
#1 2019-08-05 16:52:06

dawnofman
Member
Registered: 2019-07-26
Posts: 140

[solved] how to set UMASK in /etc/passwd GECOS field ?

I want to set default UMASKs for specific system/normal users.

My first attempt was with:

useradd --comment='John Doe' --key='UMASK=077' someone;

This produces a GECOS field in /etc/passwd as follows: 'John Doe', which is OK. I understand the GECOS field is a comma-delimited set of values with the name in the first place (which in my case is right), followed by building and room number and office and home phone numbers (a set of standard attributes), which I did not specify since I don't care about those.

Reading the man page for useradd: it explains that using --key='UMASK=###' is solely intended for the home directory creation, and this is also working as expected in my case.

Reading the man page for pam_umask: it explains that upon login the UMASK is set as follows:

The PAM module tries to get the umask value from the following places in the following order:

• umask= entry in the user's GECOS field
• umask= argument
• UMASK entry from /etc/login.defs
• UMASK= entry from /etc/default/login

I am aware of chfn to change the GECOS field but the man page doesn't say anything other than the standard contact attributes.

What I am not able to discern is how to change the GECOS field for (non-standard/extended/whatever) attributes like UMASK in the first place; moreover, I know I can edit /etc/passwd directly (which is not good practice after all), but even then I don't know the order/format for the other fields.

I also know that I can override the default system-wide UMASK in /etc/login.defs, that I can also place a default UMASK with umask in /etc/bash.bashrc, and that I can also place code in /etc/profile to set a specific UMASK matching the user logging in (I am currently doing this), but the method that seems correct is that the UMASK should be placed along with the user properties, i.e. in /etc/passwd.

A while ago I was evaluating a BSD installation and I did find the best approach to handle this was with login classes (which Linux doesn't have; although I know I have to research cgroups, which seem to be something like the analog to login classes, or so I guess).

FIX/SOLUTION (edited on 2019-08-08):

To set a default UMASK on a per-user basis, no matter what login shell they are using, and be able to clean up the shell initialization scripts (e.g. /etc/bash.bashrc, /etc/profile, ...) in the process:

  • UMASK should go as the 5th attribute of the so-called GECOS field in /etc/passwd in the following form: 'name,,,,UMASK=###', where ### is the intended UMASK to set, e.g. 077 ... on Arch Linux (as on other distros) the GECOS field can be changed with chfn; however, on Arch we lack the --other switch to modify anything beyond the 4th attribute, so we can:

    • manually edit /etc/passwd (do not forget to execute pwck to verify the file integrity afterwards)

    • useradd/usermod --comment='somebody,,,,UMASK=###'; ... both work and set everything in the GECOS field at once; it is all or nothing (I previously mentioned this did not work; I was wrong)

  • adding this per-user default UMASK to /etc/passwd does not imply that it will be automatically used: the feature that makes this happen is the pam_umask module in the PAM stack, which can be enabled by adding the following line (at the bottom of the existing file) to /etc/pam.d/login: session optional pam_umask.so ... advice: be extremely careful when modifying anything PAM-related; you can be locked out of the system quite easily

The above mechanism works flawlessly, and the best part is getting rid of the many conditional statements usually present in the shell initialization scripts to set default behavior on a per-user basis, which is good since these files are for system-wide settings after all.

Keep in mind that setting a default UMASK for any given user does not prevent the user from changing it upon login (with the umask command)!

Of related interest: the pam_env module can be used to set system-wide variables too.

And thanks everyone for pointing me the right way :)

Last edited by dawnofman (2019-08-08 17:52:46)
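An added example (my own, not code from the thread or from Linux-PAM): a POSIX shell script that resolves the umask a login would get, following the lookup order quoted from the pam_umask man page in this post, and then shows what that umask does to newly created files and directories. The passwd and login.defs lines are constructed sample data, not real system files. One assumption to check against your pam_umask: the script accepts a umask= entry in any comma-separated GECOS sub-field, case-insensitively, so both the 'name,,,,UMASK=077' form from the solution and a shorter 'name,umask=027' form resolve; the /etc/default/login fallback is not modelled.

```shell
#!/bin/sh
# Added example: resolve the umask pam_umask would apply for a user, in the
# order quoted from the pam_umask man page:
#   1. umask= entry in the GECOS field   2. umask= module argument
#   3. UMASK in /etc/login.defs          (4. /etc/default/login: not modelled)
# Assumption: "umask=" is matched in ANY comma-separated GECOS sub-field,
# case-insensitively, not only in the fifth one.

# Constructed sample data (not a real /etc/passwd or /etc/login.defs).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Doe,,,,UMASK=077:/home/alice:/bin/bash
bob:x:1001:1001:Bob Roe,umask=0027:/home/bob:/bin/zsh
carol:x:1002:1002:Carol Poe,Room 42,555-1234:/home/carol:/bin/sh'

SAMPLE_LOGIN_DEFS='# constructed excerpt of /etc/login.defs
UMASK           022'

# gecos_umask USER [PASSWD_TEXT] -> prints the GECOS umask= value, or nothing.
gecos_umask() {
    gu_passwd=${2:-$(cat /etc/passwd)}
    printf '%s\n' "$gu_passwd" \
      | awk -F: -v u="$1" '$1 == u { print $5; exit }' \
      | tr ',' '\n' \
      | awk 'tolower(substr($0, 1, 6)) == "umask=" { print substr($0, 7); exit }'
}

# logindefs_umask [LOGIN_DEFS_TEXT] -> prints the UMASK value, or nothing.
logindefs_umask() {
    ld_text=${1:-$(cat /etc/login.defs)}
    printf '%s\n' "$ld_text" | awk '$1 == "UMASK" { print $2; exit }'
}

# effective_umask USER PASSWD_TEXT LOGIN_DEFS_TEXT [MODULE_ARG]
# MODULE_ARG stands in for a "umask=NNN" argument on the pam_umask line.
effective_umask() {
    eu_mask=$(gecos_umask "$1" "$2")
    [ -n "$eu_mask" ] || eu_mask=$4
    [ -n "$eu_mask" ] || eu_mask=$(logindefs_umask "$3")
    printf '%s\n' "$eu_mask"
}

# perm_after_umask CREATE_MODE UMASK -> resulting mode, e.g. 666 077 -> 0600.
# A leading 0 makes $(( )) read both numbers as octal.
perm_after_umask() {
    printf '%04o\n' $(( 0$1 & ~0$2 ))
}

# Demonstration on the constructed data: GECOS wins for alice and bob,
# carol falls through to login.defs.
for u in alice bob carol; do
    m=$(effective_umask "$u" "$SAMPLE_PASSWD" "$SAMPLE_LOGIN_DEFS")
    printf '%-6s umask=%-5s new file -> %s  new dir -> %s\n' \
        "$u" "$m" "$(perm_after_umask 666 "$m")" "$(perm_after_umask 777 "$m")"
done
```

Run it as-is to see the three resolutions; call effective_umask with a fourth argument to see how a umask= argument on the pam_umask line only matters for users without a GECOS entry, which is why the GECOS form is the per-user override and the module argument the site-wide one.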


#2 2019-08-05 17:15:21

loqs
Member
Registered: 2014-03-06
Posts: 17,369

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

Have you tried creating something similar to

useradd --comment='umask=077' someone;


#3 2019-08-05 17:18:53

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

loqs wrote:

Have you tried creating something similar to

useradd --comment='umask=077' someone;

No, because I did not know the order of the attributes other than the standard ones. I'll give it a try.


#4 2019-08-05 17:22:22

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

loqs wrote:

Have you tried creating something similar to

useradd --comment='umask=077' someone;

Did not work:

usermod --comment='John Doe,UMASK=077' someone;

/etc/passwd now has: 'John Doe,UMASK=077'

login/logout ... umask ... 022


#5 2019-08-05 17:28:26

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

loqs wrote:

Have you tried creating something similar to

useradd --comment='umask=077' someone;

I did find references in the net to:

chfn [-f full_name] [-r room_no] [-w work_ph] [-h home_ph] [-o other] [user]

But arch-linux's chfn lacks the -o (other) switch which seemed interesting.


#6 2019-08-05 17:38:39

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

loqs wrote:

Have you tried creating something similar to

useradd --comment='umask=077' someone;

The following seems to be the way of achieving this; quoting from chfn man page of another distro:

-o, --other OTHER
           Change the user's other GECOS information. This field is used to store accounting information used by other applications, and can be
           changed only by a superuser.

Quoting "using GECOS & PAM for custom umask settings":

... we use the GECOS field in the passwd file for the user, as mentioned in the ‘man page’ for pam_umask ...

chfn -o "umask=0002" username


#7 2019-08-05 17:54:44

loqs
Member
Registered: 2014-03-06
Posts: 17,369

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

chfn --other
chfn: unrecognized option '--other'
Try 'chfn --help' for more information.

Distribution specific patch?
Edit:
Set it using usermod --comment instead?

Last edited by loqs (2019-08-05 17:56:39)


#8 2019-08-05 18:13:23

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

loqs wrote:
chfn --other
chfn: unrecognized option '--other'
Try 'chfn --help' for more information.

Distribution specific patch?
Edit:
Set it using usermod --comment instead?

It didn't work, neither with usermod nor by editing /etc/passwd directly.

Non-Arch chfn; exactly:

But arch-linux's chfn lacks the -o (other) switch which seemed interesting.


#9 2019-08-05 18:25:55

loqs
Member
Registered: 2014-03-06
Posts: 17,369

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

Where in the pam stack have you added pam_umask?  If you add the debug option to pam_umask is the debug information recorded?
If you add the umask option to pam_umask does that work?  What is the passwd entry you are testing?
Edit:
Also have you disabled the umask call in /etc/profile?

Last edited by loqs (2019-08-05 18:52:13)


#10 2019-08-05 19:43:34

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

loqs wrote:

Where in the pam stack have you added pam_umask?

I didn't !

Ain't PAM running by default on arch-linux ?

What is the passwd entry you are testing?

custom common users: UID >= 1000
custom system users: UID >= 100

Also have you disabled the umask call in /etc/profile?

Of course; nothing in my profiles is changing the default UMASK.


#11 2019-08-05 19:45:55

loqs
Member
Registered: 2014-03-06
Posts: 17,369

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

The default pam stack does not contain pam_umask.

grep -r umask /etc/pam.d/

See PAM and /etc/pam.d

Last edited by loqs (2019-08-05 19:46:13)


#12 2019-08-05 19:52:36

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

Thanks loqs !

loqs wrote:

The default pam stack does not contain pam_umask.

Didn't know ... reading the PAM pages now.


#13 2019-08-05 20:10:00

loqs
Member
Registered: 2014-03-06
Posts: 17,369

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

As you mention system users are you expecting this to apply to system services as started by systemd?


#14 2019-08-05 20:28:50

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

loqs wrote:

As you mention system users are you expecting this to apply to system services as started by systemd?

Not sure yet, but possibly. I suppose you did mention it by the fact that now there's a login.d directory to override the one defined by default by the service. I guess you're implying I can achieve the same overriding the user/group settings and the like?


#15 2019-08-05 20:35:26

loqs
Member
Registered: 2014-03-06
Posts: 17,369

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

systemd does allow PAM support with the PAMName directive, but I have not seen any service file using it; by default PAM is not used by systemd services.
You can set the umask directly in the service file with the UMask directive; see man 5 systemd.exec.

Last edited by loqs (2019-08-05 20:47:47)
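An added example of the systemd route described in this post (mine, not from the thread): a drop-in for a hypothetical unit named myservice.service that sets the umask for that service directly. A service started without PAMName= never runs the pam_umask session hook, so a UMASK= entry in the account's GECOS field has no effect on it; the unit name and drop-in path are assumptions.

```ini
# /etc/systemd/system/myservice.service.d/umask.conf   (unit name and path assumed)
# Drop-ins are merged into the unit; only the directives listed here change.
[Service]
# Octal, as for the umask shell builtin: files -> 0600, directories -> 0700.
UMask=0077
```

After `systemctl daemon-reload`, `systemctl show -p UMask myservice.service` prints the value the service manager will apply, which is a quicker check than reading the process's /proc/PID/status after a restart. The GECOS entry remains the right place for interactive logins of that same account.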


#16 2019-08-05 20:39:24

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

loqs wrote:

systemd does allow PAM support with the PAMName directive, but I have not seen any service file using it; by default PAM is not used by systemd services.
You can set the umask directly in the service file with the UMask directive; see man 5 systemd.exec.

I'll be checking it tonight !

Thanks for the tip !


#17 2019-08-08 04:55:46

dawnofman
Member
Registered: 2019-07-26
Posts: 140

Re: [solved] how to set UMASK in /etc/passwd GECOS field ?

loqs wrote:

systemd does allow PAM support with the PAMName directive, but I have not seen any service file using it; by default PAM is not used by systemd services.
You can set the umask directly in the service file with the UMask directive; see man 5 systemd.exec.

Sorry for the delay loqs: yesterday I started researching PAM and I keep researching it; PAM is complex, too complex I guess, documentation is lacking sometimes, and I did not come across good examples yet. I mean, there are a lot of examples saying this way or the other for any specific directive, but they are sparse on where/how to put them all together, and better yet, why put directives this way and not the other.

Besides our wiki entry for PAM, the System Administrators' Guide at linux-pam.org provides the correct grammar, which helps a lot (by the way, this site has good documentation but is one of those exasperating sites requiring you to constantly navigate between pages with little content on each of them), but what I cannot find yet is something like: if you want to use the (e.g.) pam_umask module you should place it before/after module x on the stack because blah blah blah ...

What I know so far is that the pam_umask-related directive should go in /etc/pam.d/login on Arch Linux; quoting 6.36: pam_umask:

Add the following line to /etc/pam.d/login to set the user specific umask at login:

session optional pam_umask.so umask=0022

... where? At the bottom of the file? Because it is an optional directive that won't let the login fail anyway?

The pam_env module also seems very interesting to unload some stuff on /etc/bash.bashrc and /etc/profile.

I know I can try and see, but I do not like this approach; I like to fully understand what I am doing to begin with, and I did read in many places that a mistake in the PAM stack configuration could lead you to not be able to log in anymore, needing to start a rescue image, so I am playing it safe.

PS: Is the Linux-PAM architecture/implementation still considered the best way to do such things, or are there other technologies targeting the same problem that I am not aware of? I did find, for example, that in the BSD world they came across OpenPAM after Linux-PAM and after the original BSD PAM implementation. I did also find references saying OpenPAM was started because of the very poor code quality of Linux-PAM that was being used in the BSD world years ago. Just gathering as much info as I can.
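An added example for the procedure the thread settled on (the solution in post #1 and the "where does the line go?" question in this post); it is my code, not something from the thread or from Linux-PAM. It rewrites one user's GECOS field so that it carries exactly one UMASK= entry while leaving the name, room and phone sub-fields alone (something usermod --comment cannot do, since it replaces the whole field), appends the pam_umask session line at the bottom of a PAM file only if no active one is there yet, and runs a cheap pwck-like sanity check. Every function takes the file to edit as an argument, so it can be rehearsed on copies in a scratch directory before touching /etc; the sample passwd and PAM lines in demo are constructed, and the 5th-sub-field placement 'name,,,,UMASK=###' is the convention from post #1, adopted here as an assumption.

```shell
#!/bin/sh
# Added example: per-user umask into GECOS + enable pam_umask, on files you name.
# Not from the thread. Rehearse on copies; on the live /etc/passwd prefer
# vipw (it takes the lock) or usermod, and run pwck afterwards.

# set_gecos_umask PASSWD_FILE USER UMASK
# Exit status: 0 ok, 1 tempfile failure, 2 malformed umask, 3 user not found.
set_gecos_umask() {
    sg_file=$1 sg_user=$2 sg_mask=$3
    case $sg_mask in
        [0-7][0-7][0-7]|0[0-7][0-7][0-7]) ;;
        *) echo "set_gecos_umask: bad umask '$sg_mask'" >&2; return 2 ;;
    esac
    sg_tmp=$(mktemp) || return 1
    awk -F: -v OFS=: -v u="$sg_user" -v m="$sg_mask" '
        $1 == u {
            n = split($5, f, ",")
            if (n == 0) n = 1              # empty GECOS: one empty name sub-field
            out = ""; replaced = 0
            for (i = 1; i <= n; i++) {
                # existing umask= entry in any position, any case: replace in place
                if (tolower(substr(f[i], 1, 6)) == "umask=") { f[i] = "UMASK=" m; replaced = 1 }
                out = out (i > 1 ? "," : "") f[i]
            }
            if (!replaced) {
                while (n < 4) { out = out ","; n++ }   # keep room/work/home slots
                out = out ",UMASK=" m                  # -> name,,,,UMASK=###
            }
            $5 = out; found = 1
        }
        { print }
        END { exit (found ? 0 : 3) }
    ' "$sg_file" > "$sg_tmp"
    sg_rc=$?
    # Write through cat so the file keeps its inode, owner and mode.
    [ "$sg_rc" -eq 0 ] && cat "$sg_tmp" > "$sg_file"
    rm -f "$sg_tmp"
    return "$sg_rc"
}

# enable_pam_umask PAM_FILE [MODULE_ARGS...]
# Appends "session optional pam_umask.so ARGS" at the bottom, once; an
# uncommented pam_umask session line already present is left untouched.
enable_pam_umask() {
    ep_file=$1; shift
    if grep -Eq '^[[:space:]]*session[[:space:]].*pam_umask\.so' "$ep_file"; then
        return 0
    fi
    ep_line='session    optional    pam_umask.so'
    [ $# -gt 0 ] && ep_line="$ep_line $*"
    printf '%s\n' "$ep_line" >> "$ep_file"
}

# check_passwd PASSWD_FILE -> 0 if every line has 7 fields, numeric uid/gid
# and a unique user name; a stand-in for `pwck -r` on a staging copy.
check_passwd() {
    awk -F: '
        NF != 7 || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { bad++ }
        seen[$1]++ > 0 { bad++ }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# demo: rehearse the whole procedure on constructed copies, then print them.
demo() {
    dm_dir=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1000:1000:Alice Doe:/home/alice:/bin/bash' > "$dm_dir/passwd"
    printf '%s\n' '#%PAM-1.0' 'session    include      system-local-login' > "$dm_dir/login"
    set_gecos_umask "$dm_dir/passwd" alice 077
    enable_pam_umask "$dm_dir/login" debug
    check_passwd "$dm_dir/passwd" && cat "$dm_dir/passwd" "$dm_dir/login"
    rm -rf "$dm_dir"
}
case ${1:-} in demo) demo ;; esac
```

`sh script.sh demo` prints the edited copies; to apply for real, pass /etc/passwd and /etc/pam.d/login, keep a root shell open on another tty until a fresh login has been tried, and remember that pam_umask as an optional session module never blocks a login on its own, so appending it at the bottom is the safe placement.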

