Gentoo Forums
[PASSED] useradd /etc/skel permissions
Forum: Networking & Security
Vieri
PostPosted: Mon Jul 24, 2006 7:59 am    Post subject: [PASSED] useradd /etc/skel permissions

I'm probably missing something simple but I'm experiencing a security flaw with my default gentoo installation.

While useradd seems to preserve file permissions in /etc/skel, it doesn't seem to do the same for directories.

/etc/skel contains files and directories with appropriate permissions, e.g.:
-rw-r--r-- 1 root root 127 Feb 28 11:56 .bash_logout
-rw-r--r-- 1 root root 193 Feb 28 11:56 .bash_profile
-rw-r--r-- 1 root root 976 Feb 28 11:56 .bashrc
drwx------ 5 root root 120 Feb 24 08:02 .maildir
drwx------ 2 root root 48 Feb 24 09:50 .recyclebin
-rw-r--r-- 1 root qmail 82 Mar 2 14:16 .qmail.sample

In particular, ls -la /etc/skel/.maildir/*:
/etc/skel/.maildir/cur:
drwxr-xr-x 2 root root 72 Feb 24 08:02 .
-rw-r--r-- 1 root root 0 Mar 2 14:16 .keep
/etc/skel/.maildir/new:
drwxr-xr-x 2 root root 72 Feb 24 08:02 .
-rw-r--r-- 1 root root 0 Mar 2 14:16 .keep
/etc/skel/.maildir/tmp:
drwxr-xr-x 2 root root 72 Feb 24 08:02 .
-rw-r--r-- 1 root root 0 Mar 2 14:16 .keep

First of all, I don't know whether it's safe enough to give permission 755 to dirs cur and new. So I decided to chmod 700 cur new and tmp.

When a new AD user logs in, its home dir is created with the contents of /etc/skel. File permissions are preserved, directories are not. Supposing the AD user is "biblio":
# ls -la /home/biblio/:
drwxr-xr-x 4 biblio domain users 256 Jul 24 09:43 .
-rw------- 1 biblio domain users 5 Jul 24 09:43 .bash_history
-rw-r--r-- 1 biblio domain users 127 Jul 24 09:43 .bash_logout
-rw-r--r-- 1 biblio domain users 193 Jul 24 09:43 .bash_profile
-rw-r--r-- 1 biblio domain users 976 Jul 24 09:43 .bashrc
drwxr-xr-x 5 biblio domain users 120 Jul 24 09:43 .maildir
drwxr-xr-x 2 biblio domain users 48 Jul 24 09:43 .recyclebin
-rw-r--r-- 1 biblio domain users 82 Jul 24 09:43 .qmail.sample
# ls -la /home/biblio/.maildir/*:
/home/biblio/.maildir/cur:
drwxr-xr-x 2 biblio domain users 72 Jul 24 09:43 .
-rw-r--r-- 1 biblio domain users 0 Jul 24 09:43 .keep
/home/biblio/.maildir/new:
drwxr-xr-x 2 biblio domain users 72 Jul 24 09:43 .
-rw-r--r-- 1 biblio domain users 0 Jul 24 09:43 .keep
/home/biblio/.maildir/tmp:
drwxr-xr-x 2 biblio domain users 72 Jul 24 09:43 .
-rw-r--r-- 1 biblio domain users 0 Jul 24 09:43 .keep

cur, new and tmp have mode 755 instead of the 700 I set in /etc/skel.
How can that be?

Can someone reproduce the same behavior?

Side question:
is there a simple way of running specific commands as root (such as chmod, etc) right after each "useradd call" (to fix certain permissions)?

man useradd doesn't seem to say much on this.

/etc/default/useradd has:
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

A similar post was found here:
https://forums.gentoo.org/viewtopic-t-391640-highlight-useradd+permissions.html

In my case user authentication is done through winbind and a Windows 2003 AD.

[EDIT]
# umask -S
u=rwx,g=rx,o=rx

However I only want to change umask for a specific directory and I don't think this is possible.


Last edited by Vieri on Wed Jul 26, 2006 8:53 pm; edited 2 times in total
Janne Pikkarainen
PostPosted: Mon Jul 24, 2006 8:19 am

During my short test I was unable to reproduce this one with just useradd.

Code:
jaba skel # mkdir .test && chmod 700 .test
jaba skel # ls -lah
total 17K
drwxr-xr-x  3 root root  160 Jul 24 11:15 .
drwxr-xr-x 72 root root 4.6K Jul 24 11:15 ..
-rw-r--r--  1 root root  127 Apr 26 20:22 .bash_logout
-rw-r--r--  1 root root  193 Apr 26 20:22 .bash_profile
-rw-r--r--  1 root root  976 Apr 26 20:22 .bashrc
drwx------  2 root root   48 Jul 24 11:15 .test
jaba skel # useradd -m johndoe
jaba skel # ls -lah ~johndoe
total 12K
drwxr-xr-x 3 johndoe johndoe 160 Jul 24 11:15 .
drwxr-xr-x 9 root    root    224 Jul 24 11:15 ..
-rw-r--r-- 1 johndoe johndoe 127 Jul 24 11:15 .bash_logout
-rw-r--r-- 1 johndoe johndoe 193 Jul 24 11:15 .bash_profile
-rw-r--r-- 1 johndoe johndoe 976 Jul 24 11:15 .bashrc
drwx------ 2 johndoe johndoe  48 Jul 24 11:15 .test
jaba skel # userdel -r johndoe


Maybe winbind sets up some of its own permissions and overrides the ones in /etc/skel?
Vieri
PostPosted: Mon Jul 24, 2006 9:41 am

Thanks for your feedback.
You're right, samba/winbind is the one creating the home dirs in my case, not sys-apps/shadow-4.0.7-r4's useradd.
The /etc/samba/smb.conf part says:
# template homedir determines the home directory for winbind users, with
# %D expanding to their domain name and %U expanding to their username:
; template homedir = /home/%D/%U
template homedir = /home/%U

# When using winbind, you may want to have samba create home directories
# on the fly for authenticated users. Ensure that /etc/pam.d/samba is
# using 'service=system-auth-winbind' in pam_stack modules, and then
# enable obedience of pam restrictions below:
obey pam restrictions = yes

#
# template shell determines the shell users authenticated by winbind get
; template shell = /bin/bash
template shell = /bin/sh

# The add user script is used by a domain member to add local user accounts
# that have been authenticated by the domain controller, or when adding
# users via the Windows NT Tools (ie User Manager for Domains).

# Scripts for file (passwd, smbpasswd) backend:
; add user script = /usr/sbin/useradd -s /bin/false '%u'
; delete user script = /usr/sbin/userdel '%s'
; add user to group script = /usr/bin/gpasswd -a '%u' '%g'
; delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
; set primary group script = /usr/sbin/usermod -g '%g' '%u'
; add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print
; delete group script = /usr/sbin/groupdel '%g'

However, I'm unsure what my best options are: upgrade winbind/samba to an ~unstable version or use "add user script".
Janne Pikkarainen
PostPosted: Mon Jul 24, 2006 9:47 am

How about Samba's directory mask and directory security mask parameters? See man smb.conf for details.
Vieri
PostPosted: Mon Jul 24, 2006 11:15 am

Actually, I've pinpointed it to:
PAM.D File: system-auth (using winbind-provided pam.d system-auth)
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022

So I guess I have to fiddle with pam_mkhomedir.
Vieri
PostPosted: Mon Jul 24, 2006 12:02 pm

I guess changing the following in system-auth pam.d is enough although not exactly what I was looking for:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077

This makes sure all files and directories can only be read/written by the user. But if I create a world readable/writeable file in /etc/skel/ it will not be kept that way in the user's home dir because the umask is applied.
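Added example, not part of the thread or of the pam_mkhomedir/Samba sources: a small POSIX sh script that reproduces the behaviour the posts converge on (directory modes under a pam_mkhomedir-created home follow the module's umask= option, not /etc/skel) and then shows the kind of post-creation fix-up the side question asks for. The skeleton tree, the umask values and all paths are constructed for the demo in a temporary directory; nothing touches the real /etc/skel. The copy model (directories get 0777 & ~umask, files get their skel mode OR 0222, then masked) is my reading of how the module arrives at the listings shown above and should be treated as an assumption, as should the hook (Samba's "add user script" or similar) from which you would call restore_skel_modes; GNU stat/chmod are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces why directories under a
# pam_mkhomedir-created home end up 755 and shows a fix-up that re-applies
# the skel tree's own modes afterwards. Everything runs in a temp dir.
set -eu

mode_of() { stat -c '%a' "$1"; }   # GNU stat: octal mode bits of a path

# Throwaway skeleton mimicking the poster's /etc/skel: 644 files, 700
# .maildir with cur/new/tmp chmod'ed to 700, 700 .recyclebin.
make_demo_skel() {
    skel="$1"
    mkdir -p "$skel/.maildir/cur" "$skel/.maildir/new" "$skel/.maildir/tmp" "$skel/.recyclebin"
    : > "$skel/.bashrc"
    : > "$skel/.maildir/cur/.keep"
    chmod 644 "$skel/.bashrc" "$skel/.maildir/cur/.keep"
    chmod 700 "$skel/.maildir" "$skel/.maildir/cur" "$skel/.maildir/new" \
              "$skel/.maildir/tmp" "$skel/.recyclebin"
}

# Model of the pam_mkhomedir copy (assumption, not the module's source):
# every directory is created as 0777 & ~umask, every file as
# (skel mode | 0222) & ~umask. The skel's directory bits never survive,
# which is exactly what the poster saw with umask=0022.
copy_skel_umask_style() {
    skel="$1"; home="$2"; mask="$3"
    dirmode=$(printf '%03o' $(( 0777 & ~0$mask )))
    mkdir -p "$home"
    chmod "$dirmode" "$home"
    (cd "$skel" && find . -mindepth 1) | while IFS= read -r rel; do
        src="$skel/$rel"; dst="$home/$rel"
        if [ -d "$src" ]; then
            mkdir "$dst"
            chmod "$dirmode" "$dst"
        else
            cat "$src" > "$dst"
            m=$(mode_of "$src")
            chmod "$(printf '%03o' $(( (0$m | 0222) & ~0$mask )))" "$dst"
        fi
    done
}

# Post-creation fix-up answering the side question: walk the skel tree and
# copy each entry's mode bits onto the matching entry in the new home. Run
# it as root from whatever hook creates the account (hook not shown; the
# thread mentions Samba's "add user script" as one candidate).
restore_skel_modes() {
    skel="$1"; home="$2"
    (cd "$skel" && find . -mindepth 1) | while IFS= read -r rel; do
        [ -e "$home/$rel" ] || continue
        chmod --reference="$skel/$rel" "$home/$rel"   # GNU chmod
    done
}

# Optional walk-through: ./skel_modes.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_demo_skel "$work/skel"
    copy_skel_umask_style "$work/skel" "$work/home_022" 0022
    echo "umask=0022: .maildir/cur is $(mode_of "$work/home_022/.maildir/cur"), .bashrc is $(mode_of "$work/home_022/.bashrc")"
    copy_skel_umask_style "$work/skel" "$work/home_077" 0077
    echo "umask=0077: .maildir/cur is $(mode_of "$work/home_077/.maildir/cur"), .bashrc is $(mode_of "$work/home_077/.bashrc")"
    restore_skel_modes "$work/skel" "$work/home_022"
    echo "after fix-up: .maildir/cur is $(mode_of "$work/home_022/.maildir/cur"), .bashrc is $(mode_of "$work/home_022/.bashrc")"
    rm -rf "$work"
fi
```

The two copies show the trade-off the last post describes: umask=0022 leaves .maildir/cur 755 while files stay 644, and umask=0077 makes everything owner-only, including any file you deliberately left group- or world-readable in /etc/skel. Re-applying the skel modes after creation is the only one of the three that reproduces the per-entry permissions you actually set, and it is the directory bits that matter for the mail spool: a 755 .maildir lets any local user traverse into it, so whatever the delivery agent later writes with a permissive mode is readable by others.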