Bug 1412762 - Xsession creation of XDG user directories does not honor system umask policy
Summary: Xsession creation of XDG user directories does not honor system umask policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: xdg-user-dirs
Version: 7.2
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Ray Strode [halfline]
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 1420851 1479818
 
Reported: 2017-01-12 17:52 UTC by ross tyler
Modified: 2018-04-10 15:04 UTC (History)

Fixed In Version: xdg-user-dirs-0.15-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 15:04:37 UTC




Links:
  Red Hat Product Errata RHSA-2018:0842 (last updated 2018-04-10 15:04:53 UTC)
  FreeDesktop.org 102303 (last updated 2017-10-05 21:06:49 UTC)

Description ross tyler 2017-01-12 17:52:38 UTC
Description of problem:
A graphical login is initiated by the X display manager (e.g. gdm) for a user by running a generic Xsession which eventually executes a concrete session (e.g. gnome-session) in the context of the user's login shell. The umask of the login shell can be managed by script (e.g. /etc/profile) to establish a system policy for user created files. However, Xsession sources xdg-user-dirs.sh before this umask policy is set which results in the creation of XDG user directories that don't honor it.

How reproducible:
Always

Steps to Reproduce:
1. Change umask for normal users from the default (002) to 007 in /etc/profile.
2. Create a new, normal user.
3. Graphically log in as this new user.
4. Run "stat -c %a Desktop" in a shell.

Actual results:
755

Expected results:
750

Additional info:
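
Added example (not part of the bug report or of xdg-user-dirs): a small offline simulation of the ordering problem described above. It assumes that xdg-user-dirs asks mkdir(2) for mode 0755 (inferred from the expected result 750 = 0755 & ~0007, not stated on the page) and that the session starts with a display-manager umask of 022 before /etc/profile runs (also an assumption). `simulate_login` returns the mode the Desktop directory ends up with and whether a policy check would accept it; the directory is created in a temporary location, never in a real home.

```python
"""Simulate the Xsession ordering bug: directory creation before vs. after
the /etc/profile umask policy is applied. Added example, not project code."""
import os
import stat
import tempfile

XDG_CREATE_MODE = 0o755   # mode xdg-user-dirs requests from mkdir(2) (assumption)
DM_UMASK = 0o022          # umask inherited from the display manager (assumption)
POLICY_UMASK = 0o007      # site policy set in /etc/profile, as in the report


def dir_mode(path):
    """Return the permission bits of path as an octal string such as '750'."""
    return format(stat.S_IMODE(os.stat(path).st_mode), "o")


def check_against_policy(path, policy_umask=POLICY_UMASK):
    """True if no bit that the policy umask should have cleared is set on path.

    This is the check a compliance scan would run over a user's XDG
    directories after the first graphical login.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & policy_umask) == 0


def simulate_login(policy_first, policy_umask=POLICY_UMASK):
    """Return (mode, compliant) for a Desktop directory created during login.

    policy_first=False mirrors the buggy Xsession order: xdg-user-dirs.sh is
    sourced (directory created) before /etc/profile applies the policy umask.
    policy_first=True is the corrected order.
    """
    saved = os.umask(DM_UMASK)          # start from the inherited umask
    try:
        with tempfile.TemporaryDirectory() as home:   # stands in for $HOME
            desktop = os.path.join(home, "Desktop")
            if policy_first:
                os.umask(policy_umask)
                os.mkdir(desktop, XDG_CREATE_MODE)
            else:
                os.mkdir(desktop, XDG_CREATE_MODE)
                os.umask(policy_umask)  # too late: Desktop already exists
            return dir_mode(desktop), check_against_policy(desktop, policy_umask)
    finally:
        os.umask(saved)                 # restore the caller's umask


if __name__ == "__main__":
    print("buggy order (create, then umask):", simulate_login(policy_first=False))  # ('755', False)
    print("fixed order (umask, then create):", simulate_login(policy_first=True))   # ('750', True)
```

The buggy order reproduces the report's actual result (755) and the corrected order its expected result (750); with the STIG value of 077 the corrected order yields 700.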

Comment 2 David Sirrine 2017-05-16 19:09:50 UTC
This issue is a CAT II STIG finding for the RHEL 7 STIG. This is causing systems that must maintain STIG to fail the check.

STIG Finding[0]:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Group ID (Vulid): V-71995
Group Title: SRG-OS-000480-GPOS-00228
Rule ID: SV-86619r1_rule
Severity: CAT II
Rule Version (STIG-ID): RHEL-07-020240
Rule Title: The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Vulnerability Discussion: Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.

Check Content:
Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command:

Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.

# grep -i umask /etc/login.defs
UMASK 077

If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.

Fix Text: Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077":

UMASK 077

CCI: CCI-000366
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[0] http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx
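
Added example (not part of the STIG text or the bug report): an automated form of the RHEL-07-020240 check quoted above, applied to the contents of /etc/login.defs. It returns "pass" only for UMASK 077, "finding" when the value is anything else, missing, or commented out, and "finding (CAT I)" for 000, following the Check Content wording. The sample files are constructed for the example; the assumption that a repeated UMASK line is resolved last-wins is the author's, not something the STIG states.

```python
"""Evaluate the RHEL-07-020240 UMASK check against login.defs content.
Added example, not STIG or Red Hat code."""
import re

# login.defs keys are uppercase; the STIG's grep -i is only a convenience
# for the human reviewer, so the match here is case-sensitive.
UMASK_RE = re.compile(r"^\s*UMASK\s+(\S+)")


def login_defs_umask(text):
    """Return the UMASK value set in login.defs text, or None if unset.

    Lines starting with '#' never match, so a commented-out parameter counts
    as missing, as the STIG requires. If UMASK appears more than once, the
    last occurrence wins (assumption about how login.defs is read).
    """
    value = None
    for line in text.splitlines():
        m = UMASK_RE.match(line)
        if m:
            value = m.group(1)
    return value


def evaluate_umask(text):
    """Apply the rule: 077 passes, 000 is a CAT I finding, anything else fails."""
    value = login_defs_umask(text)
    if value is None:
        return "finding"
    if value == "000":
        return "finding (CAT I)"
    if value == "077":
        return "pass"
    return "finding"


# Constructed sample login.defs contents (not taken from any real system).
SAMPLES = {
    "compliant": "# See login.defs(5)\nUMASK 077\n",
    "distro_default": "UMASK 022\n",
    "commented_out": "#UMASK 077\n",
    "world_writable": "UMASK 000\n",
    "missing": "PASS_MAX_DAYS 60\nCREATE_HOME yes\n",
    "overridden": "UMASK 022\nUMASK 077\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(f"{name:15s} -> {evaluate_umask(content)}")
```

The check is deliberately strict about commented-out lines: `grep -i umask` on its own would still print `#UMASK 077`, which is exactly the case the STIG calls out as a finding.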

Comment 18 errata-xmlrpc 2018-04-10 15:04:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0842

