[patch] pam_mkhomedir sgid support

We just switched to LDAP authentication, and use pam_mkhomedir to create
directories on the first login.  However, the standard pam_mkhomedir does
not support our security model.  We have each user's home directory owned
by group www-data and mode 750, so apache can read user web pages, but
users cannot look into other users' home directories.  The attached patch
significantly changes the behavior of pam_mkhomedir.

The umask is only used in the creation of the homedir itself.  For
everything else, it copies the permissions of the source file in the skel
directory.  SUID and sticky are never set.  SGID is set only for
directories in the skel directory which have SGID set, never for files or
the homedir itself.

If the current directory being acted on is the homedir, and the parent
directory has the SGID bit set, then group ownership of the homedir is
taken from the parent directory.  Otherwise, group ownership of the
homedir is the primary group of the user.

The patch looks big, but it's mostly duplication of code, with slight
variations for different situations.  I was worried more about having it
working and readable than about shrinking it.

-- 
Marshal Newrock, Simon's Rock College of Bard
Caution: product may be hot after heating


[Attachment: pam_mkhomedir-sgid.patch]
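The mode and group rules described in the message above, as an added C example that is not taken from the attached patch. The function names, the 0777 base mode for the homedir, and the sample gids are assumptions made for illustration.

```c
/* Added example, not the code from the attached patch. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Mode for an entry copied out of the skel directory: the source's
 * permission bits, never SUID or sticky, SGID only on directories. */
mode_t skel_dest_mode(mode_t src_mode)
{
    mode_t mode = src_mode & (S_IRWXU | S_IRWXG | S_IRWXO);
    if (S_ISDIR(src_mode) && (src_mode & S_ISGID))
        mode |= S_ISGID;
    return mode;
}

/* Mode for the homedir itself: the only place the umask applies.
 * Assumption: 0777 is the base mode the umask is applied to. */
mode_t homedir_mode(mode_t umask_bits)
{
    return (S_IRWXU | S_IRWXG | S_IRWXO) & ~umask_bits;
}

/* Group for the homedir: inherited from an SGID parent directory,
 * otherwise the user's primary group. */
gid_t homedir_group(const struct stat *parent, gid_t primary_gid)
{
    return (parent->st_mode & S_ISGID) ? parent->st_gid : primary_gid;
}

int main(void)
{
    /* Constructed inputs: parent dir is mode 2755 with gid 33,
     * the user's primary gid is 1000, the umask is 027. */
    struct stat parent = { .st_mode = S_IFDIR | 02755, .st_gid = 33 };
    printf("homedir   mode %04o gid %d\n", (unsigned)homedir_mode(027),
           (int)homedir_group(&parent, 1000));
    printf("skel dir  mode %04o\n", (unsigned)skel_dest_mode(S_IFDIR | 03770));
    printf("skel file mode %04o\n", (unsigned)skel_dest_mode(S_IFREG | 06755));
    return 0;
}
```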




