Bug#1111714: release-notes: Trixie enables pam_umask usergroups, which changes umask from 0022 to 0002

To: Richard Lewis <richard.lewis.debian@googlemail.com>, 1111714@bugs.debian.org
Cc: Daniel Lewart <lewart3@gmail.com>, pfoo@unscdf.org
Subject: Bug#1111714: release-notes: Trixie enables pam_umask usergroups, which changes umask from 0022 to 0002
From: Chris Hofstaedtler <zeha@debian.org>
Date: Sun, 4 Jan 2026 15:12:34 +0100
Message-id: <[🔎] aVp1UojrzTQT1V3h@per.namespace.at>
Reply-to: Chris Hofstaedtler <zeha@debian.org>, 1111714@bugs.debian.org
In-reply-to: <[🔎] CAJ3BuoQpSjZ+NT=mTNgEgUvcho5C0Zq3RLDSpmMHa=chf2gHcQ@mail.gmail.com>
References: <175577550037.691177.6604245037333302107.reportbug@coffee.vetmed.illinois.edu> <175577550037.691177.6604245037333302107.reportbug@coffee.vetmed.illinois.edu> <[🔎] CAJ3BuoQpSjZ+NT=mTNgEgUvcho5C0Zq3RLDSpmMHa=chf2gHcQ@mail.gmail.com> <175577550037.691177.6604245037333302107.reportbug@coffee.vetmed.illinois.edu>

On Fri, Jan 02, 2026 at 06:22:30PM +0000, Richard Lewis wrote:
> /usr/share/doc/libpam-modules/NEWS.Debian.gz has something about
> usergroups but it's not very informative

That file however answers a lot of the following questions. Let me 
copy it here:

|    Starting with PAM version 1.5.3, Debian supports usergroups for default
|    umask of users logging in.  If the primary group name of a user
|    matches their primary user name (user pat's default group is also
|    called pat), then files will be group writable by default. To disable
|    this use a group name that differs from the user name or add
|    nousergroups to the pam_umask line in
|    /etc/pam.d/common-session and
|    /etc/pam.d/common-session-noninteractive:
|
|    session optional            pam_umask.so nousergroups
|
|
| -- Sam Hartman <hartmans@debian.org>  Mon, 08 Apr 2024 16:15:58 -0600

> * what is the new default umask in trixie
>  -- if this is different for new/upgraded systems say what these are
>  -- if there are differences for login via console/ssh say what they are

This is not answered directly, but the advice for disabling is to 
edit both common-session and common-session-noninteractive, so one 
can reasonable assume it applies to all PAM sessions. If you have a 
session that is not managed by PAM, you are on your own anyway.

For the actual default, per the explanation it depends on your 
primary group name.

> * what was the default in bookworm

Unclear. The default in bookworm depended on different things, IIRC.

> * what are the main consequences

See above:

|                                If the primary group name of a user
|    matches their primary user name (user pat's default group is also
|    called pat), then files will be group writable by default.

> * what file(s) should be edited to change the default

See above:

|                                                               To disable
|    this use a group name that differs from the user name or add
|    nousergroups to the pam_umask line in
|    /etc/pam.d/common-session and
|    /etc/pam.d/common-session-noninteractive:
|
|    session optional            pam_umask.so nousergroups

C.

Reply to:

References:
- Bug#1111714: release-notes: Trixie enables pam_umask usergroups, which changes umask from 0022 to 0002
  - From: Richard Lewis <richard.lewis.debian@googlemail.com>

Prev by Date: Bug#1111714: release-notes: Trixie enables pam_umask usergroups, which changes umask from 0022 to 0002
Next by Date: Bug#1124838: release-notes: 5.1.2. Reduced support for i386: provides incorrect information
Previous by thread: Bug#1111714: release-notes: Trixie enables pam_umask usergroups, which changes umask from 0022 to 0002
Next by thread: Bug#1124838: release-notes: 5.1.2. Reduced support for i386: provides incorrect information
Index(es):
- Date
- Thread