Description of problem:
A graphical login is initiated by the X display manager (e.g. gdm) for a user by running a generic Xsession which eventually executes a concrete session (e.g. gnome-session) in the context of the user's login shell. The umask of the login shell can be managed by script (e.g. /etc/profile) to establish a system policy for user-created files. However, Xsession sources xdg-user-dirs.sh before this umask policy is set, which results in the creation of XDG user directories that don't honor it.

How reproducible:
Always

Steps to Reproduce:
1. Change umask for normal users from the default (002) to 007 in /etc/profile.
2. Create a new, normal user.
3. Graphically login as this new user.
4. Run "stat -c %a Desktop" in a shell.

Actual results:
755

Expected results:
750

Additional info:
This issue is a CAT II STIG finding for the RHEL 7 STIG. This is causing systems that must maintain STIG to fail the check.

STIG Finding[0]:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Group ID (Vulid): V-71995
Group Title: SRG-OS-000480-GPOS-00228
Rule ID: SV-86619r1_rule
Severity: CAT II
Rule Version (STIG-ID): RHEL-07-020240
Rule Title: The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Vulnerability Discussion: Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.

Check Content: Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command:

Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.

# grep -i umask /etc/login.defs
UMASK 077

If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.

Fix Text: Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077":

UMASK 077

CCI: CCI-000366
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[0] http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx
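An added example, not from the bug report, xdg-user-dirs or the STIG: it reproduces the 755-versus-750 outcome from the steps above in a scratch directory by creating a directory with a requested mode of 0755 (an assumption about how xdg-user-dirs creates ~/Desktop) under the pre-profile and post-profile umask, and it evaluates constructed /etc/login.defs fragments the way the RHEL-07-020240 check content does.

```python
import os
import re
import stat
import tempfile

# Assumed creation mode requested by xdg-user-dirs for ~/Desktop (not from the page).
XDG_DIR_MODE = 0o755


def mode_under_umask(umask, path, requested=XDG_DIR_MODE):
    """Create `path` with `requested` mode while `umask` is in effect and return
    the resulting permission bits as an octal string, like `stat -c %a`.
    umask is process-wide, so the caller's value is restored afterwards."""
    old = os.umask(umask)
    try:
        os.mkdir(path, requested)
    finally:
        os.umask(old)
    return format(stat.S_IMODE(os.stat(path).st_mode), "o")


def login_defs_umask(text):
    """Return the value of the last uncommented UMASK line in login.defs text,
    or None when it is missing or commented out (both count as findings)."""
    value = None
    for line in text.splitlines():
        m = re.match(r"^\s*UMASK\s+(\S+)", line, re.IGNORECASE)
        if m:
            value = m.group(1)
    return value


def stig_umask_finding(text):
    """Mirror the check content: None when UMASK is 077, 'CAT I' when it is
    000, otherwise 'CAT II' (wrong value, missing, or commented out)."""
    value = login_defs_umask(text)
    if value == "077":
        return None
    if value == "000":
        return "CAT I"
    return "CAT II"


def demo():
    work = tempfile.mkdtemp()
    # Desktop created while the Xsession umask (002) is still in effect ...
    before = mode_under_umask(0o002, os.path.join(work, "Desktop-before-profile"))
    # ... versus the same creation after /etc/profile has applied the 007 policy.
    after = mode_under_umask(0o007, os.path.join(work, "Desktop-after-profile"))
    return before, after  # returns ("755", "750")


if __name__ == "__main__":
    print(demo())
    print(stig_umask_finding("# UMASK 022\nUMASK 077\n"))  # constructed fragment
```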
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0842