Enable umask hardening

README.md

@@ -573,9 +573,7 @@ See:
 #### umask
 
 Default `umask` is set to `027` for files created by non-root users such as
-user `user`. Broken. Disabled. See:
-
-* https://github.com/Kicksecure/security-misc/issues/184
+user `user`.
 
 This is done using the PAM module `pam_mkhomedir.so umask=027`.
 
@@ -589,7 +587,13 @@ https://wiki.debian.org/UserPrivateGroups
 
 Default `umask` is unchanged for root because then configuration files created
 in `/etc` by the system administrator would be unreadable by "others" and break
-applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`.
+applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The
+`umask` is also set to 022 via `sudoers` configuration, so that files created
+as root are world-readable even when using commands such as `sudo vi
+/etc/file` or `sudo -i; touch /etc/file`.
+
+`umask` is set to 022 rather than 027 when using `sudo`, so that commands such
+as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file`
 
 See:
 

etc/sudoers.d/security-misc

@@ -3,3 +3,8 @@
 
 user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
 %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+
+## Use a more open umask when executing commands with sudo
+## Can be overridden on a per-user basis using .[z]profile if desirable
+Defaults umask_override
+Defaults umask=0022

usr/share/pam-configs/umask-security-misc

@@ -0,0 +1,8 @@
+Name: Restrict umask to 027 (by package security-misc)
+Default: yes
+Priority: 100
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+	[success=1 default=ignore]	pam_succeed_if.so uid eq 0
+	optional	pam_umask.so umask=027