From 04d1677ed023807a3a0c53debb8f6460a2154bfa Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 10:55:12 +0000
Subject: [PATCH 1/3] Create 30_security-misc-umask.sh

---
 etc/profile.d/30_security-misc-umask.sh | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 etc/profile.d/30_security-misc-umask.sh

diff --git a/etc/profile.d/30_security-misc-umask.sh b/etc/profile.d/30_security-misc-umask.sh
new file mode 100644
index 00000000..a007de79
--- /dev/null
+++ b/etc/profile.d/30_security-misc-umask.sh
@@ -0,0 +1,6 @@
+if [ "$(id -u)" -eq 0 ]
+then
+ umask 077
+else
+ umask 022
+fi

From 74b46fe20cbe5e2401f866def8fd30aa7fb49416 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 10:57:37 +0000
Subject: [PATCH 2/3] Update mkhomedir-security-misc

---
 usr/share/pam-configs/mkhomedir-security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc
index 326013c0..b246ea03 100644
--- a/usr/share/pam-configs/mkhomedir-security-misc
+++ b/usr/share/pam-configs/mkhomedir-security-misc
@@ -4,4 +4,4 @@ Priority: 100
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session:
- optional pam_mkhomedir.so umask=027
+ optional pam_mkhomedir.so umask=0077

From 420992abce6049bede3b8443c9fc824bfc5d974d Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Wed, 24 Jan 2024 10:58:23 +0000
Subject: [PATCH 3/3] Create umask-security-misc

---
 usr/share/pam-configs/umask-security-misc | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 usr/share/pam-configs/umask-security-misc

diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc
new file mode 100644
index 00000000..70e6d140
--- /dev/null
+++ b/usr/share/pam-configs/umask-security-misc
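Review bot: The `umask 022` in the else branch undoes the 0077 that the pam_umask line in umask-security-misc (patch 3/3) sets for non-root users, because /etc/profile.d is sourced by the login shell after the PAM session has already run, so an interactive non-root login ends up at 022 regardless of the PAM policy. If 0077 is the intended policy for everyone, the branch is unnecessary and a single `umask 077` covers root and non-root alike. A one-line comment such as `# Login-shell fallback; the PAM-wide policy is in /usr/share/pam-configs/umask-security-misc` would explain why both mechanisms exist. Note that this file only affects shells that source /etc/profile, so services, cron and non-login sessions still depend entirely on the PAM module.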
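Review bot: The new umask=0077 on the pam_mkhomedir line only governs the mode a home directory gets at the moment pam_mkhomedir creates it (0700 with this value), and presumably the skeleton files it copies; home directories that already exist keep their current mode, so existing users are unaffected by this change. That is worth stating in the commit message, or in a comment line if pam-auth-update's parser tolerates one, so the value is not read as a system-wide umask. The value matches the 0077 used for pam_umask in umask-security-misc (patch 3/3), so the two PAM files agree with each other.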
@@ -0,0 +1,8 @@
+Name: Restrict umask to 0077 (by package security-misc)
+Default: yes
+Priority: 100
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ [success=1 default=ignore] pam_succeed_if.so uid eq 0
+ optional pam_umask.so umask=0077
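Review bot: The `[success=1 default=ignore] pam_succeed_if.so uid eq 0` line skips pam_umask for root, so root's umask is left at the session default unless a login shell later sources 30_security-misc-umask.sh (patch 1/3), which sets root to 077 anyway; the exemption therefore appears to contradict both the profile.d script and this file's own Name line. If root is meant to be at 0077 as well, dropping the pam_succeed_if line is simpler and closes the gap for root sessions that never reach a login shell; if the exemption is deliberate, the reason should be stated and the Name line made accurate, e.g. `Name: Restrict umask to 0077 for non-root users (by package security-misc)`. Note also that Session-Interactive-Only: yes keeps this out of common-session-noninteractive, so cron jobs and other non-interactive sessions are not covered — presumably intended, but worth a sentence in the commit message.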