Hello, I'm interested in seeing this issue fixed, or atleast the sane-defaults part of it.
(I also happen to have a general view that defaults should be built-in defaults, not overridden-builtin-defaults-by-shipping-a-conffile-defaults.) Fixing the core issue here seems to have gotten stuck on where the configuration should live. I'd rather see no configuration by default and just have a sane built-in default. Upstream seems to have agreed that supporting setting the default at compile-time is a good idea, so support for a --enable-usergroups configure flag has been added upstream in commit 41e2c34bd01932fe55a32b3aa94ab https://github.com/linux-pam/linux-pam/commit/41e2c34bd01932fe55a32b3aa94aba5c0f9d2343 Hopefully noone sees a problem with cherry-picking this commit and using the --enable-usergroups configure flag in the debian packaging, which would let Debian users finally have a working out-of-the-box experience with pam_umask. The discussion about where the configuration should live for those who want to override the default can continue separately without blocking having a sane default setting. I suspect very few people are actually interested in overriding this setting (and any previous interest is basically from those who wanted to fix the buggy default as shipped in Debian). (See also supplementary commits: https://github.com/linux-pam/linux-pam/commit/b92d8459e788233223e328ab0e79980e3cd44d97 https://github.com/linux-pam/linux-pam/commit/fe93034d2a9b2f1f7a677e8d49a6da2e9dce9cb1 These was requested by upstream and Debian maintainers might decide to also take these to allow disabling usergroups once enabled by default, or to carry the previously discussed login.defs patch which would also allow disabling usergroups. ) Please let me know if the above is satisfactory and if you'd like me to send a merge-request for an updated packaging! If you happen to see any other outstanding issues you think are blockers for this please also let me know about those! Regards, Andreas Henriksson
