proper umask default setting / disabling UPGs / release notes / steps to take
- To: firstname.lastname@example.org
- Subject: proper umask default setting / disabling UPGs / release notes / steps to take
- From: "C. Gatzemeier" <email@example.com>
- Date: Wed, 26 May 2010 01:26:24 +0200
- Message-id: <firstname.lastname@example.org@tu-bs.de>
- In-reply-to: <email@example.com@tu-bs.de>
- References: <firstname.lastname@example.org@tu-bs.de>
The umask used to be (and should be again now) settable
centrally. (/etc/login.defs or /etc/default/login LSB?)
Setting the umask in /etc/profile and multiple other rc
files (instead of centrally in login.defs) was only necessary while
pam_umask was not available, and is to be deprecated.
All the time since '94
until PAM was included without support for it, the login package seems
to have done the umask adjustment for UPG users, that pam_umask is
requested to do again, now that it is available.
To disable UPGs you currently need to change two settings, one
in /etc/login.defs and one in /etc/adduser.conf.
So for a release note draft we can note:
* A link to a (maybe improved version) of the user's perspective on
* That existing users with UPG will now again get a correct
* That since existing users should have been set up with UPGs by the
Debian defaults all the time, this should be no security compromise.
* That a central UMASK setting is now again possible in login.defs that
can do a much better job than the umask lines in
existing /etc/profile files etc.
* That all umask settings have to be removed from
preexisting /etc/profile, ~/.bashrc and other shell rc files to take
advantage of the improvements.
* The option of disabling UPGs altogether in adduser.conf and
As for a list of steps to do:
1) remove/comment out any umask settings in all shell configuration
files shipped in Debian (i.e. /etc/profile) and add a comment
pointing to the right place for the global default umask setting.
It might be /etc/default/login (LSB?), pam_umask looks at both.
2) Adjust /etc/login.defs:
Refer to the text from:
Correct the comment about USERGROUPS_ENAB (now used by pam_umask).
Or point to /etc/default/login (LSB?), pam_umask looks
UMASK 022 should be set in login.defs or /etc/default/login,
and pam_umask's usergroups feature should be mentioned in the
3) Enable pam_umask by fixing the issues related to the first couple
of points of the howto at https://wiki.ubuntu.com/MultiUserManagement
If anyone knows where this umask/UPG/multi-user issue is tracked, could
you please add this accordingly?
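
An added sketch of the audit the steps in this message imply, not part of the original message or of any Debian package: it lists umask lines still active in shell rc files, reads UMASK and USERGROUPS_ENAB from a login.defs-style file, and computes the umask a session gets when pam_umask's usergroups rule is applied. The function names, the sample files and the users alice and bob are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Function names, sample
# files and users are constructed for illustration.

# Step 1: list active (uncommented) numeric umask calls left in shell rc files.
find_umask_lines() {
    grep -nHE '^[[:space:]]*umask[[:space:]]+[0-7]+' "$@" 2>/dev/null
}

# Step 2: value of KEY in a login.defs-style file (last active entry wins).
defs_value() {  # defs_value FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Step 3: umask a session gets once the usergroups rule is applied:
# for a non-root user whose name equals the primary group name (a UPG),
# the group bits are copied from the owner bits (022 -> 002, 077 -> 007).
effective_umask() {  # effective_umask UMASK USERGROUPS_ENAB USER GROUP UID
    mask=$((0$1))
    if [ "$2" = "yes" ] && [ "$5" -ne 0 ] && [ "$3" = "$4" ]; then
        mask=$(( (mask & ~070) | ((mask >> 3) & 070) ))
    fi
    printf '%03o\n' "$mask"
}

# Constructed sample tree standing in for /etc and a home directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'UMASK 022\nUSERGROUPS_ENAB yes\n' > "$demo/login.defs"
printf '# umask 077\numask 022\n' > "$demo/profile"
printf 'alias ll="ls -l"\n  umask 027\n' > "$demo/bashrc"

echo "rc files still overriding the central setting:"
find_umask_lines "$demo/profile" "$demo/bashrc"
um=$(defs_value "$demo/login.defs" UMASK)
ug=$(defs_value "$demo/login.defs" USERGROUPS_ENAB)
echo "alice:alice -> $(effective_umask "$um" "$ug" alice alice 1000)"
echo "bob:users   -> $(effective_umask "$um" "$ug" bob users 1001)"
echo "root:root   -> $(effective_umask "$um" "$ug" root root 0)"
```

Only the UPG user (alice) ends up with a group-writable default; any rc file that still calls umask after login overrides that result, which is why step 1 comes first.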