Use pam_umask.so in common-session{-noninteractive}

This resets the umask when creating a new session to the default
value instead of possibly inheriting the umask,
eg. when using 'su -'.

Closes: #711104

2 files changed, 4 insertions, 0 deletions

diff --git a/debian/local/common-session b/debian/local/common-session
index 2e94d6c7..4125ec41 100644
--- a/debian/local/common-session
+++ b/debian/local/common-session
@@ -20,6 +20,8 @@ session	requisite			pam_deny.so
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 session	required			pam_permit.so
+# reset the umask for new sessions
+session optional			pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 $session_additional
 # end of pam-auth-update config
diff --git a/debian/local/common-session-noninteractive b/debian/local/common-session-noninteractive
index 1dd1a172..d216f6ed 100644
--- a/debian/local/common-session-noninteractive
+++ b/debian/local/common-session-noninteractive
@@ -20,6 +20,8 @@ session	requisite			pam_deny.so
 # this avoids us returning an error just because nothing sets a success code
 # since the modules above will each just jump around
 session	required			pam_permit.so
+# reset the umask for new sessions
+session optional			pam_umask.so
 # and here are more per-package modules (the "Additional" block)
 $session_nonint_additional
 # end of pam-auth-update config