port umask from /etc/pam.d to /usr/share/pam-configs implementation

https://forums.whonix.org/t/change-default-umask/7416
2025-01-12 03:39:29 -05:00 · 2019-07-13 10:35:10 -04:00 · 2019-07-13 10:35:10 -04:00 · cb668459e8
commit cb668459e8
parent ac25733de8
3 changed files with 6 additions and 57 deletions
--- a/etc/pam.d/common-session-noninteractive.security-misc
+++ b/etc/pam.d/common-session-noninteractive.security-misc
@ -1,28 +0,0 @@
-#
-# /etc/pam.d/common-session-noninteractive - session-related modules
-# common to all non-interactive services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of all non-interactive sessions.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session	required	pam_unix.so 
-session	optional	pam_cgfs.so -c freezer,memory,name=systemd
-# end of pam-auth-update config
-session optional pam_umask.so usergroups
-
--- a/etc/pam.d/common-session.security-misc
+++ b/etc/pam.d/common-session.security-misc
@ -1,29 +0,0 @@
-#
-# /etc/pam.d/common-session - session-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session	required	pam_unix.so 
-session	optional	pam_systemd.so 
-session	optional	pam_cgfs.so -c freezer,memory,name=systemd
-# end of pam-auth-update config
-session optional pam_umask.so usergroups
-
--- a/usr/share/pam-configs/usergroups
+++ b/usr/share/pam-configs/usergroups
@ -0,0 +1,6 @@
+Name: change default umask to 006 (by package security-misc)
+Default: yes
+Priority: 256
+Session-Type: Additional
+Session:
+	optional pam_umask.so usergroups