On Mon, Apr 15, 2019 at 03:11:13PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> Afaik it should be possible to set a user's umask by putting something
> like "umask=0007" in the GECOS field in combination with pam_umask.so.
> pam_umask.so seems to be present on our systems. What I do not know is in
> which file (at which exact position) I would have to put "session optional
> pam_umask.so".

I think the exact position in the 'session' block does not matter. Only
if you want the umask setting to already apply to some of the other PAM
modules in the session block do you have to add it before those
modules.

The right file depends on your use case. First, all files in /etc/pam.d
are managed somehow. The service files like e.g. /etc/pam.d/login or
/etc/pam.d/sshd are owned by the package of the service. Files like
/etc/pam.d/password-auth on Fedora/RHEL/CentOS are managed by authconfig
or authselect.

With authselect you can add your own profile and if your system already
supports authselect I would recommend this way. In all other cases you
have to modify one or more files in /etc/pam.d directly and take care
that the changes are still present after updates.

> Should it work in general or would pam_umask.so only respect the GECOS field
> of local users?

pam_umask uses getpwnam_r() to get the user data, so it should work in
general.

HTH
bye,
Sumit
>
> Cheers,
> Ronald
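
The two points discussed in this thread (a `umask=` entry in the GECOS field, and where `pam_umask.so` sits in the session stack) can be checked with a short shell script. This is an added example, not part of the original messages; the function names and the sample stack are constructed, and it assumes GECOS entries are comma-separated.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the first "umask=" entry of a comma-separated GECOS string.
# Exit status 1 if there is no such entry with an octal value.
gecos_umask() {
    printf '%s\n' "$1" | awk -F',' '{
        for (i = 1; i <= NF; i++)
            if (tolower(substr($i, 1, 6)) == "umask=" && substr($i, 7) ~ /^[0-7]+$/) {
                print substr($i, 7); found = 1; exit
            }
    } END { exit !found }'
}

# Print the session modules a PAM file lists before pam_umask.so, i.e. the
# ones that run before the umask is set. Exit status 1 if this file has no
# pam_umask.so session line (it may still arrive through an include).
session_before_umask() {
    awk '
        { sub(/#.*/, "") }                               # strip comments
        $1 != "session" && $1 != "-session" { next }     # other stacks
        {
            i = 2                                        # control field
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            mod = $(i + 1)
            if (mod == "pam_umask.so" || mod ~ /\/pam_umask\.so$/) { found = 1; exit }
            pre = ($i == "include" || $i == "substack") ? $i ":" : ""
            print pre mod
        }
        END { exit !found }' "$1"
}

# Constructed sample of a service file's stack.
sample_stack() {
    cat <<'EOF'
#%PAM-1.0
auth       include      password-auth
session    required     pam_selinux.so close
-session   optional     pam_systemd.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session    optional     pam_umask.so
session    required     pam_unix.so
EOF
}

tmp=$(mktemp) && sample_stack > "$tmp"
session_before_umask "$tmp"
gecos_umask "Ronald Example,,,,umask=0007"
rm -f "$tmp"
```

On a live host, pass `$(getent passwd USER | cut -d: -f5)` to `gecos_umask`; `getent` resolves through NSS, so the check covers users from the directory as well as local ones.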