Merge "Make umask change opt-in"

2017-01-14 18:01:40 +00:00 · 2017-01-14 18:01:40 +00:00 · 6a4d0522e5
commit 6a4d0522e5
parent 5466fc2564 cd0fad3d88
2 changed files with 29 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -492,7 +492,7 @@ security_pam_offline_credentials_expiration_days: 1          # RHEL-07-010401 /
 # Set a delay (in seconds) between failed login attempts.
 security_shadow_utils_fail_delay: 4                          # RHEL-07-010420
 # Set a umask for all authenticated users.
-security_shadow_utils_umask: 077                             # RHEL-07-020230
+# security_shadow_utils_umask: '077'                         # RHEL-07-020230
 # Create home directories for new users by default.
 security_shadow_utils_create_home: yes                       # RHEL-07-020630
 # How many old user password to remember to prevent password re-use.
--- a/doc/metadata/rhel7/RHEL-07-020230.rst
+++ b/doc/metadata/rhel7/RHEL-07-020230.rst
@ -1,16 +1,38 @@
 ---
 id: RHEL-07-020230
-status: implemented
+status: opt-in - Ubuntu only
 tag: auth
 ---

-The umask for authenticated users is set to ``077`` by the tasks in the
-security role. This is the default for Ubuntu, CentOS, and Red Hat Enterprise
-Linux already.
+The STIG requires that the umask for all authenticated users is ``077``. This
+ensures that all new files and directories created by a user are accessible
+only by that user.

-Deployers can choose a different umask value by setting the following Ansible
-variable:
+Although this change has a significant security benefit, it can cause problems
+for users who are not expecting the change. The security role will not adjust
+the umask by default.
+
+Deployers can opt-in for the change by setting the default umask with an
+Ansible variable:

 .. code-block:: yaml

    security_shadow_utils_umask: 077
+
+.. note::
+
+    Ubuntu uses ``pam_umask`` and it uses the default umask provided by the
+    ``UMASK`` line in ``/etc/login.defs``. The default setting on Ubuntu
+    systems is ``022``. This allows the user's group and other users on the
+    system to read and execute files, but they cannot write to them.
+
+    CentOS and Red Hat Enterprise Linux do not use ``pam_umask`` and instead
+    set a default umask of ``0002`` for regular users and ``0022`` for root.
+    This gives the regular user's group full access to newly created files, but
+    other users cannot write to those files.
+
+    The tasks for this STIG requirement are not currently applied to CentOS and
+    Red Hat Enterprise Linux systems. See `Launchpad Bug #1656003`_ for more
+    details.
+
+.. _Launchpad Bug #1656003: https://bugs.launchpad.net/openstack-ansible/+bug/1656003