Bug 447430 - gdm greeter can't read .face files in home directories created by useradd
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: gdm
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: jmccann
QA Contact: Fedora Extras Quality Assurance
Duplicates: 452074 473539 476760 487920
Blocks: F10Target F10DesktopTarget
Reported: 2008-05-19 17:32 EDT by Andreas Loening
Modified: 2015-01-14 18:21 EST
Doc Type: Bug Fix
Last Closed: 2009-10-13 14:42:39 EDT

Description Andreas Loening 2008-05-19 17:32:12 EDT
The .face file, used to store the user-pickable icon used by the
fast-user-switching capplet and gdm, cannot be seen by these programs as both
useradd and luseradd create home directories with permission 0700 instead of 0711.

This bug was noticed on a fresh install of Fedora 9. I have not tested this on
previous versions.
Comment 1 Marco Hartgring 2008-05-21 05:08:56 EDT
This could also be issue with selinux. I noticed this behaviour by accident
after having turned selinux to permissive to test something on my system.

selinux enforcing shows no face icon
selinux permissive shows the face icon
Comment 2 Robert Marcano 2008-05-22 15:08:18 EDT
After running "setenforce 0" and restarting GDM, it still does not display the
face icon. Home directory permission is 0700 as it always has been (Fedora 8 GDM
shows the icon), so this does not look like an SELinux-related or file permission
problem, at least on my installation.
Comment 3 Per Thomas Jahr 2008-05-22 16:19:29 EDT
I also had problems with faces not showing up. Changed permission to 0711 for 
the accounts on my box and now it works.
Comment 4 Srinath Madhavan 2008-05-22 20:04:44 EDT
Is changing the permission to 0711 the acceptable fix for this bug?
Comment 5 Ray Strode [halfline] 2008-05-23 15:24:53 EDT
yea, useradd should create dirs with 0711, I think.  Not doing so breaks faces,
public_html directories, and other things. 

Reassigning.
Comment 6 Robert Marcano 2008-05-23 15:30:29 EDT
But why does my Fedora 8 have this home directory?

drwx------ 90 robert   robert   4096 2008-05-23 14:50 robert

and the .faces file works on the old GDM (and I always have SELinux enabled)
Comment 7 Robert Marcano 2008-05-23 15:44:17 EDT
Do not set your home directory to 711; that is a big security error. Any user
will be able to read your files there if they know the name. They will not be
able to list them since the directory is not readable, but all files by a normal
user are created 664 by default.
Comment 8 Ray Strode [halfline] 2008-05-23 15:56:39 EDT
The GDM in F8 would read the faces as root from the daemon and tunnel the raw
image data through a socket to the login screen (which runs as user gdm).
 
We don't do that in F9.

0711 versus 0700 is a trade-off.  Note, though, that the sensitive things that
have well-known names (like private ssh keys, etc.) are already locked down on
their own, and user files aren't listable with 0711.
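
The trade-off argued in comments 7 and 8, as an added example that is not part of the original thread: it builds a constructed home directory in a temporary location and reports what a user outside the owner and group could do under 0700 versus 0711. It judges classic mode bits only (ACLs and SELinux are ignored), and the file names and modes are sample values.

```python
import os
import stat
import tempfile

# Constructed sample contents: relative path -> file mode.
SAMPLE_FILES = {".face": 0o644, ".bash_profile": 0o644, ".ssh/id_rsa": 0o600}


def other_access(home, names):
    """Report what the 'other' permission class allows, from mode bits alone."""
    hmode = os.stat(home).st_mode
    can_list = bool(hmode & stat.S_IROTH)      # r on the directory: list names
    can_traverse = bool(hmode & stat.S_IXOTH)  # x on the directory: open by name
    readable = []
    for rel in names:
        ok = can_traverse
        path = home
        parts = rel.split("/")
        for i, part in enumerate(parts):
            path = os.path.join(path, part)
            mode = os.stat(path).st_mode
            # Intermediate directories need x, the final file needs r.
            need = stat.S_IROTH if i == len(parts) - 1 else stat.S_IXOTH
            ok = ok and bool(mode & need)
        if ok:
            readable.append(rel)
    return {"list": can_list, "traverse": can_traverse, "readable": readable}


def build_home(root, home_mode):
    """Create the constructed home directory with the given mode."""
    home = os.path.join(root, "user")
    os.mkdir(home)
    os.mkdir(os.path.join(home, ".ssh"))
    for rel, mode in SAMPLE_FILES.items():
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(home, ".ssh"), 0o700)  # locked down on its own
    os.chmod(home, home_mode)
    return home, sorted(SAMPLE_FILES)


def compare(modes=(0o700, 0o711)):
    """Return the 'other' access report for each home directory mode."""
    report = {}
    for mode in modes:
        with tempfile.TemporaryDirectory() as root:
            home, names = build_home(root, mode)
            report[oct(mode)] = other_access(home, names)
    return report
```
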
Comment 9 Robert Marcano 2008-05-23 16:04:07 EDT
well I consider even my .bash_profile something sensitive
Comment 10 Robert Marcano 2008-05-23 16:07:14 EDT
Oops forgot to say this, I think something with PolicyKit must be done at the
GDM level to allow access to read those files, but setting home directories to
0711 is not acceptable in my opinion
Comment 11 Tomas Mraz 2008-05-23 16:23:48 EDT
I agree that the default should stay 0700 as is.
Comment 12 Ray Strode [halfline] 2008-05-23 16:39:24 EDT
Okay, I've been outvoted, moving back to gdm
Comment 13 Srinath Madhavan 2008-05-28 18:11:40 EDT
Is there any word on whether this bug has a temporary/permanent fix?
Comment 14 Ray Strode [halfline] 2008-06-05 09:57:37 EDT
Presuming you don't mind the looser permissions, comment 3 is a reasonable
workaround.
Comment 15 Stuart D Gathman 2008-07-24 19:54:55 EDT
A long term fix is to create a sticky directory (like tmp) as /var/lib/faces or
whatever.  Users (and their program agents) can put their face icons in there. 
Perhaps there should be a sticky /var/lib/user-options with a globally readable
directory for each user.  If $HOME should be accessible to the user only, then
there needs to be some other globally readable directory for such configs. 
(.face is similar in purpose to the old .plan and .project).  It makes just as
much sense for users to set their umask to 007 or 077 and let $HOME be globally
readable.  But whichever way you do it, there needs to be a per user globally
readable directory.
Comment 16 Sergio Pascual 2008-10-09 09:34:44 EDT
The same behavior in F10-beta
Comment 17 John Poelstra 2008-10-15 17:30:17 EDT
This bug has been triaged
Comment 18 Ray Strode [halfline] 2008-10-29 12:59:05 EDT
*** Bug 452074 has been marked as a duplicate of this bug. ***
Comment 19 Bug Zapper 2008-11-25 21:17:48 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 20 Ray Strode [halfline] 2008-12-01 16:40:16 EST
*** Bug 473539 has been marked as a duplicate of this bug. ***
Comment 21 Martin Ebourne 2008-12-11 16:34:55 EST
A better temporary workaround is 
  setfacl -m group:gdm:x ~

This at least only gives access to the gdm user.
Comment 22 Sergio Pascual 2009-05-01 18:14:13 EDT
Still broken in fedora 11 preview, with gdm-2.26.1-4
Comment 23 Jon Dufresne 2009-05-27 11:07:03 EDT
*** Bug 487920 has been marked as a duplicate of this bug. ***
Comment 24 Jon Dufresne 2009-05-27 11:08:52 EDT
Bumping version as this is still a bug.
Comment 25 Bug Zapper 2009-06-09 05:34:48 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 26 Eric Tanguy 2009-06-27 10:27:43 EDT
Still broken in fedora 11 final, with gdm-2.26.1-10
Comment 27 Michael Monreal 2009-06-27 10:32:32 EDT
(In reply to comment #26)
> Still broken in fedora 11 final, with gdm-2.26.1-10  

True.

ALSO: I successfully tried the "setfacl -m group:gdm:x ~" workaround on my laptop (which has been updated to F11-current from some of the betas). Yesterday I tried the same thing on my GF's laptop (F11 installed from final live CD) and I get

setfacl: /home/celesta: Die Operation wird nicht unterstützt
(-> operation is not supported)

and I really wonder why?
Comment 28 Martin Ebourne 2009-06-27 13:38:05 EDT
(In reply to comment #27)
> setfacl: /home/celesta: Die Operation wird nicht unterstützt
> (-> operation is not supported)
> 
> and I really wonder why?  

Sounds like acls are not enabled on that filesystem.

For ext3/4 you can change it on the filesystem directly:
  tune2fs -o acl PATH-TO-FILESYSTEM-DEVICE

Or you can mount with -o acl (eg. in fstab).
Comment 29 Michael Monreal 2009-06-27 13:57:35 EDT
(In reply to comment #28)
> Sounds like acls are not enabled on that filesystem.

I was wondering about that myself but can't check until in a few days. This is getting offtopic, but does anyone know if ACLs are supposed to be _off_ on a new F11 installation? If not there is another bug...
Comment 30 Matt Castelein 2009-07-06 10:01:42 EDT
*** Bug 476760 has been marked as a duplicate of this bug. ***
Comment 31 Trevin Beattie 2009-07-09 21:12:46 EDT
This is very perplexing to me.  My own account, which I created when I installed Fedora 10, shows my custom face; but my roommate's account which was created just recently does not show his.  I've tried setting the file permissions on our home directories exactly the same (701) and it makes no difference.  I am not using SELinux or ACL's.

The only thing I can think of is that gdm must be looking for the face icon somewhere other than ~/.face.
Comment 32 Michel Alexandre Salim 2009-08-24 08:25:35 EDT
Any plan to fix this by default for F12?
Comment 33 Richard Schwarting 2009-10-10 16:59:34 EDT
Couldn't it just copy the image set in About Me to /var/gdb/faces/<username>?
Comment 34 Richard Schwarting 2009-10-10 17:13:05 EDT
Er, gdm/, not gdb/
Comment 35 Ray Strode [halfline] 2009-10-13 14:42:39 EDT
Yea this got fixed for 2.28 which will be in F-12.
Comment 36 Nicola Soranzo 2009-10-14 04:15:44 EDT
CLOSED CURRENTRELEASE is not used by Fedora, see:

http://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow

Since I think this will not be backported, I changed the resolution to NEXTRELEASE.

Greetings

---

Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 37 Richard Schwarting 2009-10-14 04:18:57 EDT
Thanks to both of you.
Comment 38 Dimitri Papadopoulos 2010-11-06 10:27:05 EDT
The problem is still there in Fedora 14.

Note that /home has not been formatted and the home dirs have not been created while installing Fedora 14.
Comment 39 Richard Shaw 2010-12-06 17:36:44 EST
I'm not sure it's the same problem. I su'd to gdm and I could access the .face file for my normal login.

# su -l -s /bin/bash gdm
# less /home/<user>/.face

It's a binary file but it did open...
Comment 40 Rich Boyce 2011-01-19 11:38:37 EST
I'm seeing this too, with F14. The home area permissions are drwx--x--x, no ACL, SELinux set to Permissive. Permissions on ~/.face are -rw-r--r-- and, as in Richard Shaw's case, the gdm user certainly can access the user's ~/.face file.
Comment 41 Jonas Kulla 2011-11-23 13:38:48 EST
I encountered the same problem in F15... and after 5 months, I just found out about the work-around =/
