Bug#1111714: release-notes: Trixie enables pam_umask usergroups, which changes umask from 0022 to 0002

[Richard Lewis <richard.lewis.debian@googlemail.com>]

On Thu, 21 Aug 2025 at 12:27, Daniel Lewart <lewart3@gmail.com> wrote:

> Trixie enables pam_umask usergroups by default, which changes the typical
> umask from 0022 to 0002.

> This was quite a surprise to me and is not documented in the Release Notes.

Perhaps someone could suggest some text -- i suggest answering the following:

* what is the new default umask in trixie
 -- if this is different for new/upgraded systems say what these are
 -- if there are differences for login via console/ssh say what they are
* what was the default in bookworm
* what are the main consequences
* what file(s) should be edited to change the default
* link to some generic explanation of terms like umask, usergroups,
permissions (the wiki has some of this)


none of this seems to be documented anywhere in simple terms, as far
as i can find

als /etc/skel/.profile wrongly claims a default of 022 is set in
/etc/profile -- nothing is in /etc/profile or /etc/login.defs any more

neither umask(2) not pam_umask(8) say what the default is, and
https://www.debian.org/doc/debian-policy/search.html?q=umask has
nothing to say

https://wiki.debian.org/Debate/umask suggests it is complicated, but
doesnt give a clear explanation

/usr/share/doc/libpam-modules/NEWS.Debian.gz has something about
usergroups but it's not very informative