Merge branch 'dev' into bump-pwb-2024.09.0

workbench-for-google-cloud-workstations/Dockerfile.ubuntu2204

@@ -141,7 +141,7 @@ ADD --chmod=755 https://raw.githubusercontent.com/rstudio/wait-for-it/master/wai
 RUN mkdir -p /var/lib/rstudio-server/monitor/log \
     && chown -R rstudio-server:rstudio-server /var/lib/rstudio-server/monitor \
     && mkdir -p /startup/custom/ \
-    && printf '\n# allow home directory creation\nsession required pam_mkhomedir.so skel=/etc/skel umask=0027' >> /etc/pam.d/common-session
+    && printf '\n# allow home directory creation\nsession required pam_mkhomedir.so skel=/etc/skel umask=0077' >> /etc/pam.d/common-session
 
 COPY --chmod=755 TurboActivate.dat /opt/rstudio-license/license-manager.conf
 COPY --chmod=755 license-manager-shim /opt/rstudio-license/license-manager

workbench-for-google-cloud-workstations/pam/rstudio-session

@@ -17,7 +17,7 @@ password sufficient pam_sss.so use_authtok
 password required pam_unix.so try_first_pass nullok sha512 shadow
 password optional pam_permit.so
 
-session required pam_mkhomedir.so skel=/etc/skel umask=0027
+session required pam_mkhomedir.so skel=/etc/skel umask=0077
 session required pam_env.so readenv=1
 session required pam_env.so readenv=1 envfile=/etc/default/locale
 session required pam_limits.so

workbench-for-google-cloud-workstations/test/goss.yaml

@@ -109,7 +109,7 @@ file:
   /etc/pam.d/common-session:
     exists: true
     contents:
-      - "/^session required pam_mkhomedir.so skel=/etc/skel umask=0027$/"
+      - "/^session required pam_mkhomedir.so skel=/etc/skel umask=0077$/"
   /etc/sssd/sssd.conf:
     exists: true
     owner: root

workbench/Dockerfile.ubuntu2204

@@ -103,7 +103,7 @@ COPY conf/* /etc/rstudio/
 RUN mkdir -p /var/lib/rstudio-server/monitor/log && \
     chown -R rstudio-server:rstudio-server /var/lib/rstudio-server/monitor && \
     mkdir -p /startup/custom/ && \
-    printf '\n# allow home directory creation\nsession required pam_mkhomedir.so skel=/etc/skel umask=0027' >> /etc/pam.d/common-session
+    printf '\n# allow home directory creation\nsession required pam_mkhomedir.so skel=/etc/skel umask=0077' >> /etc/pam.d/common-session
 
 EXPOSE 8787/tcp
 EXPOSE 5559/tcp

workbench/NEWS.md

@@ -1,4 +1,9 @@
+# 2024.09.0
+
+- Update umask for user home directory from 0022 to 0077 to improve security of directory permissions
+
 # 2023.03.1
+
 - No changes
 
 # 2023.03.0

workbench/pam/rstudio-session

@@ -17,7 +17,7 @@ password sufficient pam_sss.so use_authtok
 password required pam_unix.so try_first_pass nullok sha512 shadow
 password optional pam_permit.so
 
-session required pam_mkhomedir.so skel=/etc/skel umask=0027
+session required pam_mkhomedir.so skel=/etc/skel umask=0077
 session required pam_env.so readenv=1
 session required pam_env.so readenv=1 envfile=/etc/default/locale
 session required pam_limits.so

workbench/test/goss.yaml

@@ -85,7 +85,7 @@ file:
   /etc/pam.d/common-session:
     exists: true
     contains:
-      - "/^session required pam_mkhomedir.so skel=/etc/skel umask=0027$/"
+      - "/^session required pam_mkhomedir.so skel=/etc/skel umask=0077$/"
   /etc/sssd/sssd.conf:
     exists: true
     owner: root