
ubuntu-translations-coordinators team mailing list archive

[Bug 1685754] [NEW] 'systemd --user' unduly forces umask=0022

 

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

[impact]

pam_umask, from /etc/passwd, is not honored in systemd --user instances

[test case]

on a desktop system, edit /etc/passwd to change the test user entry
(e.g. the 'ubuntu' user) to include 'umask=007' in the GECOS field (5th
field). For example change:

ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

to:

ubuntu:x:1000:1000:Ubuntu,umask=007:/home/ubuntu:/bin/bash

You may need to reboot for your X session to pick up the change.

Then, from the graphical desktop, open a terminal and run:

$ gnome-terminal -e sh

in the opened terminal, run:

$ umask

the number shown should be 0007, as set in the passwd file

[regression potential]

any regression would likely result in an incorrect umask for the user
whose passwd entry is modified.

[scope]

this is needed only for b

this is fixed in systemd upstream by commit
5e37d1930b41b24c077ce37c6db0e36c745106c7 which was first included in
v246, so this is fixed in g and later. This commit was also picked up by
Debian and included in the v245 release for focal, so this is fixed in
focal already.

[original description]

In order to set the default umask of my users to 027 or 007, I followed
the instructions provided in 'man pam_umask' :

In the 'gecos' field of '/etc/passwd', I have inserted 'umask=027' or
'umask=007' (for myself).

Then, MOST graphical applications systematically run with the correct
umask.

In particular, when I press Alt-F2, run 'xterm sh' and type 'umask', it
systematically displays 0007.

But when I press Alt-F2, run 'gnome-terminal -e sh' and type 'umask', it
systematically displays 0022.

That is BAD, and is a security issue.

Workaround: Inside the newly created '/etc/profile.d/umask.sh', and in each '~/.bashrc', add the following content:

UMASK="$(grep -o "^$USER:.*,umask=0[0-7]*" /etc/passwd)"
if [ "$UMASK" ]; then
  umask "${UMASK#$USER:*,umask=}"
fi

In fact, 'gnome-terminal' MUST NOT force umask=022, but keep umask
unchanged.

Thank you in advance for a quick correction.

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: gnome-terminal 3.20.2-1ubuntu8
ProcVersionSignature: Ubuntu 4.10.0-19.21-generic 4.10.8
Uname: Linux 4.10.0-19-generic x86_64
ApportVersion: 2.20.4-0ubuntu4
Architecture: amd64
CurrentDesktop: X-Cinnamon
Date: Mon Apr 24 08:36:58 2017
InstallationDate: Installed on 2017-03-28 (26 days ago)
InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Beta amd64 (20170321)
SourcePackage: gnome-terminal
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: ubuntu-translations
     Importance: Undecided
         Status: Invalid

** Affects: gnome-session
     Importance: Undecided
         Status: Invalid

** Affects: gnome-terminal
     Importance: Medium
         Status: Confirmed

** Affects: systemd
     Importance: Unknown
         Status: Unknown

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: systemd (Ubuntu Bionic)
     Importance: Medium
     Assignee: Dan Streetman (ddstreet)
         Status: Fix Committed


** Tags: amd64 apport-bug artful bionic eoan verification-needed verification-needed-bionic zesty
-- 
'systemd --user' unduly forces umask=0022
https://bugs.launchpad.net/bugs/1685754
You received this bug notification because you are a member of Ubuntu Translations Coordinators, which is subscribed to Ubuntu Translations.
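
Added example (not part of the bug report or of systemd): a shell check that compares the umask= entry in a user's GECOS field with the umask of that user's running processes, so the condition from the test case above can be spotted across a whole session. The function names and the optional PROC_ROOT and PASSWD_FILE arguments are assumptions of this example; it reads the Umask: line of /proc/PID/status, which exists on Linux 4.7 and later.

```shell
#!/bin/sh
# Added example, not code from the bug report.
# Paths default to the live system; the optional arguments let the
# functions run against constructed sample data.

# Print the umask= entry from USER's GECOS field (5th passwd field),
# zero-padded to four digits. Prints nothing if there is no such entry.
gecos_umask() {   # usage: gecos_umask USER [PASSWD_FILE]
    awk -F: -v u="$1" '
        $1 == u {
            n = split($5, part, ",")
            for (i = 1; i <= n; i++)
                if (part[i] ~ /^umask=[0-7]+$/) {
                    v = substr(part[i], 7)
                    while (length(v) < 4) v = "0" v
                    print v
                    exit
                }
        }' "${2:-/etc/passwd}"
}

# Print "PID NAME UMASK" for every process owned by USER whose umask
# differs from the GECOS value (NAME is the first word of the Name: line).
umask_mismatches() {   # usage: umask_mismatches USER [PROC_ROOT] [PASSWD_FILE]
    um_user=$1 um_proc=${2:-/proc} um_passwd=${3:-/etc/passwd}
    um_want=$(gecos_umask "$um_user" "$um_passwd")
    [ -n "$um_want" ] || return 0      # no GECOS umask, nothing to compare
    um_uid=$(awk -F: -v u="$um_user" '$1 == u { print $3; exit }' "$um_passwd")
    for um_status in "$um_proc"/[0-9]*/status; do
        [ -r "$um_status" ] || continue
        um_pid=${um_status%/status}
        um_pid=${um_pid##*/}
        awk -v uid="$um_uid" -v want="$um_want" -v pid="$um_pid" '
            $1 == "Name:"  { name = $2 }
            $1 == "Umask:" { mask = $2 }
            $1 == "Uid:"   { owner = $2 }   # real UID
            END {
                if (owner == uid && mask != "" && mask != want)
                    print pid, name, mask
            }' "$um_status" 2>/dev/null
    done
}
```

After sourcing the file, `umask_mismatches "$USER"` lists the processes still running with a umask other than the one configured for pam_umask; no output means every process of that user matches.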