[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

proper umask default setting / disabling UPGs / release notes / steps to take

The umask used to be (and should be again now) settable
centrally. (/etc/login.defs or /etc/default/login LSB?)

Setting the umask in /etc/profile and multiple other rc
files (instead centrally in login.defs) was only necessary while
pam_umask was not available, and to be depreciated.

All the times since 94'
until PAM was included without support for it, the login package seems
to have done the umask adjustment for UPG users, that pam_umask is
requested to do again, now that it is available.

To disable UPGs you currently need to change two settings, one in
in /etc/login.defs and one in /etc/adduser.conf.

So for a release note draft we can note:

* A link to a (maybe improved version) of the users perspective on
  UPGs. https://wiki.ubuntu.com/MultiUserManagement

* That existing users with UPG will now again get a correct

* That since existing users should have been set up with UPGs by the
  debian defaults all the time, this should be no security compromise.

* That a central UMASK setting is now again possible in login.defs that
  can do a much better job than the umask lines in
  existing /etc/profile files etc.

* That all umask settings have to be removed from
  preexisting /etc/profile ~/.bashrc and other shell rc files to take
  advantage from the improvements.

* The option to disabling UPGs alltogether in adduser.conf and

As for a list of steps to do:

1) remove/comment out any umask settings in all shell configuration
   files shiped in debian (i.e. /etc/profile) and add a comment
   pointing to the right place for the global default umask setting.

   It might be /etc/default/login (LSB?), pam_umask looks at both.

2) Adjust /etc/login.defs:
   Refer to the text from:
   Correct the comment about USERGROUPS_ENAB (now used by pam_umask).
   Or point to /etc/default/login (LSB?), pam_umask looks
   at both.

   UMASK 022 should be set in login.defs or /etc/default/login,
   and pam_umask's usergroups feature should be mentioned in the

3) Enable pam_umask by fixing the issues related to the first couple
   of points of the howto at https://wiki.ubuntu.com/MultiUserManagement

If anyone knows where this umask/UPG/multi-user issue is tracked, could
you please add this accordingly?

Kind regards,

Reply to: