Bug 900 - umask value will not be set for user root
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.20
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2019-10-11 07:24 MDT by Ferenc Ulrich
Modified: 2019-12-31 15:09 MST

Description Ferenc Ulrich 2019-10-11 07:24:35 MDT
Hi there,

OS version is: SuSE Linux Enterprise Server 12 SP4
sudo version is: sudo-1.8.20p2-3.7.10.x86_64

problem is: sudo overrides umask value set by pam_umask.so

the common-session is:

session    required        pam_limits.so
session    required        pam_unix.so     try_first_pass
session    optional        pam_umask.so
session    optional        pam_systemd.so
session    optional        pam_env.so


The desired umask value for user root is described in /etc/passwd:

root:x:0:0:root,,,,umask=0077:/root:/bin/bash

umask option is not set in /etc/sudoers:
# grep umask /etc/sudoers
#

However, when running sudo, another umask value will be set:

auser@sles12sp4:~> umask
0007
auser@sles12sp4:~> sudo bash --norc --noprofile
bash-4.3# umask
0027                        <============ this should be 0077
bash-4.3#


According to the sudoers man page, the umask value will be set *by PAM* on systems with PAM:

 umask             Umask to use when running the command.  Negate this option or set it to 0777 to preserve the user's umask.  The actual umask that is used will be the union of the user's umask and the value of the umask option, which defaults to 0022.  This guarantees that sudo never lowers the umask when running a command.  Note: on systems that use PAM, the default PAM configuration may specify its own umask which will  override the value set in sudoers.


Please check this bug.
Thanks
Comment 1 Todd C. Miller 2019-10-12 11:00:36 MDT
At one point the PAM session code ran after sudo had set the umask, effectively overriding the umask sudo set itself.  In the current code, PAM session modules run before sudo sets the umask so the documentation needs to be updated to reflect this.

If you want to have the umask set by pam_umask preserved, add the following line to your sudoers:

Defaults !umask
Comment 2 Todd C. Miller 2019-10-18 06:24:08 MDT
Sudo 1.8.29 will contain a change that allows PAM to override the default umask set by sudo.  However, if the umask is explicitly set in sudoers it will override the value set by PAM.  I think this is a reasonable compromise.

The commit in question is:
https://www.sudo.ws/repos/sudo/rev/7c0a835ac512
Comment 3 Ferenc Ulrich 2019-10-18 07:13:37 MDT
Thanks :)
Comment 4 Todd C. Miller 2019-12-31 15:09:36 MST
Fixed in sudo 1.8.29
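
A model of the umask resolution discussed in this thread, added here as an illustration and not taken from sudo's source or from any comment above. It reproduces the reported 0027 as the union of the invoking user's 0007 and the sudoers default 0022, and shows the effect of "Defaults !umask" and of the 1.8.29 change. The function and parameter names are hypothetical.

```python
# Added illustration: a model of the umask resolution described in this thread.
# Not sudo's source code; function and parameter names are hypothetical.

DEFAULT_SUDOERS_UMASK = 0o022  # sudoers default, per the man page excerpt
PRESERVE = 0o777               # man page: 0777 behaves like negating the option


def effective_umask(user_umask, pam_umask=None, sudoers_umask=None,
                    umask_disabled=False, pam_overrides_default=False):
    """Return the umask the command runs with.

    user_umask            umask of the invoking user's shell
    pam_umask             value applied by pam_umask during the session, or None
    sudoers_umask         explicit "Defaults umask=..." value, or None if unset
    umask_disabled        True for "Defaults !umask"
    pam_overrides_default False: 1.8.20 as described in comment 1;
                          True: 1.8.29 as described in comment 2
    """
    # What the process holds once the PAM session modules have run.
    inherited = pam_umask if pam_umask is not None else user_umask

    if umask_disabled or sudoers_umask == PRESERVE:
        return inherited  # sudo leaves the umask alone

    if sudoers_umask is None and pam_overrides_default and pam_umask is not None:
        return pam_umask  # PAM wins over sudo's built-in default only

    # sudo sets its own value after PAM: the union of the user's umask and
    # the sudoers value, so it never lowers the invoking user's umask.
    mask = DEFAULT_SUDOERS_UMASK if sudoers_umask is None else sudoers_umask
    return user_umask | mask


def fmt(mask):
    """Format a umask the way the shell prints it, e.g. 0027."""
    return format(mask, "04o")


if __name__ == "__main__":
    user, pam = 0o007, 0o077  # values from the report
    print("1.8.20, umask unset in sudoers:", fmt(effective_umask(user, pam)))
    print("1.8.20, Defaults !umask:       ",
          fmt(effective_umask(user, pam, umask_disabled=True)))
    print("1.8.29, umask unset in sudoers:",
          fmt(effective_umask(user, pam, pam_overrides_default=True)))
    print("1.8.29, Defaults umask=0022:   ",
          fmt(effective_umask(user, pam, sudoers_umask=0o022,
                              pam_overrides_default=True)))
```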