in it). With ssh logins, pam_motd is after common-session.
This does not seem to be a security issue as the umask has to be adjusted via /etc/login.defs; however the side-effect is undesirable. While we could adjust the stacking, it seems a reasonable hardening measure would be for pam_motd to explicitly set its umask.
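The following is an added illustration, not code from the bug report or from pam_motd itself. It reproduces the mechanism the report describes in a temporary directory: a file created by a plain shell redirection gets mode 0666 masked by the session umask, so a umask of 0002 yields 664 while 0022 yields 644; a writer that sets its own umask first produces 644 regardless of what the caller inherited, which is the hardening the report proposes. It assumes GNU coreutils `stat -c '%a'` for reading the mode, and the file paths and function names are constructed for the example.

```shell
#!/bin/sh
# Added demonstration of umask-dependent file modes (constructed example,
# not Ubuntu's pam_motd code). Assumes GNU stat for '%a'.

# write_with_umask UMASK PATH: create PATH under the given umask the way a
# '> file' redirection does (0666 masked by umask) and print its octal mode.
write_with_umask() {
    _umask="$1"; _path="$2"
    rm -f "$_path"
    ( umask "$_umask"; printf 'Welcome\n' > "$_path" )
    stat -c '%a' "$_path"
}

# write_hardened PATH: ignore whatever umask the caller inherited and set an
# explicit 022 before creating the file, so the result is always 0644.
write_hardened() {
    _path="$1"
    rm -f "$_path"
    ( umask 022; printf 'Welcome\n' > "$_path" )
    stat -c '%a' "$_path"
}

# audit_mode PATH: return 0 when PATH is neither group- nor world-writable,
# 1 otherwise. A quick check of the kind an install audit would run.
audit_mode() {
    _mode=$(stat -c '%a' "$1") || return 1
    case "$_mode" in
        *[2367][0-7]) return 1 ;;   # group write bit set
        *[2367])      return 1 ;;   # world write bit set
    esac
    return 0
}

# Stand-alone demo in a scratch directory (constructed paths, not /run/motd).
demo_dir=$(mktemp -d)
printf 'umask 0002 -> %s\n' "$(write_with_umask 0002 "$demo_dir/motd")"
printf 'umask 0022 -> %s\n' "$(write_with_umask 0022 "$demo_dir/motd")"
printf 'hardened under umask 0002 -> %s\n' \
    "$( umask 0002; write_hardened "$demo_dir/motd" )"
rm -rf "$demo_dir"
```

Running the script shows 664, then 644, then 644 for the hardened writer even though the surrounding umask was 0002; `audit_mode` can be pointed at any file to flag the group-writable state the report observed.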