From 53b16d4a8286033edd1a9532a88a5bb2ef35b8ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Buclin?= <LpSolit@netscape.net>
Date: Sat, 11 Mar 2017 17:16:08 +0100
Subject: Correctly set permissions on the home directory when creating a new
 user (mga#618)

---
 NEWS         |   3 ++
 USER/USER.xs |   5 +--
 userdrake    | 105 ++++++++++++++++++++++++++++++++++++++++++-----------------
 3 files changed, 81 insertions(+), 32 deletions(-)

diff --git a/NEWS b/NEWS
index 3f990bd..537816a 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,6 @@
+- Correctly set permissions on the home directory
+  when creating a new user (mga#618)
+
 Version 2.14 - 24 February 2017
 
 - Do not encrypt the empty password (mga#19318)
diff --git a/USER/USER.xs b/USER/USER.xs
index 086580b..ff9fc41 100644
--- a/USER/USER.xs
+++ b/USER/USER.xs
@@ -67,11 +67,12 @@ Admin_DESTROY(self)
         if (self) lu_end(self);
 
 int
-Admin_UserAdd(self, ent, is_system, dont_create_home)
+Admin_UserAdd(self, ent, is_system, dont_create_home, homePermissions)
         USER::ADMIN *self
         USER::ENT *ent
         int is_system
         int dont_create_home
+        short homePermissions
         CODE:
         USER__ERR *error = NULL;
         long uidNumber, gidNumber;
@@ -114,7 +115,7 @@ Admin_UserAdd(self, ent, is_system, dont_create_home)
                 homeDirectory = g_value_get_string(value);
                 
                 if (lu_homedir_populate(self, skeleton, homeDirectory,
-                                        uidNumber, gidNumber, 0700,
+                                        uidNumber, gidNumber, homePermissions,
                                         &error) == 0) {
                         warn(_("Error creating `%s': %s"), homeDirectory, error ? error->string : "unknown error");
                         RETVAL = 2;
diff --git a/userdrake b/userdrake
index 08c36b3..2274013 100755
--- a/userdrake
+++ b/userdrake
@@ -44,7 +44,6 @@ use log;
 $ugtk3::wm_icon = "userdrake";
 
 my $conffile = '/etc/sysconfig/userdrake';
-my $secfile = '/etc/security/msec/security.conf';
 my $pixdir = '/usr/share/userdrake/pixmaps/';
 my @pix = ($pixdir . 'selected.png', $pixdir . 'unselected.png');
 
@@ -76,7 +75,6 @@ my $error = 0;
 my $GetValue = -65533;
 my $stringsearch = '';
 my %prefs = getVarsFromSh($conffile);
-my %sec = getVarsFromSh($secfile);
 my $sysfilter = text2bool($prefs{FILTER});
 
 sub HelpSystem() { run_program::raw({ detach => 1 }, 'drakhelp', '--id', 'userdrake') }
@@ -255,50 +253,90 @@ undef $window_splash;
 $us->{wnd}->main;
 ugtk3->exit(0);
 
-#=============================================================
+=head1 NAME
 
-=head2 weakPasswordForSecurityLevel
+userdrake - Mageia Users Management Tool
 
-=head3 INPUT
+=head1 SYNOPSIS
 
-    $passwd: password to check
+  userdrake
+  drakuser (alias to userdrake)
 
-=head3 OUTPUT
+=head1 DESCRIPTION
 
-    1: if the password is too weak for security level
+This script manages user accounts for your Mageia installation.
+It requires the root password.
 
-=head3 DESCRIPTION
+=head1 FUNCTIONS
 
-    Check the security level set if /etc/security/msec/security.conf
-    exists and the level is not 'standard' and if the password
-    is not at least 6 characters return true
+=over
 
-    NOTE this function has been ported from ManaTools::Shared::Users
+=item C<get_params($file, @parameters)>
 
-=cut
+This function parses and returns data from a text file in the format:
 
-#=============================================================
-sub weakPasswordForSecurityLevel {
-    my ($password) = shift;
+  # Parameters and values are separated by whitespaces.
+  PARAMETER1 VALUE1
+  PARAMETER2 VALUE2
+  ...
 
-    if (-e $secfile) {
-        my $level = $sec{BASE_LEVEL};
-        if ($level eq 'none' or $level eq 'standard') {
-            return 0;
-        }
-        elsif (length($password) < 6) {
-            return 1;
-        }
-    }
+or
 
-    return 0;
-}
+  # Parameters and values are separated by the '=' symbol.
+  PARAMETER1=VALUE1
+  PARAMETER2=VALUE2
+  ...
+
+It is somehow similar to L<MDK::Common::System::getVarsFromSh> except that
+get_params() is also able to parse files where whitespaces are used as separator.
+Maybe one day both functions will be merged.
+
+  Params:  $file - The name of the text file to parse.
+           @parameters - The list of parameters for which you want their value.
+
+  Returns: A hashref in the form { PARAMETER1 => VALUE1, PARAMETER2 => VALUE2, ... }.
+
+=item C<weakPasswordForSecurityLevel($passwd)>
+
+Make sure that the password is at least 6 characters long if the security level
+specified in /etc/security/msec/security.conf is higher than 'standard'.
+
+This function is based on ManaTools::Shared::Users
+
+  Params: $passwd - The password to check.
 
+  Returns: TRUE if the password is too weak for the current security level.
+           FALSE otherwise.
+
+=back
+=cut
 
 sub is_xguest_installed() {
     -e '/etc/security/namespace.d/xguest.conf';
 }
 
+sub get_params {
+    my ($file, @parameters) = @_;
+    if (open(my $fh, '<', $file)) {
+        my @lines = <$fh>;
+        close $fh;
+        my $param_list = join('|', @parameters);
+        my %params = map { /^($param_list)\b(?:=|\s+)(.+)$/; $1 => $2 } grep {/^(?:$param_list)\b/} @lines;
+        return \%params;
+    }
+    return {};
+}
+
+sub weakPasswordForSecurityLevel {
+    my $password = shift;
+    my $level = get_params('/etc/security/msec/security.conf', qw(BASE_LEVEL))->{BASE_LEVEL};
+
+    if (!$level || $level eq 'none' || $level eq 'standard' || length($password) >= 6) {
+        return 0;
+    }
+    return 1;
+}
+
 sub GrayDelEdit() {
     foreach ($tbedit, $tbdel, $buttorcheck{edit}, $buttorcheck{delete}) {
         defined $_ and $_->set_sensitive(0);
@@ -454,7 +492,10 @@ sub GetFaceIcon {
 
 sub AddUser() {
     my $w = NewWindow(N("Create New User"));
-    my $dontcreatehomedir = 0; my $is_system = 0;
+    my $dontcreatehomedir = 0;
+    # Be restrictive by default, and use umask if known.
+    my $homedir_perms = 0700;
+    my $is_system = 0;
     my %u; 
     gtkpack_($w->get_child,
 		    0, BuildUui(),
@@ -497,6 +538,10 @@ sub AddUser() {
                                $dontcreatehomedir = 0;
                                $u{homedir} = $us->{o}{homedir}->get_text;
                                $userEnt and $userEnt->HomeDir($u{homedir});
+                               # Correctly set permissions on the home directory.
+                               if (my $umask = get_params('/etc/login.defs', qw(UMASK))->{UMASK}) {
+                                   $homedir_perms = 0777 &~ oct($umask);
+                               }
                            } else {
                                $dontcreatehomedir = 1;
                            }
@@ -540,7 +585,7 @@ sub AddUser() {
                                $userEnt->Gid($u{gid});
                                $userEnt->ShadowMin(-1); $userEnt->ShadowMax(99999);
                                $userEnt->ShadowWarn(-1); $userEnt->ShadowInact(-1);
-                               $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir);
+                               $ctx->UserAdd($userEnt, $is_system, $dontcreatehomedir, $homedir_perms);
                                $ctx->UserSetPass($userEnt, $u{passwd});
                                defined $us->{o}{iconval} and
                                  any::addKdmIcon($u{username}, $us->{o}{iconval});
-- 
cgit v1.2.1