Bug 1886362
| Summary: | oddjob-mkhomedir - homedir has a wrong permissions | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Filip Dvorak <fdvorak> | |
| Component: | oddjob | Assignee: | Alexander Bokovoy <abokovoy> | |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 8.3 | CC: | abokovoy, ksiddiqu, lmiksik, rcritten | |
| Target Milestone: | rc | Keywords: | Regression | |
| Target Release: | 8.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | oddjob-0.34.5-3.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1886433 (view as bug list) | Environment: | ||
| Last Closed: | 2020-11-04 03:01:07 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1886433 | |||
|
Description
Filip Dvorak
2020-10-08 09:39:59 UTC
Filip, oddjob does not own PAM configuration.
The configuration for mkhomedir is part of authselect SSSD profile.
# fgrep mkhomedir /usr/share/authselect/default/sssd/system-auth
session optional pam_oddjob_mkhomedir.so umask=0077 {include if "with-mkhomedir"}
However, pam_oddjob_mkhomedir.so does not take any options, so specifying umask there is not going to affect actual umask used, as explained in the module's manual page:
The location of the skeleton directory and the default umask are determined by the configuration for the corresponding service in oddjobd-mkhomedir.conf, so they can not be specified as arguments to this module.
This is actually not full story because mkhomedir helper does not read any umask parameters from oddjobd-mkhomedir.conf but instead accepts command line options (which are unused in this workflow) or reads default umask value from /etc/login.defs.
/etc/login.defs has
UMASK 022
by default. This file is owned by shadow-utils and it recently changed default UMASK value from 0077 to 022:
http://pkgs.devel.redhat.com/cgit/rpms/shadow-utils/commit/?h=rhel-8.3.0&id=345e1be7cd68e2e6c541692d2e3ce8e23931a0f8
This explains your results.
The change is due to https://bugzilla.redhat.com/show_bug.cgi?id=1777718 which requested UMASK to revert back to (less secure) 022 to be compatible with RHEL 7.
Apparently, shadow-utils changed meaning of UMASK and introduced HOME_MODE instead for home directories. However, nobody informed oddjob that HOME_MODE needs to be read. This means current configuration is broken. Upstream pull request: https://pagure.io/oddjob/pull-request/12 Unrelated to this bug, I added https://github.com/authselect/authselect/issues/223 to authselect as it erroneously adds umask=.. line to PAM configuration. As explained in the man page for pam_oddjob_mkhomedir.so, it does not accept any option. Merged upstream. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: oddjob security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4687 |