
Re: [Pkg-shadow-devel] Bug#711104: login: su - doesn't set umask



[Andreas Henriksson]
> (Please note, I've only looked quickly but it seems like
> USERGROUPS_ENAB option is only used by useradd/userdel and not any
> other tool like su or login implementations in src:shadow. Given we
> tend to use adduser rather than the lower level useradd/userdel tools
> in debian, I'm not sure how relevant it is at all to mix up pam_umask
> usergroups with USERGROUPS_ENAB.)

I do not understand how USERGROUPS_ENAB would be relevant for su or
login.  Care to explain?  The way I understand it, it would only be
relevant for the mechanism creating home directories and users, and the
mechanism setting umask during login (aka PAM).

> Given a decade has passed without this being handled in Debian
> (despite our PAM usage for as long) and we're now moving away from
> src:shadow implementations, I don't think it makes sense to patch
> things to read USERGROUPS_ENAB option which isn't supported anywhere
> in eg. util-linux implementations which also reads
> /etc/login.defs. I'd suggest we instead deprecate the USERGROUPS_ENAB
> option in /etc/login.defs.

I did not quite understand this rationale.  The fact that the default
Debian setup has been less than useful for a decade is no reason not to
fix it now. :)

> JFTR, If common-session gets this setting then su would also given it
> includes common-session.

Good point.

> Setting the pam bug as a blocker for now, but likely this bug report
> should just be reassigned, (force)merged and set as affects util-linux,
> et al.

To me it seems more sensible to submit the patch to 
<URL: https://github.com/linux-pam/linux-pam/ > and try to get it into
upstream as soon as possible.

> Question remains though how we get some movement on the pam side, should
> we just NMU it? Do most people agree we should just use 'usergroups'
> rather than go the ubuntu way of USERGROUPS_ENAB setting?

A useful use case to consider is a site with an LDAP directory with
thousands of users, and home directories on a central server, using some
configuration management system to control a large set of computers.  In
such a setting, I suspect it will be easier to change the USERGROUPS_ENAB
setting in /etc/login.defs than to modify the content of
/usr/share/pam-configs/ by providing a replacement debian package to
override the default pam.d configuration.  This makes me suspect the
current ubuntu way is better than the 'usergroups' approach.  I suggest
to ask Steve about his view on this, as he knows PAM a lot better than
me.

Cc to Steve and Martin, hoping they can provide useful input.

-- 
Happy hacking
Petter Reinholdtsen
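
An added example, not part of the original message and not code from shadow or Linux-PAM: a small audit helper that reports which of the two mechanisms discussed above would switch on pam_umask's usergroups behaviour, and the umask a session would get. It assumes a pam_umask that honours USERGROUPS_ENAB from login.defs (the "ubuntu way" mentioned in the thread), a fallback of 022 when no UMASK is set, and ignores GECOS umask entries; the sample file contents are constructed.

```python
import re

# type, control (plain word or [bracketed]), module path, arguments
PAM_LINE = re.compile(r"^-?session\s+(?:\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample file contents
DEFS = "UMASK 022\nUSERGROUPS_ENAB yes\n"
PAM_PLAIN = "session optional pam_umask.so\n"
PAM_ARG = "session optional pam_umask.so usergroups umask=077\n"

def login_defs(text):
    """Parse 'KEY value' lines from login.defs content, skipping comments."""
    pairs = (l.split("#", 1)[0].split(None, 1) for l in text.splitlines())
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}

def pam_umask_args(text):
    """Arguments of the first session pam_umask line, or None if absent."""
    for line in text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m and m.group(1).rsplit("/", 1)[-1] == "pam_umask.so":
            return m.group(2).split()
    return None

def usergroups_source(defs_text, pam_text):
    """Which mechanism turns usergroups on: 'pam-argument', 'login.defs', None."""
    args = pam_umask_args(pam_text)
    if args is None:
        return None  # pam_umask not in the stack: neither approach applies
    if "usergroups" in args:
        return "pam-argument"
    # Assumption: pam_umask patched to honour USERGROUPS_ENAB in login.defs
    if login_defs(defs_text).get("USERGROUPS_ENAB", "").lower() == "yes":
        return "login.defs"
    return None

def session_umask(defs_text, pam_text, user, group, uid):
    """Umask pam_umask would set, or None if it is not in the stack."""
    args = pam_umask_args(pam_text)
    if args is None:
        return None
    explicit = [a.split("=", 1)[1] for a in args if a.startswith("umask=")]
    defs = login_defs(defs_text)
    base = int(explicit[0] if explicit else defs.get("UMASK", "022"), 8)
    # pam_umask(8): non-root user whose name equals the primary group name
    # gets the group bits copied from the owner bits (022 -> 002, 077 -> 007).
    if usergroups_source(defs_text, pam_text) and uid != 0 and user == group:
        base = (base & ~0o070) | ((base >> 3) & 0o070)
    return base
```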

