netbsd-bugs: bin/32307: su fails to set umask correctly when using pam and simulating a full login (-, -d, -l)

Subject: bin/32307: su fails to set umask correctly when using pam and simulating a full login (-, -d, -l)
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <jmiller@shaw.ca>
List: netbsd-bugs
Date: 12/15/2005 07:25:01

>Number:         32307
>Category:       bin
>Synopsis:       su fails to set umask correctly when using pam and simulating a full login (-, -d, -l)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 15 07:25:00 +0000 2005
>Originator:     Jason V. Miller
>Release:        3.0_RC6
>Organization:
>Environment:
NetBSD lust.misaligned.org 3.0_RC6 NetBSD 3.0_RC6 (LUST) #0: Tue Dec 13 13:52:36 MST 2005  src@lust.misaligned.org:/usr/home/src/obj/sys/arch/i386/compile/LUST i386
>Description:
When su-ing TO a non-root user, the umask of the account that we are su-ing FROM is inherited, regardless of weather or not we use -, -d, or -l. The umask should be set to the account that is being su-ed TO when -, -d, or -l is used.

Many thanks to hubertf@NetBSD.org for helping me confirm, diagnose, and locate the problem, as well as helping me with the fix.
>How-To-Repeat:
The default umask for user src is 0022.
-----
login: src
Password:
<text removed>
$ umask
0022 <--- DEFAULT UMASK FOR SRC
-----

When logged in as another user (jm), my umask is set to 0077. After su-ing to src, the umask is inherited incorrectly simulating a full login (-, -d, or -l are used).

The umask should only be inherited when we're not simulating a login.
-----
bash-3.00$ whoami
jm
bash-3.00$ umask
0077
bash-3.00$ su src
Password:
$ umask
0077 <--- umask is correctly inherited
$ ^D
bash-3.00$ su - src
Password:
$ umask
0077 <--- UMASK HAS BEEN INCORRECTLY INHERITED
-----
>Fix:
The following patch fixes this problem.

bash-3.00$ cvs diff -u su_pam.c
Index: su_pam.c
===================================================================
RCS file: /cvsroot/src/usr.bin/su/su_pam.c,v
retrieving revision 1.5.2.5
diff -u -r1.5.2.5 su_pam.c
--- su_pam.c    9 Jul 2005 23:03:05 -0000       1.5.2.5
+++ su_pam.c    15 Dec 2005 07:21:37 -0000
@@ -499,6 +499,12 @@
        setwhat = LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETUMASK|
            LOGIN_SETLOGIN|LOGIN_SETPATH|LOGIN_SETGROUP);
 
+       /*              
+        * Reset umask if simulating a full login.
+        */              
+       if ( asthem )    
+               setwhat |= LOGIN_SETUMASK;
+
        /*
         * Don't touch resource/priority settings if -m has been used
         * or -l and -c hasn't, and we're not su'ing to root.