Page MenuHomeFreeBSD
Differential D46443

pw: set the user's home directory mode if it existed
AcceptedPublic
Actions

Authored by kevans on Aug 26 2024, 11:10 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 8, 12:18 AM
Unknown Object (File)
Tue, Oct 29, 2:51 PM
Unknown Object (File)
Oct 14 2024, 2:19 AM
Unknown Object (File)
Oct 4 2024, 3:52 AM
Unknown Object (File)
Oct 3 2024, 5:18 PM
Unknown Object (File)
Oct 3 2024, 3:23 PM
Unknown Object (File)
Sep 20 2024, 3:47 PM
Unknown Object (File)
Sep 11 2024, 3:45 PM
View All 22 Files
Subscribers
grahamperrin
guest-patmaddox
imp
john.grafton_runbox.com

Details

Reviewers
des
jlduran
Summary

The adduser(8) prompt allows one to set the mode of a new home
directory, but pw(8) doesn't honor the -M mode if the home directory
already exists at creation time. It doesn't seem to make sense to
ignore the mode (which may lead to a security issue on the system being
configured) when we'll happily chown an existing directory, so fix the
inconsistency.

PR: 280099

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

kevans created this revision.Aug 26 2024, 11:10 PM
Herald added a subscriber: imp. · View Herald TranscriptAug 26 2024, 11:10 PM
kevans requested review of this revision.Aug 26 2024, 11:10 PM
Harbormaster completed remote builds in B59187: Diff 142471.Aug 26 2024, 11:10 PM
jlduran accepted this revision.EditedAug 26 2024, 11:26 PM

Note that pw useradd/usermod -M should have a similar fix.
I'll see if adding a test is feasible (over the weekend).
Thank you!

Could you also change the manpage to indicate that:

.It Fl M Ar mode
Create the home directory with permissions set to
.Ar mode ,
modified by the current
.Xr umask 2 .

To match pw(8)'s description. And let users know that if they try -M 0777, and the umask is 022 (default), they'll still get 0755.

This revision is now accepted and ready to land.Aug 26 2024, 11:26 PM
jlduran added a comment.Aug 27 2024, 1:38 AM

draft_test.patch1 KBDownload
First draft of test.

grahamperrin added a subscriber: grahamperrin.Aug 27 2024, 6:42 AM
kevans added a comment.Aug 27 2024, 2:50 PM
In D46443#1058744, @jlduran_gmail.com wrote:

draft_test.patch1 KBDownload
First draft of test.

JFYI- I can't see what this is referencing. In the "Referenced Files" section on the right, I can see:

Restricted File
Mon, Aug 26, 20:38

which lines up with the timestamp on your comment, so I guess permissions aren't set on it somehow.

jlduran attached a referenced file: F92074069: draft_test.patch. (Show Details)Aug 27 2024, 2:53 PM
In D46443#1058814, @kevans wrote:
In D46443#1058744, @jlduran_gmail.com wrote:

draft_test.patch1 KBDownload
First draft of test.

JFYI- I can't see what this is referencing. In the "Referenced Files" section on the right, I can see:

Restricted File
Mon, Aug 26, 20:38

which lines up with the timestamp on your comment, so I guess permissions aren't set on it somehow.

Forgive my ignorance on Phabricator, I believe it is OK now.

kevans updated this revision to Diff 142515.Aug 27 2024, 3:34 PM

Test looks reasonable to me, incorporating it as:

commit 73f91ff94577a61194702b9f5235233aa4aa7d2c
Author: Jose Luis Duran <jlduran@gmail.com>
Date:   Tue Aug 27 10:03:09 2024 -0500

    pw: tests: add a test for -M with a pre-existing home directory
    
    Previous versions of pw(8) wouldn't chmod the home directory if it
    already existed prior to user creation, rendering adduser(8) -M
    ineffective in some cases.  Add a test to cover that situation.
    
    PR:             280099

While we're here, note in the adduser(8) documentation that -M is subject to the process umask.

This revision now requires review to proceed.Aug 27 2024, 3:34 PM
kevans added a comment.Aug 27 2024, 3:35 PM
In D46443#1058815, @jlduran_gmail.com wrote:
In D46443#1058814, @kevans wrote:
In D46443#1058744, @jlduran_gmail.com wrote:

draft_test.patch1 KBDownload
First draft of test.

JFYI- I can't see what this is referencing. In the "Referenced Files" section on the right, I can see:

Restricted File
Mon, Aug 26, 20:38

which lines up with the timestamp on your comment, so I guess permissions aren't set on it somehow.

Forgive my ignorance on Phabricator, I believe it is OK now.

IMO for a review tool, it's weird that the permissions of an attached file didn't default to the permissions of the review object it's being attached to. That's not the kind of thing I'd expect to have to audit as an uploader when I'm trying to participate in a review.

des requested changes to this revision.Aug 27 2024, 4:21 PM
des added inline comments.
usr.sbin/pw/cpdir.c
63

We should warn if this fails, imo.

This revision now requires changes to proceed.Aug 27 2024, 4:21 PM
kevans added inline comments.Aug 27 2024, 4:46 PM
usr.sbin/pw/cpdir.c
63

I had considered the same, but couldn't reconcile that with also failing to check either of the below fchownat/chflagsat. Probably all three should be checked.

john.grafton_runbox.com added a subscriber: john.grafton_runbox.com.Aug 28 2024, 5:22 PM
kevans updated this revision to Diff 142581.Aug 29 2024, 2:37 AM

Issue warnings for any permission change failures- they're not fatal, but the admin should know about them in case there's a legitimate issue.

des accepted this revision.Aug 29 2024, 9:54 AM
This revision is now accepted and ready to land.Aug 29 2024, 9:54 AM
guest-patmaddox added a subscriber: guest-patmaddox.Sep 19 2024, 5:09 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
adduser/
6 lines
pw/
27 lines
tests/
16 lines

Diff 142581

View Options

usr.sbin/adduser/adduser.8

Loading...
View Options

usr.sbin/pw/cpdir.c

Loading...
View Options

usr.sbin/pw/tests/pw_useradd_test.sh

Loading...