Package: release-notes Severity: whishlist Tags: squeeze X-Debbugs-CC: debian-devel@lists.debian.org On Sat,15.May.10, 08:41:29, Christian PERRIER wrote: > More generally speaking, this umask change probably deserves to be > mentioned in the Release Notes....along with a good rationale about > why, no, this isn't Debian giving up to years of being security-wise. Suggested text: --- The default 'umask' for new installs is changed =============================================== Starting with base-files version 5.4 the default umask for new installs is 0002 instead of 0022 for regular users (system users, like the ones used for various daemons and services are not affected). The new umask is more useful on systems where normal users are by default members of an own private group, which no other user belongs to. Such a scheme is known as 'User Private Groups' (UPG) and has been the default in Debian for several releases. This change can however create security and/or privacy issues if the system administrator is not aware of it and adds users to the private group of another user. Also, in order to prevent security issues, some software will detect this and refuse to operate when there are other members in the user's private group and relevant files have permissions as created with a umask of 0002. --- Comments welcome. Regards, Andrei -- Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
Attachment:
signature.asc
Description: Digital signature