
Bug#581729: [SQUEEZE] Document the umask change for new installs

Package: release-notes
Severity: wishlist
Tags: squeeze
X-Debbugs-CC: debian-devel@lists.debian.org

On Sat,15.May.10, 08:41:29, Christian PERRIER wrote:
> More generally speaking, this umask change probably deserves to be
> mentioned in the Release Notes....along with a good rationale about
> why, no, this isn't Debian giving up to years of being security-wise.

Suggested text:

The default 'umask' for new installs is changed

Starting with base-files version 5.4, the default umask for new installs
is 0002 instead of 0022 for regular users (system users, like the ones
used for various daemons and services, are not affected).

The new umask is more useful on systems where normal users are by
default members of their own private group, which no other user belongs to.
Such a scheme is known as 'User Private Groups' (UPG) and has been the
default in Debian for several releases.

This change can, however, create security and/or privacy issues if the
system administrator is not aware of it and adds users to the private
group of another user. Also, in order to prevent security issues, some
software will detect this and refuse to operate when there are other
members in the user's private group and relevant files have permissions
as created with a umask of 0002.

Comments welcome.
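
The condition the suggested text warns about can be audited directly. The script below is an added example, not part of the original message or of any Debian package; it assumes regular users have UIDs 1000-59999 (the Debian adduser defaults) and that a private group is a primary group named after its user. The function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list User Private Groups (UPGs) that have members besides
# their owner. With umask 0002 those members can write the owner's new files.
# Assumptions: regular users have UIDs 1000-59999 (Debian adduser defaults),
# and a UPG is a primary group named after its user.

upg_extra_members() {   # $1 = passwd-format file, $2 = group-format file
    awk -F: '
        NR == FNR {                              # pass 1: passwd entries
            if ($3 >= 1000 && $3 <= 59999) upg_gid[$1] = $4
            by_gid[$4] = by_gid[$4] " " $1       # users per primary GID
            next
        }
        ($1 in upg_gid) && upg_gid[$1] == $3 {   # pass 2: group is a UPG
            extra = ""
            n = split($4, m, ",")                # supplementary members
            for (i = 1; i <= n; i++)
                if (m[i] != "" && m[i] != $1) extra = extra " " m[i]
            n = split(by_gid[$3], p, " ")        # users sharing the GID
            for (i = 1; i <= n; i++)
                if (p[i] != $1) extra = extra " " p[i]
            if (extra != "") print $1 ":" extra
        }
    ' "$1" "$2"
}

upg_demo() {            # runs the check on constructed sample data
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1000::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
daemon:x:1:
alice:x:1000:bob
bob:x:1001:
dave:x:1003:dave
users:x:100:alice,bob
EOF
    upg_extra_members "$d/passwd" "$d/group"
    rm -rf "$d"
}
upg_demo
```

On a live system the function can be pointed at /etc/passwd and /etc/group; accounts that come from other NSS sources such as LDAP are not in those files and would need to be exported with getent first.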
