Bug 1123860 - enablemkhomedir uses wrong security mask
Summary: enablemkhomedir uses wrong security mask
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: oddjob
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks: 1150607
Reported: 2014-07-28 13:40 UTC by Marc Muehlfeld
Modified: 2015-03-05 10:08 UTC (History)

Fixed In Version: oddjob-0.31.5-4.el7
Doc Type: Bug Fix
Doc Text:
Cause: The default configuration for oddjob's mkhomedir helper specified that a umask of 002 be used when populating a user's home directory.
Consequence: Changes to the UMASK setting in the /etc/login.defs configuration file would not be honored.
Fix: The oddjob daemon's configuration no longer specifies that a umask value be passed to the mkhomedir helper when it is invoked.
Result: The oddjob mkhomedir helper uses a umask value read from the UMASK setting in the /etc/login.defs file.
Clone Of:
Environment:
Last Closed: 2015-03-05 10:08:11 UTC


Attachments (Terms of Use)
Error message during login (552.79 KB, application/octet-stream)
2014-09-04 07:44 UTC, Marc Muehlfeld
Error after login (10.01 KB, application/octet-stream)
2014-09-04 07:45 UTC, Marc Muehlfeld
messages and secure log from the login try (2.58 KB, application/octet-stream)
2014-09-04 07:48 UTC, Marc Muehlfeld


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0446 normal SHIPPED_LIVE oddjob bug fix and enhancement update 2015-03-05 14:50:22 UTC

Description Marc Muehlfeld 2014-07-28 13:40:21 UTC
Description of problem:
If you enable auto-creation of home directories, e.g. via
# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
then new homes have permission 755, which can cause a security leak.



Version-Release number of selected component (if applicable):
oddjob-mkhomedir-0.31.5-3.el7.x86_64



How reproducible:
Always.



Steps to Reproduce:
- Set up auto home creation (e.g. for users authenticated against AD)
- Login
- home is created with permission 755



Actual results:
home is created with permission 755



Expected results:
home should be created with permission 700 or max. 750


Additional info:
The same bug exists in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=995097
But it's not fixed there, and I opened a new one to show that this issue also exists in RHEL7.

Comment 2 Nalin Dahyabhai 2014-09-03 15:09:05 UTC
As in bug #995097, does removing the part of /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf that passes a umask (via a -u parameter) to the helper resolve this?  Because we can absolutely do that.

Comment 3 Marc Muehlfeld 2014-09-04 07:44:59 UTC
Created attachment 934297 [details]
Error message during login

(In reply to Nalin Dahyabhai from comment #2)
> As in bug #995097, does removing the part of
> /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf that passes a umask (via a -u
> parameter) to the helper resolve this?  Because we can absolutely do that.

No.

If I delete this file, an error is shown for a second after I enter the password. After authentication, there's a second error and then I get logged out again (and the home wasn't created).

Comment 4 Marc Muehlfeld 2014-09-04 07:45:17 UTC
Created attachment 934298 [details]
Error after login

Comment 5 Marc Muehlfeld 2014-09-04 07:48:53 UTC
Created attachment 934299 [details]
messages and secure log from the login try

Comment 6 Nalin Dahyabhai 2014-09-04 13:19:50 UTC
(In reply to Marc Muehlfeld from comment #3)
> Created attachment 934297 [details]
> Error message during login
> 
> (In reply to Nalin Dahyabhai from comment #2)
> > As in bug #995097, does removing the part of
> > /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf that passes a umask (via a -u
> > parameter) to the helper resolve this?  Because we can absolutely do that.
> 
> No.
> 
> If I delete this file, there's shown an error for a second after I entered
> the password. And after the authentication, there's a second error and then
> I got logged out again (and the home wasn't created).

I'm sorry I wasn't clearer - I meant removing the -u flag from the configuration for the helper, not the entire file.  The file's contents should change from:
==============================================================================
<?xml version="1.0"?>

<!-- This configuration file snippet controls the oddjob daemon.  It
     provides access to mkhomedir functionality via a service named
     "com.redhat.oddjob_mkhomedir", which exposes a single object
     ("/").
     The object allows the root user to call any of the standard D-Bus
     introspection interface's methods (these are implemented by
     oddjobd itself), and also defines an interface named
     "com.redhat.oddjob_mkhomedir", which provides two methods.  -->

<oddjobconfig>

  <service name="com.redhat.oddjob_mkhomedir">

    <object name="/">

      <interface name="org.freedesktop.DBus.Introspectable">

        <allow min_uid="0" max_uid="0"/>
        <!-- <method name="Introspect"/> -->

      </interface>

      <interface name="com.redhat.oddjob_mkhomedir">

        <method name="mkmyhomedir">
          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0002"
                  arguments="0"
                  prepend_user_name="yes"/>
          <!-- no acl entries -> not allowed for anyone -->
        </method>

        <method name="mkhomedirfor">
          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0002"
                  arguments="1"/>
          <allow user="root"/>
        </method>

      </interface>

    </object>

  </service>

</oddjobconfig>
==============================================================================
to:
==============================================================================
<?xml version="1.0"?>

<!-- This configuration file snippet controls the oddjob daemon.  It
     provides access to mkhomedir functionality via a service named
     "com.redhat.oddjob_mkhomedir", which exposes a single object
     ("/").
     The object allows the root user to call any of the standard D-Bus
     introspection interface's methods (these are implemented by
     oddjobd itself), and also defines an interface named
     "com.redhat.oddjob_mkhomedir", which provides two methods.  -->

<oddjobconfig>

  <service name="com.redhat.oddjob_mkhomedir">

    <object name="/">

      <interface name="org.freedesktop.DBus.Introspectable">

        <allow min_uid="0" max_uid="0"/>
        <!-- <method name="Introspect"/> -->

      </interface>

      <interface name="com.redhat.oddjob_mkhomedir">

        <method name="mkmyhomedir">
          <helper exec="/usr/libexec/oddjob/mkhomedir"
                  arguments="0"
                  prepend_user_name="yes"/>
          <!-- no acl entries -> not allowed for anyone -->
        </method>

        <method name="mkhomedirfor">
          <helper exec="/usr/libexec/oddjob/mkhomedir"
                  arguments="1"/>
          <allow user="root"/>
        </method>

      </interface>

    </object>

  </service>

</oddjobconfig>
==============================================================================

After the change, the <helper> node should no longer be configured to pass a umask value to the helper, allowing it to read the configured value from /etc/login.defs, which by default matches the value you prefer.

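As an added illustration of the check Nalin describes (this is not code from the bug report or from the oddjob project), the following Python script parses a constructed copy of the helper configuration, flags any <helper> that still passes -u, and computes the mode that the UMASK in /etc/login.defs would give a new home directory instead. The login.defs excerpt and the assumption that the directory is requested with mode 0777 and masked by the umask (mkdir(2) semantics) are mine.

```python
"""Audit oddjob's mkhomedir helper configuration for a forced umask.

Constructed example, not part of the bug report: parses an
oddjobd-mkhomedir.conf-style snippet, reports helpers that pass
"-u <umask>", and shows the mode /etc/login.defs UMASK would yield.
"""
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed copy of the two <helper> variants quoted in comment 6.
BEFORE = """<oddjobconfig>
  <service name="com.redhat.oddjob_mkhomedir">
    <object name="/">
      <interface name="com.redhat.oddjob_mkhomedir">
        <method name="mkmyhomedir">
          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0002" arguments="0" prepend_user_name="yes"/>
        </method>
        <method name="mkhomedirfor">
          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0002" arguments="1"/>
        </method>
      </interface>
    </object>
  </service>
</oddjobconfig>"""
AFTER = BEFORE.replace(" -u 0002", "")  # the fixed form: no -u flag

# Constructed /etc/login.defs excerpt; UMASK 077 is the RHEL default.
LOGIN_DEFS = "# constructed excerpt\nCREATE_HOME yes\nUMASK\t\t077\n"


def forced_umasks(config_xml):
    """Return {method name: umask string} for every helper passing -u."""
    found = {}
    for method in ET.fromstring(config_xml).iter("method"):
        for helper in method.iter("helper"):
            argv = shlex.split(helper.get("exec", ""))
            if "-u" in argv and argv.index("-u") + 1 < len(argv):
                found[method.get("name")] = argv[argv.index("-u") + 1]
    return found


def login_defs_umask(text):
    """Parse the octal UMASK line of a login.defs file; None if absent."""
    m = re.search(r"^\s*UMASK\s+([0-7]+)", text, re.MULTILINE)
    return int(m.group(1), 8) if m else None


def home_mode(umask, requested=0o777):
    """Mode mkdir(2) yields for 'requested' under 'umask' (3-digit octal)."""
    return format(requested & ~umask & 0o777, "03o")
```

Running `forced_umasks(BEFORE)` lists both methods as forcing umask 0002, while `forced_umasks(AFTER)` is empty and `home_mode(login_defs_umask(LOGIN_DEFS))` gives the 700 seen in comment 7.
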
Comment 7 Marc Muehlfeld 2014-09-04 13:52:09 UTC
(In reply to Nalin Dahyabhai from comment #6)
> I'm sorry I wasn't clearer - I meant removing the -u flag from the
> configuration for the helper, not the entire file.

Oops. Sorry. :-)


If I remove the '-u 0002', then the created home directory gets permission 700. So this would help.

Comment 8 Nalin Dahyabhai 2014-09-04 15:28:40 UTC
Great!  We'll do that, then.

Comment 12 errata-xmlrpc 2015-03-05 10:08:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0446.html

