
Re: UPG and the default umask



On Thu, 13 May 2010, Charles Plessy wrote:

> found 248140 5.3
> thanks
> 
> Dear Santiago,
> 
> You probably have seen the discussion about user private groups on
> debian-devel this week:
> http://lists.debian.org/msgid-search/4BE830C8.5050009@gmail.com The
> core argument is that since user private groups are not meant to be
> shared, and that therefore an umask of 002 is not creating security
> risk. On the other hand, an umask of 022 is preventing from
> harvesting the benefits of user private groups. See in particular
> the summary from Russ Allbery:
> http://lists.debian.org/87fx1ykjrt.fsf@windlord.stanford.edu
> 
> I read this bug report (http://bugs.debian.org/248140) and indeed,
> if users have been used that Debian has an umask of 022, perhaps the
> change could be surprising. However, it would not affect existing
> systems. I can propose a patch to the release notes if people think
> it would be useful.

Yes, I think this change is important enough to be documented in
release notes. You might want to mention the possible gotchas, like,
for example, performing "scp -p" from a system with umask 002 to a
system without UPG when there are already files with mode 664 floating
around.

> If no stronger objections against a change from 022 to 002 is
> raised, would you agree changing base-files so that /etc/profile
> uses 002 on new systems?

No objection.

In fact, the status of /etc/profile as a "configuration file which is
not a conffile but instead it's created only on new installs" allows us
to change the default to whatever thing we consider more sensible
without worrying too much about the principle of least surprise, as the
change is only in effect on new installs.

Will be done in base-files 5.4.

Thanks.
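
The "scp -p" gotcha mentioned in the reply above, as an added example that is not part of the original message: a check to run on the receiving system for group-writable files whose group is shared rather than a user private group. The function names and the rule "a UPG is named after its owner and has no other listed member" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): find files that would be
# writable by a shared group after a mode-preserving copy ("scp -p").

# group_writable DIR: list regular files and directories with the g+w bit set.
group_writable() {
    find "$1" \( -type f -o -type d \) -perm -020 -print
}

# is_upg GROUP USER [GROUPFILE]: succeed only if GROUP is named after USER and
# the group database lists no other member. Assumption: a UPG shares its
# owner's name; users holding GROUP as primary group in passwd are not checked.
is_upg() {
    [ "$1" = "$2" ] || return 1
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { found = 1; if ($4 != "" && $4 != u) shared = 1 }
        END { exit (found && !shared) ? 0 : 1 }' "${3:-/etc/group}"
}

# audit_tree DIR [GROUPFILE]: print "path owner:group" for every group-writable
# entry whose group is not a user private group on this system.
audit_tree() {
    dir=$1; gfile=${2:-/etc/group}
    group_writable "$dir" | while IFS= read -r path; do
        og=$(ls -ld -- "$path" | awk '{print $3 ":" $4}')
        owner=${og%%:*}; group=${og#*:}
        is_upg "$group" "$owner" "$gfile" || printf '%s %s:%s\n' "$path" "$owner" "$group"
    done
}

# Stand-alone use: sh audit.sh DIR [GROUPFILE]
if [ "$#" -gt 0 ]; then audit_tree "$@"; fi
```

Paths it prints are candidates for "chmod g-w" or for a copy made without "-p".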

