proper umask default setting / disabling UPGs / release notes / steps to take
- To: debian-devel@lists.debian.org
- Subject: proper umask default setting / disabling UPGs / release notes / steps to take
- From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
- Date: Wed, 26 May 2010 01:26:24 +0200
- Message-id: <20100526012624.3b063ed1c.gatzemeier@tu-bs.de@tu-bs.de>
- In-reply-to: <20100525220935.201d11b8c.gatzemeier@tu-bs.de@tu-bs.de>
- References: <20100525220935.201d11b8c.gatzemeier@tu-bs.de@tu-bs.de>
The umask used to be (and should be again now) settable
centrally. (/etc/login.defs or /etc/default/login LSB?)
Setting the umask in /etc/profile and multiple other rc
files (instead of centrally in login.defs) was only necessary while
pam_umask was not available, and is to be deprecated.
All the time since '94
http://lists.debian.org/msgid-search/m0piQuw-0002dGC.ijackson@nyx.cs.du.edu
until PAM was included without support for it, the login package seems
to have done the umask adjustment for UPG users, that pam_umask is
requested to do again, now that it is available.
To disable UPGs you currently need to change two settings, one
in /etc/login.defs and one in /etc/adduser.conf.
So for a release note draft we can note:
* A link to a (maybe improved) version of the user's perspective on
UPGs. https://wiki.ubuntu.com/MultiUserManagement
* That existing users with UPG will now again get a correct
UPG-default-umask.
* That since existing users should have been set up with UPGs by the
Debian defaults all the time, this should be no security compromise.
* That a central UMASK setting is now again possible in login.defs that
can do a much better job than the umask lines in
existing /etc/profile files etc.
* That all umask settings have to be removed from
preexisting /etc/profile ~/.bashrc and other shell rc files to take
advantage of the improvements.
* The option of disabling UPGs altogether in adduser.conf and
login.defs.
As for a list of steps to do:
1) remove/comment out any umask settings in all shell configuration
files shipped in Debian (i.e. /etc/profile) and add a comment
pointing to the right place for the global default umask setting.
It might be /etc/default/login (LSB?), pam_umask looks at both.
2) Adjust /etc/login.defs:
Refer to the text from:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/487729
Correct the comment about USERGROUPS_ENAB (now used by pam_umask).
Or point to /etc/default/login (LSB?), pam_umask looks
at both.
UMASK 022 should be set in login.defs or /etc/default/login,
and pam_umask's usergroups feature should be mentioned in the
comment.
3) Enable pam_umask by fixing the issues related to the first couple
of points of the howto at https://wiki.ubuntu.com/MultiUserManagement
If anyone knows where this umask/UPG/multi-user issue is tracked, could
you please add this accordingly?
Kind regards,
Christian
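
Added example, not part of the original message or of any Debian package: a shell audit helper for steps 1 and 2. It lists rc-file lines that still set a umask and computes the umask a user would get from the central UMASK under pam_umask's documented usergroups rule. The function names, sample users and sample files are constructed for illustration, and treating USERGROUPS_ENAB yes as enabling the rule follows the message above.

```shell
#!/bin/sh
# Added example: file paths are arguments, so the functions can be pointed
# at copies of /etc/login.defs, /etc/profile, ~/.bashrc and similar files.

# defs_get KEY FILE: value of KEY in a login.defs-style file.
# Simplification (assumption): the first uncommented entry is used.
defs_get() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# rc_umask_lines FILE...: print file:line:text for each active umask command,
# i.e. the lines step 1 wants removed or commented out. Comment stripping is
# naive (everything after the first '#'), which is enough for an audit pass.
rc_umask_lines() {
    awk '{ line = $0; sub(/#.*/, "", line) }
         line ~ /(^|[;&| \t])umask[ \t]+[^ \t]/ { print FILENAME ":" FNR ":" $0 }' "$@"
}

# effective_umask UMASK USERGROUPS_ENAB UID USER PRIMARY_GROUP
# Models the usergroups rule as documented for pam_umask: for a non-root user
# whose name equals the primary group name, the group bits are set to the
# owner bits (022 -> 002, 077 -> 007). Everyone else keeps UMASK unchanged.
effective_umask() {
    m=$((0$1))
    if [ "$2" = yes ] && [ "$3" -ne 0 ] && [ "$4" = "$5" ]; then
        m=$(( (m & 0707) | (((m >> 6) & 7) << 3) ))
    fi
    printf '%03o\n' "$m"
}

# Constructed sample input (not real system files).
tmp=$(mktemp -d)
printf 'UMASK 022\nUSERGROUPS_ENAB yes\n' > "$tmp/login.defs"
printf '# umask 022\nPATH=/usr/bin\numask 027\n' > "$tmp/profile"
mask=$(defs_get UMASK "$tmp/login.defs")
enab=$(defs_get USERGROUPS_ENAB "$tmp/login.defs")
echo "alice (UPG, group alice): $(effective_umask "$mask" "$enab" 1000 alice alice)"
echo "bob (shared group users): $(effective_umask "$mask" "$enab" 1001 bob users)"
echo "rc lines that would override the central setting:"
rc_umask_lines "$tmp/profile"
rm -rf "$tmp"
```

The leftover `umask 027` in the sample profile is the kind of line that silently replaces the UPG-aware value at shell start-up, which is why the release note asks for such lines to be removed.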