Bugzilla – Bug 900
umask value will not be set for user root
Last modified: 2019-12-31 15:09:36 MST
Hi there,

OS version is: SuSE Linux Enterprise Server 12 SP4
sudo version is: sudo-1.8.20p2-3.7.10.x86_64

problem is: sudo overrides umask value set by pam_umask.so

the common-session is:

    session required pam_limits.so
    session required pam_unix.so try_first_pass
    session optional pam_umask.so
    session optional pam_systemd.so
    session optional pam_env.so

The desired umask value for user root is described in /etc/passwd:

    root:x:0:0:root,,,,umask=0077:/root:/bin/bash

umask option is not set in /etc/sudoers:

    # grep umask /etc/sudoers
    #

However, when running sudo, another umask value will be set:

    auser@sles12sp4:~> umask
    0007
    auser@sles12sp4:~> sudo bash --norc --noprofile
    bash-4.3# umask
    0027 <============ this should be 0077
    bash-4.3#

According to the sudoers man page, the umask value will be set *by PAM* on systems with PAM:

    umask   Umask to use when running the command. Negate this option or set it
            to 0777 to preserve the user's umask. The actual umask that is used
            will be the union of the user's umask and the value of the umask
            option, which defaults to 0022. This guarantees that sudo never
            lowers the umask when running a command. Note: on systems that use
            PAM, the default PAM configuration may specify its own umask which
            will override the value set in sudoers.

Please check this bug.
Thanks
At one point the PAM session code ran after sudo had set the umask, effectively overriding the umask sudo set itself. In the current code, PAM session modules run before sudo sets the umask, so the documentation needs to be updated to reflect this. If you want to have the umask set by pam_umask preserved, add the following line to your sudoers:

    Defaults !umask
Sudo 1.8.29 will contain a change that allows PAM to override the default umask set by sudo. However, if the umask is explicitly set in sudoers it will override the value set by PAM. I think this is a reasonable compromise. The commit in question is: https://www.sudo.ws/repos/sudo/rev/7c0a835ac512
Thanks :)
Fixed in sudo 1.8.29
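Added illustration (not sudo's or pam_umask's source): a small Python model of the umask resolution described in the man page excerpt of comment 1 and the maintainer's explanation in comments 2 and 3, reproducing the reported 0027, the "Defaults !umask" workaround and the 1.8.29 behaviour. The parameter names and the `pam_beats_default` switch are assumptions made for the model.

```python
# Model of how sudo arrives at the umask of the command it runs, per the
# sudoers man page text quoted in comment 1 and comments 2 and 3 of this bug.
# Illustration only; flag names are assumptions, not sudo's internal names.
import re

DEFAULT_UMASK = 0o022   # sudoers "umask" option default
PRESERVE = 0o777        # "set it to 0777 to preserve the user's umask"


def gecos_umask(passwd_line):
    """Return the umask= value from a passwd GECOS field (as pam_umask reads it), or None."""
    fields = passwd_line.split(":")
    if len(fields) < 7:
        raise ValueError("not a passwd(5) line")
    for item in fields[4].split(","):
        m = re.fullmatch(r"umask=([0-7]{3,4})", item.strip())
        if m:
            return int(m.group(1), 8)
    return None


def effective_umask(user_umask, sudoers_umask=DEFAULT_UMASK, *, explicit=False,
                    pam_umask=None, pam_beats_default=True):
    """Model the umask the command started by sudo ends up with.

    user_umask        umask of the invoking shell (sudo records it at startup)
    sudoers_umask     sudoers "umask" option; None models "Defaults !umask"
    explicit          True when an admin set "Defaults umask=..." in sudoers
    pam_umask         umask applied by a PAM session module (pam_umask.so), or None
    pam_beats_default True models sudo >= 1.8.29 (comment 3); False the older behaviour
    """
    # PAM session modules run before sudo sets the umask (comment 2).
    current = pam_umask if pam_umask is not None else user_umask
    # Negated or 0777: sudo does not touch the umask, so the PAM value survives.
    if sudoers_umask is None or sudoers_umask == PRESERVE:
        return current
    # 1.8.29+: a PAM-set umask overrides the default but not an explicit sudoers value.
    if pam_umask is not None and pam_beats_default and not explicit:
        return pam_umask
    # Otherwise: union of the user's umask and the sudoers value; never lowers the umask.
    return user_umask | sudoers_umask


if __name__ == "__main__":
    root_umask = gecos_umask("root:x:0:0:root,,,,umask=0077:/root:/bin/bash")
    # The report: user umask 0007, pam_umask applies 0077, old sudo still yields 0027.
    print(f"{effective_umask(0o007, pam_umask=root_umask, pam_beats_default=False):04o}")
```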