
Re: UPG and the default umask



On Mon, May 17, 2010 at 01:04:22PM +0200, Bastien ROUCARIES wrote:
> On Mon, May 17, 2010 at 12:26 PM, Harald Braumann <harry@unheit.net> wrote:
> > On Thu, May 13, 2010 at 11:48:19AM +0200, Santiago Vila wrote:
> >
> >> Will be done in base-files 5.4.
> >
> > I think that this change was done prematurely. There is still the
> > issue of a Debian system running in a non-UPG environment. And so far
> > I haven't seen a resolution for this point in the discussion.
> 
> I believe the pam umask module is the way to go according to
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_umask.html

Fair enough ...

>  [option] usergroups
> 
>     If the user is not root, and the user ID is equal to the group ID,
> and the username is the same as primary group name, the umask group
> bits are set to be the same as owner bits (examples: 022 -> 002, 077
> -> 007).

... but that's the problem. User and group names/IDs are completely
independent from one another and from the group regime employed. By no
stretch of imagination can I see how you could deduce the group regime
of a system from those.

- you could have a UPG system but a mismatch of IDs -> wrong umask
- you could have a non-UPG system but a user's name and ID happen to
  match those of the group -> wrong umask
- you could add more layers and check, e.g., if the user is the only
  member in the group. But more users could be added later making the
  first user's files writeable by those.

No matter how much clever logic you put in there, there is simply no
way to make this work reliably because it's based on a wrong assumption.

Computer programmes work best when they are based on sound logic. Let's
not part with this tradition. Let's keep the umask fixed at 022 and let
the user change it if he wants.

Cheers,
harry
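
The quoted usergroups rule run against the cases listed in the message, as an added example that is not part of the original post and not pam_umask's own source. The accounts, the `site_is_upg` ground-truth field and all function names are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Account:              # constructed sample record, not a real passwd/group entry
    name: str
    uid: int
    gid: int
    group_name: str         # name of the primary group
    group_members: tuple    # every user in that group
    site_is_upg: bool       # ground truth; the rule below never gets to see it

def relax_group_bits(base):
    """Copy the owner bits of a umask into its group bits (022 -> 002, 077 -> 007)."""
    owner_bits = (base >> 6) & 0o7
    return (base & ~0o070) | (owner_bits << 3)

def usergroups_umask(acct, base=0o022):
    """Quoted rule: non-root, UID == GID and user name == primary group name."""
    if acct.uid != 0 and acct.uid == acct.gid and acct.name == acct.group_name:
        return relax_group_bits(base)
    return base

def exposed_to(acct, base=0o022):
    """Other users who can write to files the account creates under that umask."""
    if usergroups_umask(acct, base) & 0o020:    # group write is still masked
        return ()
    return tuple(m for m in acct.group_members if m != acct.name)

def audit(accounts, base=0o022):
    """Rows of (name, umask chosen, umask the site's regime calls for, exposed users)."""
    rows = []
    for a in accounts:
        wanted = relax_group_bits(base) if a.site_is_upg else base
        rows.append((a.name, usergroups_umask(a, base), wanted, exposed_to(a, base)))
    return rows

# Constructed accounts, one per case in the message.
ALICE = Account("alice", 1000, 1000, "alice", ("alice",), True)   # UPG, IDs match
BOB = Account("bob", 1001, 1005, "bob", ("bob",), True)           # UPG, ID mismatch
CAROL = Account("carol", 1002, 1002, "carol", ("carol", "dave"), False)  # non-UPG, chance match
ALICE_LATER = replace(ALICE, group_members=("alice", "erin"))     # member added afterwards

if __name__ == "__main__":
    for name, got, wanted, exposed in audit([ALICE, BOB, CAROL, ALICE_LATER]):
        print(f"{name:6} umask={got:03o} wanted={wanted:03o} exposed_to={exposed}")
```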

