I have a Red Hat 5.8 server that is bound to active directory and users are authenticated via active directory when they log in via sftp. User home folders are created during login using /etc/pam.d/system-auth. The specific line that creates the home folder is
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0066
This correctly gives home folders 711 permissions so no one else can read their directories. The problem is, the pam_mkhomedir.so also modifies permissions on all folders/files inside the /etc/skel folder which I don't want. There is a public_html folder (for apache) which needs to have 755 permissions so users can create web pages.
Is there a way for me to either a) stop pam_mkhomedir.so from recursively changing all the file permissions or b) create a script that creates the public_html folder after skel is copied and to set the correct permissions?
Best Answer
I don't think that you would want to keep the mkhomedir.so module from recursively changing all files, since public_html may not be the only folder/file that you have in your skeleton. But as far as I know the module doesn't allow non-recursion or excluding other specific directories from the umask.
You can certainly run a script afterwards to create the public_html directory, or even just modify the permissions of the already created public_html directory using the pam_exec.so module. See: PAM: Execute a command before pam_mkhomedir?
One other thought is that you could investigate changing the group on their home files/folders to a group that only Apache has access to and set the umask to 0026. This would give the Apache group full access to the user's home directory but not other users on the system.