LinuxQuestions.org


PreguntoYo 03-31-2024 11:38 AM

How do I set file permissions using PAM?
 
Hello:

I'm using Slackware 15.0 stable, and I'm trying to set my file's permissions using PAM.

I want something like this:

foo.file: rw-rw----

Because all my files belong to my own personal group.

I've edited /etc/pam.d/system.auth adding this at the end:

Code:

session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1000
session optional pam_umask.so umask=0007

And... it didn't work. The idea here was that all my new files would be created rw-rw----, directories drw-rw---- and I'd set something more specific if need be.

Can anyone help, please?

jayjwa 03-31-2024 12:58 PM

Maybe try 0006? I don't use PAM for this, but mine is 0066 for rw-------.

henca 03-31-2024 01:42 PM

Why try to set the umask with pam? Why not simply set the umask with a login script below /etc/profile.d or in your home directory? Another option would be to edit the umask setting in /etc/profile or whatever file your shell is using.

regards Henrik

0XBF 03-31-2024 07:55 PM

Perhaps try a test without the 'pam_succeed_if' line. Usually "succeed" means if you pass the test, your authentication is deemed as "succeeded" and pam exits the stack, without running further lines. You could also try removing the "quiet" and adding "debug" temporarily to get a little more verbose logging in /var/log/secure. Might find something helpful there as to how pam is handling things.

However, the default umask gets set in the /etc/profile script and would be easier to change there, no?

PreguntoYo 04-01-2024 12:57 PM

Hello:

I have other Linux distros installed on different disks in another system. Sometimes I take things that I like from them and try them in Slackware. If I like them, I'll keep them.

This experiment came from openSUSE:

https://en.opensuse.org/SDB:Set_UMASK

I know that there are other ways to change my umask: /etc/profile, files /etc/profile.d, .bashrc, etc.

I wanted to get more familiar with PAM, also I wanted to put it to practical use (now that it is included in Slackware).

I've had a first fast read of some of PAM's man pages, but some man pages are written more clearly than others.

I figured /etc/pam.d/system.auth would be the correct file to edit, I'm aware that this file could be overwritten in an update.

Anyway, I'm still open to suggestions.


Greetings to all of you.

0XBF 04-01-2024 03:00 PM

Did you disable setting the umask via /etc/profile then? (And any other login scripts).

I would imagine that any changes made to the umask at the pam stage would be overridden later once bash starts up and sources its profile scripts. That article you linked may call profile scripts obsolete, but they are still used and sourced on Slackware.

Adding 'debug' to those lines would show in the logs what pam is doing. My guess would be bash is still changing umask back to system default via /etc/profile though.

GazL 04-01-2024 05:11 PM

Quote:

Originally Posted by 0XBF (Post 6493276)
Perhaps try a test without the 'pam_succeed_if' line. Usually "succeed" means if you pass the test, your authentication is deemed as "succeeded" and pam exits the stack, without running further lines.

I think you're thinking of "sufficient" there.

Anyway, the pam lines look reasonable, so I share your guess that it's being set and subsequently overwritten by the profile or Xsession files.

wpeckham 04-01-2024 06:53 PM

PAM is a Pluggable Authentication Module system. PAM is not the place where you should decide to make file system ownership or permission changes; that is not what it is for.

You could script this and call it on boot from almost any flavor of CRON system, or from the logon start scripts. That would make better sense. (Depending upon WHY you want this, of course.)

0XBF 04-02-2024 06:50 AM

Quote:

Originally Posted by GazL (Post 6493485)
I think you're thinking of "sufficient" there.

Anyway, the pam lines look reasonable, so I share your guess that it's being set and subsequently overwritten by the profile or Xsession files.

Indeed I was. A while back I had a pam_succeed_if module paired with "sufficient" on another machine where I was trying to run a root account outside of elogind. In OP's case I don't think that is the problem because of the "[default=1 success=ignore]" condition. A debug log should show pam setting umask, which would then point us to look elsewhere like profile scripts.
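
The diagnosis the thread converges on (pam_umask sets the mask, then a profile script resets it) can be checked with a short script. This is an added example, not part of any post; the function names `perms_for` and `find_umask_overrides` and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: what a umask yields, and where login scripts reset it.

# perms_for UMASK KIND: octal mode of a new file (KIND=f, base 666)
# or directory (KIND=d, base 777) created under UMASK.
perms_for() {
    case $1 in ''|*[!0-7]*) echo "bad umask: $1" >&2; return 2 ;; esac
    base=666
    [ "$2" = d ] && base=777
    printf '%03o\n' $(( 0$base & ~0$1 ))
}

# find_umask_overrides FILE...: print file:line:text for every active
# (non-comment) line that starts with a umask command. Scripts sourced by
# the login shell run after the PAM session stack, so any hit here
# replaces whatever pam_umask.so set.
find_umask_overrides() {
    # /dev/null forces grep to print the file name even for a single file.
    grep -nE '^[[:space:]]*umask[[:space:]]+[^[:space:]#]' "$@" /dev/null \
        2>/dev/null || :
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample files standing in for /etc/profile and ~/.bashrc.
    printf '%s\n' '# Default umask.' 'umask 022' > "$tmp/profile"
    printf '%s\n' '# umask 077 (commented out)' 'alias ll="ls -l"' > "$tmp/bashrc"
    echo "umask 0007 -> files $(perms_for 0007 f), directories $(perms_for 0007 d)"
    echo "umask commands that would replace the PAM value:"
    find_umask_overrides "$tmp/profile" "$tmp/bashrc"
    rm -rf "$tmp"
}

demo
```

On a real system, pass `/etc/profile`, the files under `/etc/profile.d` and the shell's own rc files to `find_umask_overrides`, then run `umask` in a fresh login shell to confirm the effective value.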


All times are GMT -5.