Give users Read, Modify but not delete on Samba server

**matt_symes** · March 3rd, 2012

Hi

Code:

pam_umask.so [debug] [silent] [usergroups] [umask=mask]

·   umask= argument
·   UMASK entry from /etc/login.defs

I see. I was under the impression that the umask you highlighted in red was the parameter passed to pam_umask.so that i have highlighted above. I thought it fell through to the option i have highlighted in green.

Working through the configuration files...

Code:

matthew@matthew-Aspire-7540:~$ grep -i umask /etc/skel/.profile 
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
matthew@matthew-Aspire-7540:~$

Code:

matthew@matthew-Aspire-7540:~$ grep -i umask /etc/profile
# The default umask is now handled by pam_umask.
# See pam_umask(8) and /etc/login.defs.
matthew@matthew-Aspire-7540:~

Code:

DESCRIPTION
       pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created
       files.

       The PAM module tries to get the umask value from the following places in the following order:

       ·   umask= argument

       ·   umask= entry of the users GECOS field

       ·   pri= entry of the users GECOS field

       ·   ulimit= entry of the users GECOS field

       ·   UMASK= entry from /etc/default/login

       ·   UMASK entry from /etc/login.defs

Code:

matthew@matthew-Aspire-7540:~$ egrep -i "umask|USERGROUPS_ENAB" /etc/login.defs
#       UMASK           Default "umask" value.
# UMASK is the default umask value for pam_umask and is used by
# 022 is the "historical" value in Debian for UMASK
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
UMASK           022
# Enable setting of the umask group bits to be the same as owner bits
USERGROUPS_ENAB yes
matthew@matthew-Aspire-7540:~$

I came accross this a while ago when i found out that motd has gone to pam (i wanted to customise my ssh motd).

I have not worked through the boot process of these scripts so i am not sure if this is redundant or the new way to define umask.

I will look into this.

Kind regards

**bab1** · March 3rd, 2012

Originally Posted by matt_symes

Hi

Code:

pam_umask.so [debug] [silent] [usergroups] [umask=mask]

·   umask= argument
·   UMASK entry from /etc/login.defs

I see. I was under the impression that the umask you highlighted in red was the parameter passed to pam_umask.so that i have highlighted above. I thought it fell through to the option i have highlighted in green.

Working through the configuration files...

Code:

matthew@matthew-Aspire-7540:~$ grep -i umask /etc/skel/.profile 
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
matthew@matthew-Aspire-7540:~$

Code:

matthew@matthew-Aspire-7540:~$ grep -i umask /etc/profile
# The default umask is now handled by pam_umask.
# See pam_umask(8) and /etc/login.defs.
matthew@matthew-Aspire-7540:~

Code:

DESCRIPTION
       pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created
       files.

       The PAM module tries to get the umask value from the following places in the following order:

       ·   umask= argument

       ·   umask= entry of the users GECOS field

       ·   pri= entry of the users GECOS field

       ·   ulimit= entry of the users GECOS field

       ·   UMASK= entry from /etc/default/login

       ·   UMASK entry from /etc/login.defs

Code:

matthew@matthew-Aspire-7540:~$ egrep -i "umask|USERGROUPS_ENAB" /etc/login.defs
#       UMASK           Default "umask" value.
# UMASK is the default umask value for pam_umask and is used by
# 022 is the "historical" value in Debian for UMASK
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
UMASK           022
# Enable setting of the umask group bits to be the same as owner bits
USERGROUPS_ENAB yes
matthew@matthew-Aspire-7540:~$

I came accross this a while ago when i found out the motd has gone to pam (i wanted to customise my ssh motd).

I have not worked through the boot process of these scripts so i am not sure if this is redundant or the new way to define umask.

I will look into this.

Kind regards

let us know what you find. Right now I have a functioning server and loathe to make changes to it. But, as Ubuntu (and Debian itself) changes so must we. Time to put my thinking cap on...

**bab1** · March 3rd, 2012

@matt_symes,

This appears to be a "Tempest in a Teapot". The PAM module (pam_umask.so) does indeed provide consistent umask values across all applications (shell or no). It uses the value of the last value check as you suspected, but.... at least on my servers, the only line that has any value is the one I highlighted before. All the others are non existent or commented out by default (e.g /etc/login.defs). On my machines this is the line (in context)

Code:

# UMASK usage is discouraged because it catches only some classes of user
# entries to system, in fact only those made through login(1), while setting
# umask in shell rc file will catch also logins through su, cron, ssh etc.
#
# At the same time, using shell rc to set umask won't catch entries which use
# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp"
# user and alike.
#
# Therefore the use of pam_umask is recommended as the solution which
# catches all these cases on PAM-enabled systems.
# 
# This avoids the confusion created by having the umask set
# in two different places -- in login.defs and shell rc files (i.e.
# /etc/profile).
#
# For discussion, see #314539 and #248150 as well as the thread starting at
# http://lists.debian.org/debian-devel/2005/06/msg01598.html
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR	0177
KILLCHAR	025
# 022 is the "historical" value in Debian for UMASK when it was used
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
#UMASK		022

So what we have is a pam_umask that by default applies the value set in /etc/profile across all instances that umask is needed. A long and winding road indeed.

I'm interested in what you find on your machines.

Originally Posted by matt_symes

Hi

Code:

pam_umask.so [debug] [silent] [usergroups] [umask=mask]

·   umask= argument
·   UMASK entry from /etc/login.defs

I see. I was under the impression that the umask you highlighted in red was the parameter passed to pam_umask.so that i have highlighted above. I thought it fell through to the option i have highlighted in green.

Working through the configuration files...

Code:

matthew@matthew-Aspire-7540:~$ grep -i umask /etc/skel/.profile 
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
matthew@matthew-Aspire-7540:~$

Code:

matthew@matthew-Aspire-7540:~$ grep -i umask /etc/profile
# The default umask is now handled by pam_umask.
# See pam_umask(8) and /etc/login.defs.
matthew@matthew-Aspire-7540:~

Code:

DESCRIPTION
       pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created
       files.

       The PAM module tries to get the umask value from the following places in the following order:

       ·   umask= argument

       ·   umask= entry of the users GECOS field

       ·   pri= entry of the users GECOS field

       ·   ulimit= entry of the users GECOS field

       ·   UMASK= entry from /etc/default/login

       ·   UMASK entry from /etc/login.defs

Code:

matthew@matthew-Aspire-7540:~$ egrep -i "umask|USERGROUPS_ENAB" /etc/login.defs
#       UMASK           Default "umask" value.
# UMASK is the default umask value for pam_umask and is used by
# 022 is the "historical" value in Debian for UMASK
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
UMASK           022
# Enable setting of the umask group bits to be the same as owner bits
USERGROUPS_ENAB yes
matthew@matthew-Aspire-7540:~$

I came accross this a while ago when i found out that motd has gone to pam (i wanted to customise my ssh motd).

I have not worked through the boot process of these scripts so i am not sure if this is redundant or the new way to define umask.

I will look into this.

Kind regards

Thread: Give users Read, Modify but not delete on Samba server

Thread Tools

Display

Re: Give users Read, Modify but not delete on Samba server

Re: Give users Read, Modify but not delete on Samba server

Re: Give users Read, Modify but not delete on Samba server

Bookmarks

Bookmarks

Posting Permissions