Package: login
Version: 1:4.1.4.2-1

First, a discussion about this bug on the debian-devel mailing list [1]. This affects unstable, testing and stable.

To summarize: Debian uses user private groups (UPG) by default. This places each user on the system in their own default, private group, that no one else is, or should be, a member of. However, the default umask value for Debian is '0022'. The old umask value comes from historical UNIX, where every user on the system was placed in a "users" group. Thus, the write bit needed to be removed from the group, to keep others from modifying personal files.

The discussion on the mailing list seems to be largely in favor of making the change. Some favorable points brought up were:

* umask '0002' is default on most UNIX systems that use UPG
* Group collaboration means setting the SGID bit on directories, for the appropriate group to be set on new files/dirs, but the write bit is always missing in the group mode. Setting the default umask to '0002' would fix this.
* According to [2], setting the umask to '0002' is recommended.
* Previous discussion here [3] and here [4].
* UPG without umask '0002' is pointless. We might as well be using the 'users' group.
* Our default setup of UPG with 'umask 0022' doesn't make sense. It's broken.

Those who seemed to not favor the change (correct me if I'm wrong), brought up the following points:

* FACLs can fix any filesystem permission problem. For group collaboration, FACLs should be, and usually are, used.
* 'umask 0002' and 'umask 0022' is not secure enough. The default umask should be '0077' instead, increasing security of the system.
* PAM should be configured to make these changes rather than changing the umask value.

For points of comparison, the following UNIX-like operating systems implement UPG and 'umask 0002':

* Red Hat Enterprise Linux [5]
* Fedora
* CentOS
* Oracle Enterprise Linux

The following systems still use the older historical "users" group with 'umask 0022':

* openSUSE
* SUSE Enterprise Desktop
* SUSE Enterprise Server
* Slackware
* HP-UX
* Solaris

The following systems use UPG with 'umask 0022':

* FreeBSD
* OpenBSD
* NetBSD
* Ubuntu
* Arch

Other implementations:

* Mac OS X (places the user in the 'staff' group, and the root user in the 'admin' group. default umask is 0022)
* Open Solaris (places the user in the 'staff' group, and the root user in the 'root' group. default umask is 0022)

[1] http://lists.debian.org/debian-devel/2010/05/msg00252.html
[2] http://preview.tinyurl.com/3anklq9
[3] http://lists.debian.org/debian-user/1994/03/msg00105.html
[4] http://lists.debian.org/debian-user/1994/03/threads.html
[5] http://preview.tinyurl.com/2dambk2

Additional references:

* http://preview.tinyurl.com/3xzs2fe
* http://preview.tinyurl.com/55amty

-- 
. O . O . O . . O O . . . O . . . O . O O O . O . O O . . O O O O . O . . O O O O . O O O
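
Added example, not part of the original report or of the login package: a check that each account's primary group really is private, which is the condition the report relies on for 'umask 0002' to be safe. The passwd and group contents are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data in /etc/passwd and /etc/group format (not from a real host).
SAMPLE_PASSWD = """\
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
dave:x:1003:100:Dave:/home/dave:/bin/bash
"""
SAMPLE_GROUP = """\
users:x:100:
alice:x:1000:
bob:x:1001:alice
project:x:2000:alice,bob
"""

def rows(text):
    """Split passwd/group-format text into field lists, skipping blanks and comments."""
    return [l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#")]

def non_private_primary_groups(passwd_text, group_text):
    """Map each user whose primary group is shared to the other accounts in that group."""
    primary = {f[0]: int(f[3]) for f in rows(passwd_text)}      # user -> primary GID
    listed = {int(f[2]): {m for m in f[3].split(",") if m}      # GID -> members named
              for f in rows(group_text)}                        # in the group file
    by_gid = defaultdict(set)                                   # GID -> users with it as primary
    for user, gid in primary.items():
        by_gid[gid].add(user)
    findings = {}
    for user, gid in primary.items():
        others = (by_gid[gid] | listed.get(gid, set())) - {user}
        if others:
            findings[user] = sorted(others)
    return findings

def default_file_mode(umask):
    """Mode a new regular file gets when the creating program asks for 0666."""
    return 0o666 & ~umask

if __name__ == "__main__":
    print("umask 0022 ->", oct(default_file_mode(0o022)),
          " umask 0002 ->", oct(default_file_mode(0o002)))
    for user, others in non_private_primary_groups(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{user}: under umask 0002, files in the primary group are writable by {', '.join(others)}")
```

On a real host, pass the contents of /etc/passwd and /etc/group (or the output of 'getent passwd' and 'getent group') instead of the samples.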