Bug 1412762

Summary: Xsession creation of XDG user directories does not honor system umask policy
Product: Red Hat Enterprise Linux 7 Reporter: ross tyler <retyler>
Component: xdg-user-dirsAssignee: Ray Strode [halfline] <rstrode>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: low Docs Contact:
Priority: unspecified    
Version: 7.2CC: dmoppert, dsirrine, fweimer, mclasen, rstrode, tpelka
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xdg-user-dirs-0.15-5.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 15:04:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1420851, 1479818    

Description ross tyler 2017-01-12 17:52:38 UTC
Description of problem:
A graphical login is initiated by the X display manager (e.g. gdm) for a user by running a generic Xsession which eventually executes a concrete session (e.g. gnome-session) in the context of the user's login shell. The umask of the login shell can be managed by script (e.g. /etc/profile) to establish a system policy for user created files. However, Xsession sources xdg-user-dirs.sh before this umask policy is set which results in the creation of XDG user directories that don't honor it.

How reproducible:
Always

Steps to Reproduce:
1. Change umask for normal users from the default (002) to 007 in /etc/profile.
2. Create a new, normal user.
3. Graphically login as this new user.
4. Run "stat -c %a Desktop" in a shell.

Actual results:
755

Expected results:
750

Additional info:

Comment 2 David Sirrine 2017-05-16 19:09:50 UTC
This issue is a CAT II STIG finding for the RHEL 7 STIG. This is causing systems that must maintain STIG to fail the check.

STIG Finding[0]:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Group ID (Vulid): V-71995
Group Title: SRG-OS-000480-GPOS-00228
Rule ID: SV-86619r1_rule
Severity: CAT II
Rule Version (STIG-ID): RHEL-07-020240
Rule Title: The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.


Vulnerability Discussion: Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.


Check Content: 
Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command:

Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.

# grep -i umask /etc/login.defs
UMASK 077

If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.

Fix Text: Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077":

UMASK 077  

CCI: CCI-000366
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[0] http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx

Comment 18 errata-xmlrpc 2018-04-10 15:04:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0842