Description of problem: pam_oddjob_mkhomedir does not honour umask while creating home directories. the umask in the original code is processed with atoi() which translates the string in integer base 10; this makes the umask incorrect if it's led by 0. Changing this by strtol() base 8 makes it work as expected. However some checks were added, since strtol() in most of the cases returns 0 if we passed non-integer values, we can result then into a umask(0) which would provide world-wide writable rights to every file created within that home directory. Version-Release number of selected component (if applicable): oddjob-0.27-1 How reproducible: Always. Steps to Reproduce: 1. Create a user testuser 2. echo testuser | /usr/lib/oddjob/mkhomedir -u 0077 3. ls -ld /home/testuser Actual results: % echo testuser | /usr/lib/oddjob/mkhomedir -u 0077 Creating home directory for testuser. % ls -ld /home/testuser drw-r----- 3 testuser testuser 4096 Jun 29 10:54 /home/testuser Expected results: % echo testuser | sudo ./mkhomedir -u 0077 Creating home directory for testuser. % ls -ld /home/testuser drwx------ 3 testuser testuser 4096 Jun 29 10:55 /home/testuser Additional info: With the additional code, since this can also provide data on input stream, we should close pipes before writing. There were two cases I think we should prevent EPIPE, one is the --help, the other one is when the -u umask is not octal string so we abort (with patch applied). To reproduce: With no patch: % echo test | /usr/lib/oddjob/mkhomedir --help That provides Broken Pipe With patch adds another one (fixed): % echo test | /usr/lib/oddjob/mkhomedir -u not_an_octal_string Let me know if you need more infos.
Created attachment 158482 [details] epipe_octals
I think that ignoring SIGPIPE in oddjobd so that its calls to write() return with an EPIPE error would be preferable. The strtol() function already returns an error if the data passed to it isn't a number of some kind, so calling it directly should be fine. Doing that for 0.29.
Created attachment 281471 [details] current proposed patch
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0021.html