
Re: [Pkg-shadow-devel] Bug#711104: login: su - doesn't set umask



Control: block -1 by 583958

Hello Petter Reinholdtsen,

Thanks for your input on this.

On Mon, Aug 13, 2018 at 07:57:06PM +0200, Petter Reinholdtsen wrote:
[...]
>         optional                        pam_umask.so umask=002
> 
> Perhaps the default setup should have a similar line?  I see from the
> pam_umask manual page a new 'usergroups' option is now available.
[...]

I got inspired and looked around and found these interesting things
related to pam_umask and usergroups:

https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583958

Apparently Ubuntu patches things in pam to basically use "pam_umask.so
usergroups" except they deprecate usergroups in favour of reading the
pre-pam (src:shadow only?) USERGROUPS_ENAB option in /etc/login.defs
(which ships as set to yes).
The Ubuntu bits have of course also never made it into Debian.

(Please note, I've only looked quickly but it seems like USERGROUPS_ENAB
option is only used by useradd/userdel and not any other tool like su or
login implementations in src:shadow. Given we tend to use adduser rather
than the lower level useradd/userdel tools in Debian, I'm not sure how
relevant it is at all to mix up pam_umask usergroups with
USERGROUPS_ENAB.)

Given a decade has passed without this being handled in Debian (despite
our PAM usage for as long) and we're now moving away from src:shadow
implementations, I don't think it makes sense to patch things to read
USERGROUPS_ENAB option which isn't supported anywhere in e.g. util-linux
implementations which also read /etc/login.defs. I'd suggest we instead
deprecate the USERGROUPS_ENAB option in /etc/login.defs.

JFTR, if common-session gets this setting then su would also, given it
includes common-session.

Setting the pam bug as a blocker for now, but likely this bug report
should just be reassigned, (force)merged and set as affects util-linux,
et al.

Question remains though how we get some movement on the pam side, should
we just NMU it? Do most people agree we should just use 'usergroups'
rather than go the Ubuntu way of USERGROUPS_ENAB setting?

Regards,
Andreas Henriksson
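
Added example, not part of the original message and not code from pam or shadow: a simplified Python model of the two behaviours discussed above, the plain "pam_umask.so usergroups" option versus letting USERGROUPS_ENAB in /etc/login.defs decide. The function names, the sample inputs and the 022 fallback are assumptions; the GECOS umask source and bracketed PAM controls are not modelled.

```python
def parse_pam_umask(pam_text):
    """Options of the first active pam_umask.so line, or None if absent."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for i, tok in enumerate(fields):
            if tok.endswith("pam_umask.so"):
                args = (a.partition("=") for a in fields[i + 1:])
                return {key: (val or True) for key, _, val in args}
    return None


def parse_login_defs(text):
    """KEY VALUE pairs from login.defs-style text, comments ignored."""
    pairs = (ln.split("#", 1)[0].split(None, 1) for ln in text.splitlines())
    return {p[0]: p[1].strip() for p in pairs if len(p) == 2}


def effective_umask(pam_text, defs_text, user, group, uid, read_login_defs=False):
    """Umask a session would get, or None when pam_umask is not configured.

    read_login_defs=False: only the 'usergroups' module option counts.
    read_login_defs=True: USERGROUPS_ENAB decides (the patched behaviour
    described in the message).
    """
    opts = parse_pam_umask(pam_text)
    if opts is None:
        return None
    defs = parse_login_defs(defs_text)
    base = opts.get("umask")
    if not isinstance(base, str):
        base = defs.get("UMASK", "022")  # assumed fallback for this sketch
    mask = int(base, 8) & 0o777
    usergroups = "usergroups" in opts
    if read_login_defs:
        usergroups = defs.get("USERGROUPS_ENAB", "no").lower() == "yes"
    # pam_umask(8) usergroups rule: for a non-root user whose name equals the
    # primary group name, group bits become the owner bits (022 -> 002).
    if usergroups and uid != 0 and user == group:
        mask = (mask & ~0o070) | ((mask >> 3) & 0o070)
    return mask


# Constructed sample inputs, not taken from any real system.
PAM_USERGROUPS = "session optional pam_umask.so usergroups\n"
PAM_BARE = "session optional pam_umask.so\n"
LOGIN_DEFS = "UMASK 022\nUSERGROUPS_ENAB yes  # shipped default per the message\n"
```

With the same login.defs, a bare pam_umask.so line yields 022 under the option-only model and 002 under the USERGROUPS_ENAB model for a user whose primary group shares the user's name.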

