[Pkg-shadow-devel] Re: summary preparation for technical committee: setting the umask

C. Gatzemeier c.gatzemeier at tu-bs.de
Tue Oct 4 10:59:40 UTC 2005


Hi,

your responses suggested there is now actually pretty much consensus?
Santiago Vila?

Please comment on the fixing and (general login-config-files) documenting 
proposals:


If nobody opposes anymore I could go ahead and file broken down bug reports for
- central setting of the default umask and
- re-enabling UPG compliant umask(s) by default
  (done with USERGROUPS_ENAB yes pre PAM)

base-files:
- comment the umask line in /etc/profiles and point to pam-umask's config for 
central configuration.

login:
- comment the umask line
- comment USERGROUPS_ENAB line #282822(patch)
- make default umask setting UPG compliant (002) since we can't rely on 
USERGROUPS_ENAB anymore.

libpam-umask:
- add to base system
- configure for umask 002
- (wishlist) provide an option like login(1)'s USERGROUPS_ENAB for UPG 
compliance.


How to go about libpam-umask to be installed by default?

Regards,
Christian

PS:
I tried to gather the info about the various login-config-files.

Please have a look, and maybe you know an appropriate place where this kind of 
info should be maintained:

---
login-config-files:

Environments of entries through login(1) "login(1) shells" are configured by
/etc/login.defs and the user's GECOS entries. Examples:
	- console logins (if not overridden by the shell)
	- things like /usr/sbin/pppd as user's shell
	- (sshd logins only when UseLogin enabled)

Note: When login(1) is compiled with PAM (pluggable authentication modules) 
support it leaves several settings for PAM instead of taking those 
from /etc/login.defs.


Entries not through login(1) "non-login(1) shells" are configured by
shells' config files, an internal default or undefined.
	- shells entered with ssh (unless sshd has UseLogin enabled)
	- shells started from startup scripts
	- cron/at runs
	- ...?
	
Note: non-login(1) shells, especially ssh logins may consider PAM settings.
(Does PAM cover all shells, cron/at etc.?)



Config files from popular shells that may override login(1) or PAM settings:

All bourne shell compatible instances are overridden with
/etc/profile:
	- bourne shell
	- bash (default linux shell)
	- "su -" user id substitutions
	- also gdm/kdm may (wrongly?) do this (more details?)



Bash instances (default linux shell) are then overridden with
/etc/bash.bashrc and the user specific files:
	login shells with:	~/.bash_profile (sources ~/.bashrc by default)
	non-login shells only:	~/.bashrc



X has xsession files.

KDM or KDE? has some /env dir.

GDM and Gnome have?



Questions:

A return statement disables most of /etc/bash.bashrc and ~/.bashrc for 
non-interactive shells, the comments in the headers state that the entire file 
is only for interactive shells. Is this correct or should it say that the 
part below the return statement is only for interactive shells?


"su" doesn't consider /etc/login.defs' UMASK if compiled with PAM, but does 
change other environment variables like $HOME. (Which ones exactly? Does it 
use the same code as login(1)?)
"su -" additionally reads /etc/profile, and anything else?


Should any display manager or desktop environment source foreign shell files 
like /etc/profile at all?
Some seem to do it at least because incorrect umask settings occurred in the 
past.
Part of the reason may be because (Debian's) PAM setup does not include 
pam_umask.
Is this solved with PAM *and* pam_umask installed/configured? Should they 
continue to parse /etc/profile?
When DMs were using login(1) (using login.defs) did they have umask issues or 
another need to parse /etc/profile et al.?
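
Added example, not part of the original message and not code from the shadow or PAM packages: a small audit that lists every place named above where a default umask is actively set, so that competing settings (login.defs vs. /etc/profile vs. pam_umask) show up side by side. The function names and the sample tree are constructed for illustration, and treating "group write not masked" as UPG compliant is an assumption generalising the 002 value from the message.

```shell
#!/bin/sh
# Added example: report every active default-umask setting under ROOT.

# Print "file<TAB>value" for each uncommented umask setting found.
find_umask_settings() {
    root=${1:-}
    # login(1): "UMASK 022" in /etc/login.defs
    if [ -r "$root/etc/login.defs" ]; then
        awk '$1 == "UMASK" { print "etc/login.defs\t" $2 }' "$root/etc/login.defs"
    fi
    # Bourne-compatible shells: "umask 022" in the system-wide startup files
    for rel in etc/profile etc/bash.bashrc; do
        if [ -r "$root/$rel" ]; then
            awk -v s="$rel" '$1 == "umask" && $2 ~ /^[0-7]+$/ { print s "\t" $2 }' "$root/$rel"
        fi
    done
    # PAM: any service file that loads pam_umask.so, with its umask= argument
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        awk -v s="etc/pam.d/${f##*/}" '$1 !~ /^#/ && /pam_umask\.so/ {
            v = "unset"
            for (i = 1; i <= NF; i++) if ($i ~ /^umask=/) v = substr($i, 7)
            print s "\t" v }' "$f"
    done
}

# Assumption: a mask counts as UPG compliant when it leaves group write
# permission on (002 does, 022 does not). Non-octal input is rejected.
umask_is_upg() {
    case $1 in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 020 )) -eq 0 ]
}

# Constructed sample tree (not taken from a real system).
make_sample_tree() {
    mkdir -p "$1/etc/pam.d"
    printf '%s\n' '# comment' 'UMASK 022' 'USERGROUPS_ENAB yes' > "$1/etc/login.defs"
    printf '%s\n' 'PATH=/usr/bin:/bin' 'umask 022' > "$1/etc/profile"
    printf '%s\n' '# umask 077' > "$1/etc/bash.bashrc"
    printf '%s\n' 'session optional pam_umask.so umask=002' > "$1/etc/pam.d/common-session"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
find_umask_settings "$demo" | while read -r src val; do
    if umask_is_upg "$val"; then note="UPG-compatible"; else note="masks group write"; fi
    printf '%-28s %-6s %s\n' "$src" "$val" "$note"
done
rm -rf "$demo"
```

Calling `find_umask_settings` with no argument scans the running system's /etc; more than one line of output means the default umask is not centrally configured.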




