
Re: UPG and the default umask



On Mon, May 10, 2010 at 10:40:58AM -0600, Aaron Toponce wrote:
> On 5/10/2010 10:23 AM, Julien Cristau wrote:
> > On Mon, May 10, 2010 at 10:14:00 -0600, Aaron Toponce wrote:
> > Are there reasons for making the switch?  With user groups, umask 002 or
> > 022 doesn't make a difference.  To switch off user groups, you set
> > USERGROUPS=no in adduser.conf, and that's it.
> 
> The biggest reason for making the change is when group collaboration
> becomes a necessity. Suppose you have a 'devel' group on the system,
> and a central directory where the collaboration happens. Because of the
> default umask value being '0022', the users must make sure that they
> have 'umask 0002' in their shell rc file, or as appropriate, or they
> must be constantly calling chmod to change the group permissions when
> new files are created. If the default umask is '0002' on a UPG system,
> then this checklist item doesn't need to be worried about.

Dear all,

I agree with the above. See for instance the case of Alioth, where many
documented operations start with ‘umask 002’:
http://www.google.com/search?q=alioth+"umask+002"

If this umask is the convention in most other unix systems that use private
user groups by default, perhaps we should follow the principle of least
surprise and adopt the same default. On the other hand, the principle
of least surprise has also been invoked against having an umask of 002,
in http://bugs.debian.org/248140.

The default of 022 is also not completely in line with the Securing Debian Manual:
‘Debian's scheme solves this problem by assigning each user to their own group;
so that with a proper umask (0002) and the SETGID bit set on a given project
directory, the correct group is automatically assigned to files created in that
directory. This makes it easier for people who work on multiple projects,
because they will not have to change groups or umasks when working on shared
files.’
http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.1.13

The decision of using 022 as a default umask seems to have been taken in 1994,
after discussions that I did not have time to read this morning:
http://lists.debian.org/debian-user/1994/03/msg00105.html
(and other off-thread messages in http://lists.debian.org/debian-user/1994/03/threads.html)
Perhaps 16 years later, in light of the experience accumulated in Debian and in the
other distributions, we can re-think the default in Debian, which seems to be
at odds with current practices?

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
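
The situation discussed in this message (a setgid project directory used under umask 022 versus 002), as an added shell example that is not part of the original e-mail. It assumes GNU `stat` and uses a throwaway directory from `mktemp` in place of a real project directory; the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: what umask 022 and 002 produce inside a setgid project
# directory. Everything happens in a temporary directory (constructed input).

# Create a file and a subdirectory under the given umask and print both
# octal modes. The subshell keeps the umask change away from the caller.
modes_under_umask() {
    ( umask "$1"
      cd "$2" || exit 1
      : > "file.$1"
      mkdir "dir.$1"
      echo "$(stat -c '%a' "file.$1") $(stat -c '%a' "dir.$1")" )
}

# Succeed when the group write bit is set in an octal mode such as 664 or 2775.
group_can_write() {
    g=$(printf '%s' "$1" | sed 's/.*\(.\).$/\1/')   # second-to-last digit
    [ $(( g & 2 )) -ne 0 ]
}

demo() {
    proj=$(mktemp -d) || return 1
    chmod 2775 "$proj"      # setgid: new entries take the directory's group
    for mask in 022 002; do
        set -- $(modes_under_umask "$mask" "$proj")
        if group_can_write "$1"; then
            verdict="other group members can edit"
        else
            verdict="other group members need a chmod first"
        fi
        echo "umask $mask: file=$1 dir=$2 -> $verdict"
    done
    rm -rf "$proj"
}

demo
```

With user private groups the extra group write bit from 002 only reaches the user's own single-member group outside such shared directories.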

