
Thread: Give users Read, Modify but not delete on Samba server

  1. #21

    Re: Give users Read, Modify but not delete on Samba server

    Hi

    Code:
    pam_umask.so [debug] [silent] [usergroups] [umask=mask]
    
    ·   umask= argument
    ·   UMASK entry from /etc/login.defs
    I see. I was under the impression that the umask you highlighted in red was the parameter passed to pam_umask.so that I have highlighted above. I thought it fell through to the option I have highlighted in green.

    Working through the configuration files...

    Code:
    matthew@matthew-Aspire-7540:~$ grep -i umask /etc/skel/.profile 
    # the default umask is set in /etc/profile; for setting the umask
    # for ssh logins, install and configure the libpam-umask package.
    #umask 022
    matthew@matthew-Aspire-7540:~$
    Code:
    matthew@matthew-Aspire-7540:~$ grep -i umask /etc/profile
    # The default umask is now handled by pam_umask.
    # See pam_umask(8) and /etc/login.defs.
    matthew@matthew-Aspire-7540:~
    Code:
    DESCRIPTION
           pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created
           files.
    
           The PAM module tries to get the umask value from the following places in the following order:
    
           ·   umask= argument
    
           ·   umask= entry of the users GECOS field
    
           ·   pri= entry of the users GECOS field
    
           ·   ulimit= entry of the users GECOS field
    
           ·   UMASK= entry from /etc/default/login
    
           ·   UMASK entry from /etc/login.defs
    Code:
    matthew@matthew-Aspire-7540:~$ egrep -i "umask|USERGROUPS_ENAB" /etc/login.defs
    #       UMASK           Default "umask" value.
    # UMASK is the default umask value for pam_umask and is used by
    # 022 is the "historical" value in Debian for UMASK
    # If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
    UMASK           022
    # Enable setting of the umask group bits to be the same as owner bits
    USERGROUPS_ENAB yes
    matthew@matthew-Aspire-7540:~$
    I came across this a while ago when I found out that motd has gone to pam (I wanted to customise my ssh motd).

    I have not worked through the boot process of these scripts so I am not sure if this is redundant or the new way to define umask.

    I will look into this.

    Kind regards
    Last edited by matt_symes; March 3rd, 2012 at 01:55 AM.
    If you believe everything you read, you better not read. ~ Japanese Proverb

    If you don't read the newspaper, you're uninformed. If you read the newspaper, you're mis-informed. - Mark Twain

  2. #22

    Re: Give users Read, Modify but not delete on Samba server

    Let us know what you find. Right now I have a functioning server and am loath to make changes to it. But, as Ubuntu (and Debian itself) changes so must we. Time to put my thinking cap on...
    Last edited by bab1; March 3rd, 2012 at 03:22 AM.
    -BAB1

  3. #23

    Re: Give users Read, Modify but not delete on Samba server

    @matt_symes,

    This appears to be a "Tempest in a Teapot". The PAM module (pam_umask.so) does indeed provide consistent umask values across all applications (shell or no). It uses the value of the last value check as you suspected, but... at least on my servers, the only line that has any value is the one I highlighted before. All the others are nonexistent or commented out by default (e.g. /etc/login.defs). On my machines this is the line (in context):
    Code:
    # UMASK usage is discouraged because it catches only some classes of user
    # entries to system, in fact only those made through login(1), while setting
    # umask in shell rc file will catch also logins through su, cron, ssh etc.
    #
    # At the same time, using shell rc to set umask won't catch entries which use
    # non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp"
    # user and alike.
    #
    # Therefore the use of pam_umask is recommended as the solution which
    # catches all these cases on PAM-enabled systems.
    # 
    # This avoids the confusion created by having the umask set
    # in two different places -- in login.defs and shell rc files (i.e.
    # /etc/profile).
    #
    # For discussion, see #314539 and #248150 as well as the thread starting at
    # http://lists.debian.org/debian-devel/2005/06/msg01598.html
    #
    # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
    #
    ERASECHAR	0177
    KILLCHAR	025
    # 022 is the "historical" value in Debian for UMASK when it was used
    # 027, or even 077, could be considered better for privacy
    # There is no One True Answer here : each sysadmin must make up his/her
    # mind.
    #UMASK		022
    So what we have is a pam_umask that by default applies the value set in /etc/profile across all instances that umask is needed. A long and winding road indeed.

    I'm interested in what you find on your machines.

    Last edited by bab1; March 3rd, 2012 at 03:49 AM.
    -BAB1
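
To compare the two machines discussed in this thread, the sketch below walks the mask-bearing sources in the order the quoted pam_umask(8) text lists them and reports which one supplies the umask, then applies the usergroups adjustment. It is an added example, not code from any post here or from the PAM project; the function names and sample file names are made up, the GECOS pri= and ulimit= entries are left out because the example only looks for mask values, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: find which source supplies the umask, in pam_umask(8) order.
# Paths are arguments so the audit can run against copies of the real files.

pam_arg() {      # umask= on an active (uncommented) pam_umask.so line
    sed -n '/^[[:space:]]*#/d; /pam_umask\.so/s/.*[[:space:]]umask=\([0-7]\{1,4\}\).*/\1/p' "$1" 2>/dev/null | head -n 1
}
gecos_arg() {    # umask= entry in the comma-separated GECOS field
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^umask=\([0-7]\{1,4\}\)$/\1/p' | head -n 1
}
login_arg() {    # UMASK=value in /etc/default/login
    sed -n 's/^[[:space:]]*UMASK=\([0-7]\{1,4\}\).*/\1/p' "$1" 2>/dev/null | head -n 1
}
defs_arg() {     # "UMASK value" in /etc/login.defs; "#UMASK 022" does not count
    sed -n 's/^[[:space:]]*UMASK[[:space:]]\{1,\}\([0-7]\{1,4\}\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# resolve_umask PAM_FILE GECOS DEFAULT_LOGIN LOGIN_DEFS -> prints "source mask"
resolve_umask() {
    v=$(pam_arg "$1");   if [ -n "$v" ]; then echo "pam-argument $v"; return 0; fi
    v=$(gecos_arg "$2"); if [ -n "$v" ]; then echo "gecos $v"; return 0; fi
    v=$(login_arg "$3"); if [ -n "$v" ]; then echo "default-login $v"; return 0; fi
    v=$(defs_arg "$4");  if [ -n "$v" ]; then echo "login.defs $v"; return 0; fi
    echo "none -"
}

# usergroups MASK USER GROUP UID: per pam_umask(8), for a non-root user whose
# name equals the primary group name, group bits copy the owner bits (022 -> 002).
usergroups() {
    m=$((0$1))
    if [ "$4" -ne 0 ] && [ "$2" = "$3" ]; then
        m=$(( (m & 0707) | (((m >> 6) & 7) << 3) ))
    fi
    printf '%03o\n' "$m"
}

# Constructed sample files mirroring the two login.defs variants in the thread.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf 'session optional pam_umask.so\n' > "$d/common-session"
printf '# UMASK is the default umask value\nUMASK           022\n' > "$d/defs.active"
printf '# 022 is the "historical" value\n#UMASK\t\t022\n' > "$d/defs.commented"

resolve_umask "$d/common-session" "" "$d/missing" "$d/defs.active"
resolve_umask "$d/common-session" "" "$d/missing" "$d/defs.commented"
usergroups 022 matthew matthew 1000
```

On a real host, pass copies of the PAM session file, the user's GECOS string from the passwd database, /etc/default/login and /etc/login.defs as the four arguments.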
