diff --git a/srcpkgs/shadow/files/login.defs b/srcpkgs/shadow/files/login.defs
index 1daa67b4dd0..350764846af 100644
--- a/srcpkgs/shadow/files/login.defs
+++ b/srcpkgs/shadow/files/login.defs
@@ -74,7 +74,8 @@ TTYPERM 0600
 #
 ERASECHAR 0177
 KILLCHAR 025
-UMASK 077
+UMASK 022
+HOME_MODE 0700
 
 # Max number of login retries if password is bad
 #
diff --git a/srcpkgs/shadow/patches/home-mode.patch b/srcpkgs/shadow/patches/home-mode.patch
new file mode 100644
index 00000000000..09d4459e4bd
--- /dev/null
+++ b/srcpkgs/shadow/patches/home-mode.patch
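Review bot: The new `HOME_MODE 0700` key is only understood by shadow binaries built with the home-mode.patch this same commit adds; if that patch is later dropped or stops applying, the key is presumably reported as an unknown item by the login.defs parser and new home directories silently fall back to `0777 & ~UMASK`, which with the relaxed `UMASK 022` is 0755 rather than the intended 0700. A comment on the key would make that coupling visible to the next packager, e.g. `# HOME_MODE needs the home-mode.patch carried by this package; without it new home dirs get 0777 & ~UMASK (0755).` Lowering UMASK to 022 also changes the default umask of every login on non-PAM setups and the pam_umask default, so files users create become world-readable by default; that is the trade-off the patch's commit message argues for, but it deserves a line in this file's comment block above, which lies outside the hunk.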
@@ -0,0 +1,242 @@
+From 085d04c3ddfb817ba5f13269b604384c260be84f Mon Sep 17 00:00:00 2001
+From: Duncan Overbruck
+Date: Sat, 11 Jan 2020 22:19:37 +0100
+Subject: [PATCH] add new HOME_MODE login.defs(5) option
+
+This option can be used to set a separate mode for useradd(8) and
+newusers(8) to create the home directories with.
+If this option is not set, the current behavior of using UMASK
+or the default umask is preserved.
+
+There are many distributions that set UMASK to 077 by default just
+to create home directories not readable by others and use things like
+/etc/profile, bashrc or sudo configuration files to set a less
+restrictive
+umask. This has always resulted in bug reports because it is hard
+to follow as users tend to change files like bashrc and are not about
+setting the umask to counteract the umask set in /etc/login.defs.
+
+A recent change in sudo has also resulted in many bug reports about
+this. sudo now tries to respect the umask set by pam modules and on
+systems where pam does not set a umask, the login.defs UMASK value is
+used.
+---
+ etc/login.defs | 7 +++++-
+ lib/getdef.c | 1 +
+ man/login.defs.5.xml | 4 ++++
+ man/login.defs.d/HOME_MODE.xml | 43 ++++++++++++++++++++++++++++++++++
+ man/login.defs.d/UMASK.xml | 3 ++-
+ man/newusers.8.xml | 2 ++
+ man/useradd.8.xml | 2 ++
+ src/newusers.c | 6 ++---
+ src/useradd.c | 5 ++--
+ 9 files changed, 66 insertions(+), 7 deletions(-)
+ create mode 100644 man/login.defs.d/HOME_MODE.xml
+
+diff --git a/etc/login.defs b/etc/login.defs
+index cd2597dc..a2f8cd50 100644
+--- etc/login.defs
++++ etc/login.defs
+@@ -195,12 +195,17 @@ KILLCHAR 025
+ # Default initial "umask" value used by login(1) on non-PAM enabled systems.
+ # Default "umask" value for pam_umask(8) on PAM enabled systems.
+ # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+-# home directories.
++# home directories if HOME_MODE is not set.
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up their mind.
+ UMASK 022
+
++# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
++# home directories.
++# If HOME_MODE is not set, the value of UMASK is used to create the mode.
++#HOME_MODE 0700
++
+ #
+ # Password aging controls:
+ #
+diff --git a/lib/getdef.c b/lib/getdef.c
+index bbb273f4..00f6abfe 100644
+--- lib/getdef.c
++++ lib/getdef.c
+@@ -93,6 +93,7 @@ static struct itemdef def_table[] = {
+ {"FAKE_SHELL", NULL},
+ {"GID_MAX", NULL},
+ {"GID_MIN", NULL},
++ {"HOME_MODE", NULL},
+ {"HUSHLOGIN_FILE", NULL},
+ {"KILLCHAR", NULL},
+ {"LASTLOG_UID_MAX", NULL},
+diff --git a/man/login.defs.5.xml b/man/login.defs.5.xml
+index ebf60ba3..9e95da20 100644
+--- man/login.defs.5.xml
++++ man/login.defs.5.xml
+@@ -50,6 +50,7 @@
+
+
+
++
+
+
+
+@@ -185,6 +186,7 @@
+ &FAKE_SHELL;
+ &FTMP_FILE;
+ &GID_MAX;
++ &HOME_MODE;
+ &HUSHLOGIN_FILE;
+ &ISSUE_FILE;
+ &KILLCHAR;
+@@ -401,6 +403,7 @@
+ ENCRYPT_METHOD
+ GID_MAX GID_MIN
+ MAX_MEMBERS_PER_GROUP MD5_CRYPT_ENAB
++ HOME_MODE
+ PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
+ SHA_CRYPT_MAX_ROUNDS
+ SHA_CRYPT_MIN_ROUNDS
+@@ -481,6 +484,7 @@
+
+ CREATE_HOME
+ GID_MAX GID_MIN
++ HOME_MODE
+ LASTLOG_UID_MAX
+ MAIL_DIR MAX_MEMBERS_PER_GROUP
+ PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE
+diff --git a/man/login.defs.d/HOME_MODE.xml b/man/login.defs.d/HOME_MODE.xml
+new file mode 100644
+index 00000000..21aa55f7
+--- /dev/null
++++ man/login.defs.d/HOME_MODE.xml
+@@ -0,0 +1,43 @@
++
++
++ (number)
++
++
++ The mode for new home directories. If not specified,
++ the is used to create the mode.
++
++
++ useradd and newusers use this
++ to set the mode of the home directory they create.
++
++
++
+diff --git a/man/login.defs.d/UMASK.xml b/man/login.defs.d/UMASK.xml
+index d7b71a5e..0f061dbb 100644
+--- man/login.defs.d/UMASK.xml
++++ man/login.defs.d/UMASK.xml
+@@ -37,7 +37,8 @@
+
+
+ useradd and newusers use this
+- mask to set the mode of the home directory they create
++ mask to set the mode of the home directory they create if
++ is not set.
+
+
+ It is also used by login to define users' initial
+diff --git a/man/newusers.8.xml b/man/newusers.8.xml
+index a1029a27..13307cc1 100644
+--- man/newusers.8.xml
++++ man/newusers.8.xml
+@@ -32,6 +32,7 @@
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+
+
++
+
+
+
+@@ -382,6 +383,7 @@
+
+
+ &GID_MAX;
++ &HOME_MODE;
+ &MAX_MEMBERS_PER_GROUP;
+
+
+diff --git a/man/useradd.8.xml b/man/useradd.8.xml
+index a16d7307..03612ce8 100644
+--- man/useradd.8.xml
++++ man/useradd.8.xml
+@@ -32,6 +32,7 @@
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+
+
++
+
+
+
+@@ -681,6 +682,7 @@
+
+ &CREATE_HOME;
+ &GID_MAX;
++ &HOME_MODE;
+ &LASTLOG_UID_MAX;
+ &MAIL_DIR;
+ &MAX_MEMBERS_PER_GROUP;
+diff --git a/src/newusers.c b/src/newusers.c
+index 99c69f78..e9fe0e27 100644
+--- src/newusers.c
++++ src/newusers.c
+@@ -1216,9 +1216,9 @@ int main (int argc, char **argv)
+ if ( ('\0' != fields[5][0])
+ && (access (newpw.pw_dir, F_OK) != 0)) {
+ /* FIXME: should check for directory */
+- mode_t msk = 0777 & ~getdef_num ("UMASK",
+- GETDEF_DEFAULT_UMASK);
+- if (mkdir (newpw.pw_dir, msk) != 0) {
++ mode_t mode = getdef_num ("HOME_MODE",
++ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++ if (mkdir (newpw.pw_dir, mode) != 0) {
+ fprintf (stderr,
+ _("%s: line %d: mkdir %s failed: %s\n"),
+ Prog, line, newpw.pw_dir,
+diff --git a/src/useradd.c b/src/useradd.c
+index 62e57a4f..c29ae949 100644
+--- src/useradd.c
++++ src/useradd.c
+@@ -2155,8 +2155,9 @@ static void create_home (void)
+ }
+
+ (void) chown (prefix_user_home, user_id, user_gid);
+- chmod (prefix_user_home,
+- 0777 & ~getdef_num
("UMASK", GETDEF_DEFAULT_UMASK)); ++ mode_t mode = getdef_num ("HOME_MODE", ++ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK)); ++ chmod (prefix_user_home, mode); + home_added = true; + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, diff --git a/srcpkgs/shadow/template b/srcpkgs/shadow/template index 64b1bdad8a6..f2f4d3e97b0 100644 --- a/srcpkgs/shadow/template +++ b/srcpkgs/shadow/template @@ -1,12 +1,12 @@ # Template file for 'shadow' pkgname=shadow version=4.8 -revision=2 +revision=3 build_style=gnu-configure configure_args="--enable-shared --disable-static --with-libpam --without-selinux --with-acl --with-attr --disable-nls --enable-subordinate-ids --disable-account-tools-setuid" -hostmakedepends="automake gettext-devel libtool" +hostmakedepends="automake gettext-devel libtool xz" makedepends="acl-devel pam-devel" depends="pam" short_desc="Shadow password file utilities"