1412762 – Xsession creation of XDG user directories does not honor system umask policy

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1412762 - Xsession creation of XDG user directories does not honor system umask policy

Summary: Xsession creation of XDG user directories does not honor system umask policy

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	xdg-user-dirs
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Ray Strode [halfline]
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1420851 1479818
TreeView+	depends on / blocked

Reported:	2017-01-12 17:52 UTC by ross tyler
Modified:	2021-06-10 11:49 UTC (History)
CC List:	6 users (show)
Fixed In Version:	xdg-user-dirs-0.15-5.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-10 15:04:37 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
FreeDesktop.org	102303	0	'medium'	'RESOLVED'	'Wayland support missing'	2019-11-29 12:48:09 UTC
Red Hat Product Errata	RHSA-2018:0842	0	None	None	None	2018-04-10 15:04:53 UTC

Description ross tyler 2017-01-12 17:52:38 UTC

Description of problem:
A graphical login is initiated by the X display manager (e.g. gdm) for a user by running a generic Xsession which eventually executes a concrete session (e.g. gnome-session) in the context of the user's login shell. The umask of the login shell can be managed by script (e.g. /etc/profile) to establish a system policy for user created files. However, Xsession sources xdg-user-dirs.sh before this umask policy is set which results in the creation of XDG user directories that don't honor it.

How reproducible:
Always

Steps to Reproduce:
1. Change umask for normal users from the default (002) to 007 in /etc/profile.
2. Create a new, normal user.
3. Graphically login as this new user.
4. Run "stat -c %a Desktop" in a shell.

Actual results:
755

Expected results:
750

Additional info:

Comment 2 David Sirrine 2017-05-16 19:09:50 UTC

This issue is a CAT II STIG finding for the RHEL 7 STIG. This is causing systems that must maintain STIG to fail the check.

STIG Finding[0]:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Group ID (Vulid): V-71995
Group Title: SRG-OS-000480-GPOS-00228
Rule ID: SV-86619r1_rule
Severity: CAT II
Rule Version (STIG-ID): RHEL-07-020240
Rule Title: The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.


Vulnerability Discussion: Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.


Check Content: 
Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command:

Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.

# grep -i umask /etc/login.defs
UMASK 077

If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.

Fix Text: Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077":

UMASK 077  

CCI: CCI-000366
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[0] http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx

Comment 18 errata-xmlrpc 2018-04-10 15:04:37 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0842

Note You need to log in before you can comment on or make changes to this bug.