[Pkg-shadow-devel] Bug#583971: login.defs: UMASK 022 (and have pam_umask relax it to 002 for private usergroups)

C. Gatzemeier c.gatzemeier at tu-bs.de
Mon May 31 21:27:51 UTC 2010 

Package: login

(Filing this, to track the TODOs from the discussion that followed
http://lists.debian.org/debian-devel/2010/05/msg00887.html)


login.defs should contain UMASK 022 while pam_umask conditionally
relaxes it to 002 for private usergroups. (Like it used to
be before PAM was introduced, without pam_umask support at that
time.)

A UPG usage text: https://wiki.ubuntu.com/MultiUserManagement

Here is a draft for the login.defs comments:

--8<----- cut here ----------
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# UMASK Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
#
# On PAM-enabled systems the UMASK setting in this file is used as a
# global default by pam_umask. (See man pam_umask for global and per
# user overrides.) Setting the umask in any shell rc files
# (i.e. /etc/profile and others) instead of with pam_umask is
# depreciated because they don't catch all classes of user entry
# to the system.
#
# On non-PAM (login) systems setting the umask in shell rc files, in
# addition to the UMASK setting here, can catch some more classes of
# user entries to system. (Logins through su, cron, ssh etc.)
# At the same time, using shell rc files to set umask won't catch cases
# which use non-shell executables in place of a login shell,
# like /usr/sbin/pppd for the "ppp" user and alike.
#
# UMASK 022 is the default value in Debian,
# 027 or even 077 could be considered better for privacy, if
# user private groups (UPGs) have been disabled (see /etc/adduser.conf
# and option USERGROUPS_ENAB below), the home directories have all been
# created with restriced permissions (adduser.conf) and the users in the
# system are not to trust each other to read each other's files
# they created in accessible directories.
# There is no One True Answer here: Each sysadmin must make up his/her
# mind.
#
# Note that with login's USERGROUPS_ENAB feature, or
# with the "usergroups" feature of pam_umask (debian default),
# if a user has been created with a user private group (UPG) that user's
# group permission umask value is adjusted to match the user permission
# value (i.e. 022->002). This enables flawless collaboration for UPG
# users in group directories, without risking a too permissive system
# wide default.
UMASK 022

--8<---------------

More information about the Pkg-shadow-devel mailing list