
Re: The story behind UPG and umask.



On Thu, 27 May 2010 11:35:34 +0200,
Wolodja Wentland wrote:

>  why not make the decision to use UPG explicit by setting
> "UPG = True"

I would say UPGs are already explicitly used.

If your UPG = True means that newly created users are created with user
private groups, then that is "USERGROUPS=yes" in adduser.conf.
This UPG usage prerequisite has been a Debian default since '94
according to an old thread that was mentioned.

If by UPG = True you refer to being conservative and relaxing the umask
only for users that are created with certain characteristics that
indicate that they really have been created with private user groups,
then that used to be "USERGROUPS_ENAB yes" in login.defs until PAM was
introduced without support for it, at that time, and broke it. Now
pam_umask is available and takes the option "usergroups" when called
from a pam.d/ config file (it could probably be patched to read
login.defs).

If by UPG = True you refer to setting a system wide default
(relaxed) umask 002 (and risking to do too much to existing users or
users on other systems authenticating against the Debian system), that
used to be UMASK 002 in login.defs before PAM; with PAM, "umask
002" had to be called from each shell rc file used, but now, if we
activate pam_umask, it will read UMASK 022 from login.defs again (and
relax it conditionally).
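
As an added illustration, not part of the original message: a small audit that models the conditional relaxation as documented for pam_umask's "usergroups" option (user is not root and the user name equals the primary group name) and flags accounts whose "private" group has other members. The passwd and group data are constructed, and `relax` and `audit` are hypothetical helper names.

```python
"""Audit which accounts a pam_umask "usergroups" setup would relax, and
whether their group is really private. Sample data below is constructed."""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:
alice:x:1000:
bob:x:1001:carol
"""

def relax(umask):
    # Copy the owner bits into the group bits: 022 -> 002, 077 -> 007.
    return (umask & ~0o070) | ((umask & 0o700) >> 3)

def audit(passwd_text, group_text, base_umask=0o022):
    groups = {}  # gid -> (name, set of supplementary members)
    for line in group_text.splitlines():
        name, _, gid, members = line.split(":")
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    users = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        users.append((f[0], int(f[2]), int(f[3])))
    report = {}
    for user, uid, gid in users:
        gname, members = groups.get(gid, (None, set()))
        # Assumed rule: not root, and user name equals primary group name.
        upg = uid != 0 and user == gname
        umask = relax(base_umask) if upg else base_umask
        # Everyone else who can act with this gid.
        others = (members | {u for u, _, g in users if g == gid}) - {user}
        report[user] = (umask, sorted(others) if upg else [])
    return report

if __name__ == "__main__":
    for user, (umask, others) in audit(PASSWD, GROUP).items():
        note = f"  WARNING: group shared with {others}" if others else ""
        print(f"{user:6} umask {umask:03o}{note}")
```

In the constructed data, bob gets umask 002 even though carol is a member of his group, so his new files would be group-writable by her; carol herself keeps 022 because her primary group is the shared "users" group.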



