Bug#945000: systemd: Umask set in /etc/login.defs is not honored by systemd user units even if pam_umask is enabled.

Mad Horse equu at openmail.cc
Mon Nov 18 08:53:39 GMT 2019


Package: systemd
Version: 243-5
Severity: important

Dear Maintainer,

The traditional way to change the default umask (change /etc/login.defs with
pam_umask enabled in /etc/pam.d/... ) is broken,
for on my does not honor it in user units.

This is a bug known to upstream (
https://github.com/systemd/systemd/issues/6077 ), and currently the only possible
workaround is to override umask for every user unit, as discussed in
https://bugs.launchpad.net/ubuntu/+source/gnome-terminal/+bug/1685754/comments/21 ,
which is hard to apply.

I may be unable to fix this issue with my own knowledge and resources,
but I can report it to you experts at least.



-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=zh_CN.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8),
LANGUAGE=zh_CN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd depends on:
ii adduser 3.118
ii libacl1 2.2.53-5
ii libapparmor1 2.13.3-6
ii libaudit1 1:2.8.5-2
ii libblkid1 2.34-0.1
ii libc6 2.29-3
ii libcap2 1:2.27-1
ii libcryptsetup12 2:2.2.1-1
ii libgcrypt20 1.8.5-3
ii libgnutls30 3.6.10-4
ii libgpg-error0 1.36-7
ii libidn2-0 2.2.0-2
ii libip4tc2 1.8.3-2
ii libkmod2 26-3
ii liblz4-1 1.9.2-2
ii liblzma5 5.2.4-1+b1
ii libmount1 2.34-0.1
ii libpam0g 1.3.1-5
ii libpcre2-8-0 10.32-5+b1
ii libseccomp2 2.4.1-2
ii libselinux1 2.9-3+b1
ii libsystemd0 243-5
ii mount 2.34-0.1
ii util-linux 2.34-0.1

Versions of packages systemd recommends:
ii dbus 1.12.16-2
ii libpam-systemd 243-5

Versions of packages systemd suggests:
ii policykit-1 0.105-26
pn systemd-container <none>

Versions of packages systemd is related to:
pn dracut <none>
ii initramfs-tools 0.135
ii udev 243-5

-- Configuration Files:
/etc/pam.d/systemd-user changed:
@include common-account
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session required pam_limits.so
@include common-session-noninteractive
session optional pam_systemd.so
session optional pam_umask.so


-- no debconf information


-------------- next part --------------
[OVERRIDDEN] /etc/tmpfiles.d/screen-cleanup.conf -> /usr/lib/tmpfiles.d/screen-cleanup.conf

--- /usr/lib/tmpfiles.d/screen-cleanup.conf	2017-06-19 06:31:56.000000000 +0800
+++ /etc/tmpfiles.d/screen-cleanup.conf	2017-06-30 08:33:17.091685640 +0800
@@ -1 +1 @@
-d /run/screen 0777 root utmp
+d /run/screen 1777 root utmp
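Review bot: on the `+d /run/screen 1777 root utmp` line the directory stays world-writable; the added sticky bit only stops users from removing or renaming entries they do not own, so a comment in the /etc copy recording why this mode is needed would help. The [OVERRIDDEN] marker means the /etc/tmpfiles.d file replaces the /usr/lib/tmpfiles.d one as a whole, so later packaged changes to that file will not take effect here, and the override is unrelated to the umask behaviour this report is about.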

[EXTENDED]   /etc/systemd/system/display-manager.service -> /etc/systemd/system/display-manager.service.d/umask.conf
[EQUIVALENT] /etc/systemd/system/nfdump.service -> /lib/systemd/system/nfdump.service
[MASKED]     /etc/systemd/system/systemd-rfkill.service -> /lib/systemd/system/systemd-rfkill.service
[MASKED]     /etc/systemd/system/systemd-rfkill.socket -> /lib/systemd/system/systemd-rfkill.socket
[MASKED]     /etc/systemd/system/transmission-daemon.service -> /lib/systemd/system/transmission-daemon.service
[EXTENDED]   /lib/systemd/system/rc-local.service -> /lib/systemd/system/rc-local.service.d/debian.conf
[EXTENDED]   /lib/systemd/system/systemd-resolved.service -> /lib/systemd/system/systemd-resolved.service.d/resolvconf.conf
[EXTENDED]   /lib/systemd/system/systemd-timesyncd.service -> /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf
[EXTENDED]   /usr/lib/systemd/user/at-spi-dbus-bus.service -> /etc/systemd/user/at-spi-dbus-bus.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/blueman-applet.service -> /etc/systemd/user/blueman-applet.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/colord-session.service -> /etc/systemd/user/colord-session.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/dbus.service -> /etc/systemd/user/dbus.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/evolution-addressbook-factory.service -> /etc/systemd/user/evolution-addressbook-factory.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/evolution-calendar-factory.service -> /etc/systemd/user/evolution-calendar-factory.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/evolution-source-registry.service -> /etc/systemd/user/evolution-source-registry.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/evolution-user-prompter.service -> /etc/systemd/user/evolution-user-prompter.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/glib-pacrunner.service -> /etc/systemd/user/glib-pacrunner.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/gnome-terminal-server.service -> /etc/systemd/user/gnome-terminal-server.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/gvfs-afc-volume-monitor.service -> /etc/systemd/user/gvfs-afc-volume-monitor.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/gvfs-daemon.service -> /etc/systemd/user/gvfs-daemon.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/gvfs-goa-volume-monitor.service -> /etc/systemd/user/gvfs-goa-volume-monitor.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/gvfs-gphoto2-volume-monitor.service -> /etc/systemd/user/gvfs-gphoto2-volume-monitor.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/gvfs-metadata.service -> /etc/systemd/user/gvfs-metadata.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/gvfs-mtp-volume-monitor.service -> /etc/systemd/user/gvfs-mtp-volume-monitor.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/gvfs-udisks2-volume-monitor.service -> /etc/systemd/user/gvfs-udisks2-volume-monitor.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/obex.service -> /etc/systemd/user/obex.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/rygel.service -> /etc/systemd/user/rygel.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/telepathy-gabble.service -> /etc/systemd/user/telepathy-gabble.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/telepathy-logger.service -> /etc/systemd/user/telepathy-logger.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/telepathy-mission-control-5.service -> /etc/systemd/user/telepathy-mission-control-5.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/telepathy-salut.service -> /etc/systemd/user/telepathy-salut.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/tracker-extract.service -> /etc/systemd/user/tracker-extract.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/tracker-miner-apps.service -> /etc/systemd/user/tracker-miner-apps.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/tracker-miner-fs.service -> /etc/systemd/user/tracker-miner-fs.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/tracker-store.service -> /etc/systemd/user/tracker-store.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/tracker-writeback.service -> /etc/systemd/user/tracker-writeback.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/zeitgeist-fts.service -> /etc/systemd/user/zeitgeist-fts.service.d/umask.conf
[EXTENDED]   /usr/lib/systemd/user/zeitgeist.service -> /etc/systemd/user/zeitgeist.service.d/umask.conf

39 overridden configuration files found.

-------------- next part --------------
# This file is part of systemd.
#
# Used by systemd --user instances.

@include common-account

session  required pam_selinux.so close
session  required pam_selinux.so nottys open
session  required pam_loginuid.so
session  required pam_limits.so
@include common-session-noninteractive
session optional pam_systemd.so

session optional pam_umask.so
-------------- next part --------------
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session	[default=1]			pam_permit.so
# here's the fallback if no module succeeds
session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional	pam_systemd.so 
session	optional	pam_ecryptfs.so unwrap
# end of pam-auth-update config

session optional	pam_umask.so


More information about the Pkg-systemd-maintainers mailing list
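
The per-unit workaround mentioned in the report can be checked mechanically. This is an added example, not part of the original message: it lists user units that have no drop-in setting `UMask=` to the value in a login.defs-style file. The function names and the constructed sample tree are assumptions; the sketch assumes a single UMASK line and only inspects drop-ins, not the unit files themselves.

```shell
#!/bin/sh
# Added example (not from the report): list user units that have no drop-in
# setting UMask= to the value configured in a login.defs-style file.

# Print the first uncommented UMASK value (assumes one UMASK line).
login_defs_umask() {
    awk '$1 == "UMASK" { print $2; exit }' "$1"
}

# $1 = vendor unit dir, $2 = override dir, $3 = wanted umask (octal).
units_missing_umask() {
    vendor=$1
    override=$2
    # Compare without leading zeros so 027 and 0027 are treated alike.
    digits=$(printf '%s' "$3" | sed 's/^0*//')
    for unit in "$vendor"/*.service; do
        [ -e "$unit" ] || continue
        name=${unit##*/}
        # -s hides the error when the unit has no drop-in directory at all.
        if ! grep -qsE "^[[:space:]]*UMask=0*${digits}[[:space:]]*\$" \
                "$override/$name.d"/*.conf; then
            echo "$name"
        fi
    done
}

# Constructed sample tree: three units, one correct drop-in, one with a
# different umask, one with no drop-in.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/vendor" "$t/etc/dbus.service.d" "$t/etc/obex.service.d"
    printf '# constructed sample\nUMASK\t\t027\n' > "$t/login.defs"
    : > "$t/vendor/dbus.service"
    : > "$t/vendor/obex.service"
    : > "$t/vendor/rygel.service"
    printf '[Service]\nUMask=027\n' > "$t/etc/dbus.service.d/umask.conf"
    printf '[Service]\nUMask=022\n' > "$t/etc/obex.service.d/umask.conf"
    units_missing_umask "$t/vendor" "$t/etc" "$(login_defs_umask "$t/login.defs")"
    rm -rf "$t"
}

demo
```

On a real system the three arguments would be /usr/lib/systemd/user, /etc/systemd/user and the value read from /etc/login.defs, the paths that appear in the report.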