
proper umask default setting / disabling UPGs / release notes / steps to take



The umask used to be (and should be again now) settable
centrally. (/etc/login.defs or /etc/default/login LSB?)

Setting the umask in /etc/profile and multiple other rc
files (instead of centrally in login.defs) was only necessary while
pam_umask was not available, and is to be deprecated.

All the time since '94
http://lists.debian.org/msgid-search/m0piQuw-0002dGC.ijackson@nyx.cs.du.edu
until PAM was included without support for it, the login package seems
to have done the umask adjustment for UPG users, which pam_umask is
requested to do again, now that it is available.

To disable UPGs you currently need to change two settings, one
in /etc/login.defs and one in /etc/adduser.conf.


So for a release note draft we can note:

* A link to a (maybe improved) version of the user's perspective on
  UPGs: https://wiki.ubuntu.com/MultiUserManagement

* That existing users with UPG will now again get a correct
  UPG-default-umask.

* That since existing users should have been set up with UPGs by the
  Debian defaults all the time, this should be no security compromise.

* That a central UMASK setting is now again possible in login.defs that
  can do a much better job than the umask lines in
  existing /etc/profile files etc.

* That all umask settings have to be removed from
  preexisting /etc/profile, ~/.bashrc and other shell rc files to take
  advantage of the improvements.

* The option to disable UPGs altogether in adduser.conf and
  login.defs.


As for a list of steps to do:

1) Remove/comment out any umask settings in all shell configuration
   files shipped in Debian (i.e. /etc/profile) and add a comment
   pointing to the right place for the global default umask setting.

   It might be /etc/default/login (LSB?), pam_umask looks at both.

2) Adjust /etc/login.defs:
   Refer to the text from:
   https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/487729
   
   Correct the comment about USERGROUPS_ENAB (now used by pam_umask).
   
   Or point to /etc/default/login (LSB?), pam_umask looks
   at both.

   UMASK 022 should be set in login.defs or /etc/default/login,
   and pam_umask's usergroups feature should be mentioned in the
   comment.


3) Enable pam_umask by fixing the issues related to the first couple
   of points of the howto at https://wiki.ubuntu.com/MultiUserManagement



If anyone knows where this umask/UPG/multi-user issue is tracked, could
you please add this accordingly?

Kind regards,
Christian
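
An audit for steps 1 and 2 above, as an added example that is not part of the original message or of any Debian package: it lists shell rc files that still set a umask, reads UMASK and USERGROUPS_ENAB from login.defs, and computes the umask a UPG user (user name equal to primary group name) would get from pam_umask's usergroups handling, which copies the owner bits into the group bits. The function names, the root-prefix argument and the sample tree are assumptions made for the example; /etc/default/login is not parsed.

```shell
#!/bin/sh
# Added example (not from the original message). Paths are resolved under a
# root prefix so the checks can run against a constructed tree.

# Step 1: list active (uncommented) umask lines in shell rc files.
find_rc_umask() {
    root=$1
    for f in "$root"/etc/profile "$root"/etc/bash.bashrc "$root"/etc/profile.d/*.sh \
             "$root"/home/*/.bashrc "$root"/home/*/.profile; do
        [ -f "$f" ] || continue
        grep -nE '^[[:space:]]*umask[[:space:]]+[0-7]+' "$f" |
            while IFS= read -r hit; do printf '%s:%s\n' "${f#"$root"}" "$hit"; done
    done
    return 0
}

# Step 2: read an uncommented KEY VALUE pair from a login.defs-style file.
get_def() {
    [ -f "$1" ] || return 0
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Umask a UPG user ends up with: when usergroups handling is on, the group
# bits are set to the owner bits (022 -> 002, 077 -> 007).
upg_umask() {
    case $1 in ''|*[!0-7]*) echo "bad umask: $1" >&2; return 1 ;; esac
    base=$((0$1))
    if [ "$2" = yes ]; then
        base=$(( (base & ~070) | (((base >> 6) & 7) << 3) ))
    fi
    printf '%03o\n' "$base"
}

audit() {
    root=$1; defs=$root/etc/login.defs
    echo "rc files still setting umask:"; find_rc_umask "$root"
    u=$(get_def "$defs" UMASK); g=$(get_def "$defs" USERGROUPS_ENAB)
    echo "login.defs: UMASK=${u:-unset} USERGROUPS_ENAB=${g:-unset}"
    [ -n "$u" ] && echo "UPG user umask: $(upg_umask "$u" "$g")"
    return 0
}

# Constructed sample tree (not real system files).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/etc" "$demo/home/alice"
printf '# system profile\numask 022\n' > "$demo/etc/profile"
printf '  umask 077\n' > "$demo/home/alice/.bashrc"
printf '#UMASK 077\nUMASK 022\nUSERGROUPS_ENAB yes\n' > "$demo/etc/login.defs"
audit "$demo"
```

Calling `audit /` runs the same checks against the live system; any rc file it lists overrides the central setting for that shell.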