Vieri l33t
Joined: 18 Dec 2005 Posts: 901
Posted: Mon Jul 24, 2006 7:59 am Post subject: [PASSED] useradd /etc/skel permissions
I'm probably missing something simple but I'm experiencing a security flaw with my default gentoo installation.
While useradd seems to preserve file permissions in /etc/skel, it doesn't seem to do the same for directories.
/etc/skel contains files and directories with appropriate permissions, e.g.:
-rw-r--r-- 1 root root 127 Feb 28 11:56 .bash_logout
-rw-r--r-- 1 root root 193 Feb 28 11:56 .bash_profile
-rw-r--r-- 1 root root 976 Feb 28 11:56 .bashrc
drwx------ 5 root root 120 Feb 24 08:02 .maildir
drwx------ 2 root root 48 Feb 24 09:50 .recyclebin
-rw-r--r-- 1 root qmail 82 Mar 2 14:16 .qmail.sample
In particular, ls -la /etc/skel/.maildir/*:
/etc/skel/.maildir/cur:
drwxr-xr-x 2 root root 72 Feb 24 08:02 .
-rw-r--r-- 1 root root 0 Mar 2 14:16 .keep
/etc/skel/.maildir/new:
drwxr-xr-x 2 root root 72 Feb 24 08:02 .
-rw-r--r-- 1 root root 0 Mar 2 14:16 .keep
/etc/skel/.maildir/tmp:
drwxr-xr-x 2 root root 72 Feb 24 08:02 .
-rw-r--r-- 1 root root 0 Mar 2 14:16 .keep
First of all, I don't know whether it's safe enough to give permission 755 to dirs cur and new. So I decided to chmod 700 cur, new and tmp.
When a new AD user logs in, its home dir is created with the contents of /etc/skel. File permissions are preserved, directories are not. Supposing the AD user is "biblio":
# ls -la /home/biblio/:
drwxr-xr-x 4 biblio domain users 256 Jul 24 09:43 .
-rw------- 1 biblio domain users 5 Jul 24 09:43 .bash_history
-rw-r--r-- 1 biblio domain users 127 Jul 24 09:43 .bash_logout
-rw-r--r-- 1 biblio domain users 193 Jul 24 09:43 .bash_profile
-rw-r--r-- 1 biblio domain users 976 Jul 24 09:43 .bashrc
drwxr-xr-x 5 biblio domain users 120 Jul 24 09:43 .maildir
drwxr-xr-x 2 biblio domain users 48 Jul 24 09:43 .recyclebin
-rw-r--r-- 1 biblio domain users 82 Jul 24 09:43 .qmail.sample
# ls -la /home/biblio/.maildir/*:
/home/biblio/.maildir/cur:
drwxr-xr-x 2 biblio domain users 72 Jul 24 09:43 .
-rw-r--r-- 1 biblio domain users 0 Jul 24 09:43 .keep
/home/biblio/.maildir/new:
drwxr-xr-x 2 biblio domain users 72 Jul 24 09:43 .
-rw-r--r-- 1 biblio domain users 0 Jul 24 09:43 .keep
/home/biblio/.maildir/tmp:
drwxr-xr-x 2 biblio domain users 72 Jul 24 09:43 .
-rw-r--r-- 1 biblio domain users 0 Jul 24 09:43 .keep
cur, new and tmp have mode 755 instead of the 700 I set in /etc/skel.
How can that be?
Can someone reproduce the same behavior?
Side question:
is there a simple way of running specific commands as root (such as chmod, etc) right after each "useradd call" (to fix certain permissions)?
man useradd doesn't seem to say much on this.
/etc/default/useradd has:
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
A similar post was found here:
https://forums.gentoo.org/viewtopic-t-391640-highlight-useradd+permissions.html
In my case user authentication is done through winbind and a Windows 2003 AD.
[EDIT]
# umask -S
u=rwx,g=rx,o=rx
However I only want to change umask for a specific directory and I don't think this is possible.
Last edited by Vieri on Wed Jul 26, 2006 8:53 pm; edited 2 times in total
Janne Pikkarainen Veteran
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
Posted: Mon Jul 24, 2006 8:19 am Post subject:
During my short test I was unable to reproduce this one with just useradd.
Code:
jaba skel # mkdir .test && chmod 700 .test
jaba skel # ls -lah
total 17K
drwxr-xr-x 3 root root 160 Jul 24 11:15 .
drwxr-xr-x 72 root root 4.6K Jul 24 11:15 ..
-rw-r--r-- 1 root root 127 Apr 26 20:22 .bash_logout
-rw-r--r-- 1 root root 193 Apr 26 20:22 .bash_profile
-rw-r--r-- 1 root root 976 Apr 26 20:22 .bashrc
drwx------ 2 root root 48 Jul 24 11:15 .test
jaba skel # useradd -m johndoe
jaba skel # ls -lah ~johndoe
total 12K
drwxr-xr-x 3 johndoe johndoe 160 Jul 24 11:15 .
drwxr-xr-x 9 root root 224 Jul 24 11:15 ..
-rw-r--r-- 1 johndoe johndoe 127 Jul 24 11:15 .bash_logout
-rw-r--r-- 1 johndoe johndoe 193 Jul 24 11:15 .bash_profile
-rw-r--r-- 1 johndoe johndoe 976 Jul 24 11:15 .bashrc
drwx------ 2 johndoe johndoe 48 Jul 24 11:15 .test
jaba skel # userdel -r johndoe
Maybe winbind sets up some of its own permissions and overrides the ones in /etc/skel?
Vieri l33t
Joined: 18 Dec 2005 Posts: 901
Posted: Mon Jul 24, 2006 9:41 am Post subject:
Thanks for your feedback.
You're right, samba/winbind is the one creating the home dirs in my case, not sys-apps/shadow-4.0.7-r4's useradd.
The /etc/samba/smb.conf part says:
# template homedir determines the home directory for winbind users, with
# %D expanding to their domain name and %U expanding to their username:
; template homedir = /home/%D/%U
template homedir = /home/%U
# When using winbind, you may want to have samba create home directories
# on the fly for authenticated users. Ensure that /etc/pam.d/samba is
# using 'service=system-auth-winbind' in pam_stack modules, and then
# enable obedience of pam restrictions below:
obey pam restrictions = yes
#
# template shell determines the shell users authenticated by winbind get
; template shell = /bin/bash
template shell = /bin/sh
# The add user script is used by a domain member to add local user accounts
# that have been authenticated by the domain controller, or when adding
# users via the Windows NT Tools (ie User Manager for Domains).
# Scripts for file (passwd, smbpasswd) backend:
; add user script = /usr/sbin/useradd -s /bin/false '%u'
; delete user script = /usr/sbin/userdel '%s'
; add user to group script = /usr/bin/gpasswd -a '%u' '%g'
; delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
; set primary group script = /usr/sbin/usermod -g '%g' '%u'
; add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print
; delete group script = /usr/sbin/groupdel '%g'
However, I'm unsure what my best options are: upgrade winbind/samba to an ~unstable version or use "add user script".
Janne Pikkarainen Veteran
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
Posted: Mon Jul 24, 2006 9:47 am Post subject:
How about Samba's directory mask and directory security mask parameters? See man smb.conf for details.
Vieri l33t
Joined: 18 Dec 2005 Posts: 901
Posted: Mon Jul 24, 2006 11:15 am Post subject:
Actually, I've pinpointed it down to:
PAM.D File: system-auth (using winbind-provided pam.d system-auth)
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
So I guess I have to fiddle with pam_mkhomedir.
Vieri l33t
Joined: 18 Dec 2005 Posts: 901
Posted: Mon Jul 24, 2006 12:02 pm Post subject:
I guess changing the following in system-auth pam.d is enough although not exactly what I was looking for:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
This makes sure all files and directories can only be read/written by the user. But if I create a world readable/writeable file in /etc/skel/ it will not be kept that way in the user's home dir because the umask is applied.
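As an added example, not code from the thread or from any of the posters: the thread ends with two open points, the side question of running a root command right after account creation to fix permissions, and the finding that pam_mkhomedir creates the home directory under its own umask rather than keeping the directory modes set in /etc/skel. The POSIX shell script below covers both: skel_mode_diff lists every file or directory under a skel tree whose counterpart in a home directory has a different mode (an audit of homes already created with umask=0022), and sync_skel_modes re-applies the skel modes. It assumes GNU coreutils stat (-c '%a'), that it is run as root when touching another user's home, and that the caller wires it in after home creation (for instance from the winbind "add user script" shown above, or by hand); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report and repair mode drift between
# a skel directory and a home directory created from it, e.g. by
# pam_mkhomedir, which applies its umask instead of keeping the skel
# directory modes. Assumes GNU coreutils stat; run as root to chmod a
# home owned by another user. Function names are this example's own.

# Print "skel_mode home_mode path" for every regular file or directory
# under $1 (skel) whose counterpart under $2 (home) exists but carries a
# different mode. Symlinks and special files are skipped. Entries are read
# line by line, so names containing a newline are not supported.
skel_mode_diff() {
    skel=${1%/}
    home=${2%/}
    find "$skel" -mindepth 1 \( -type d -o -type f \) -print |
    while IFS= read -r src; do
        rel=${src#"$skel"/}
        dst=$home/$rel
        [ -e "$dst" ] || continue        # not copied into this home; nothing to fix
        want=$(stat -c '%a' "$src")
        have=$(stat -c '%a' "$dst")
        [ "$want" = "$have" ] || printf '%s %s %s\n' "$want" "$have" "$dst"
    done
}

# Apply the skel mode to every drifted entry reported by skel_mode_diff.
# Only the mode is changed; ownership assigned at creation time is kept.
# The path is read last so that paths containing spaces survive word splitting.
sync_skel_modes() {
    skel_mode_diff "$1" "$2" |
    while read -r want have dst; do
        chmod "$want" "$dst" && printf 'fixed %s: %s -> %s\n' "$dst" "$have" "$want"
    done
}

# Usage when run as a script: sync_skel_modes.sh /etc/skel /home/biblio
case $# in
    2) sync_skel_modes "$1" "$2" ;;
esac
```

With the thread's numbers, a home created by pam_mkhomedir with umask=0022 from a skel whose .maildir/cur, new and tmp are 700 shows up as three "700 755 ..." lines in skel_mode_diff, and sync_skel_modes puts them back to 700 without touching the 644 dotfiles that the umask left intact. Note that this restores modes after the fact; for the brief window between creation and the fix, the directories are still world-readable, which is why the umask=0077 change above is the safer default and this script is a complement for entries that should be more open than the umask allows.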