Hello all,

C. Gatzemeier [2010-05-31 22:57 +0200]:
> Enabling "pam_umask usergroups" (now that pam_umask is available) will
> re-enable Debian's user private group setup to work correctly.
>
> There is a
> patch to https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096 that
> adds comments and calls "pam_umask usergroups"
> from /etc/pam.d/common-session{,-noninteractive}
> http://launchpadlibrarian.net/42107572/pam_umask-for-common-sessions.patch
>
>
> But it might be preferable to patch pam_umask to read the
> USERGROUPS_ENAB option from /etc/login.defs.
> So that pam_umask's "usergroups" feature is configurable more straight
> forward. (pam_umask already reads the UMASK value from login.defs)

Steve Langasek and I just discussed that, and agreed that this makes sense; but we should document the explicit "usergroups" option as deprecated, and use the USERGROUPS_ENAB option as the definitive place to enable/disable this.

From http://bugs.debian.org/583971 for the login.defs counterpart:

> login.defs should contain UMASK 022 while pam_umask conditionally
> relaxes it to 002 for private usergroups. (Like it used to
> be before PAM was introduced, without pam_umask support at that
> time.)

An alternative would be to comment out the UMASK setting by default, and only then have pam_umask default to an implicit "022, with USERGROUPS_ENAB relaxing to 002". As soon as login.defs, /etc/default/login, or any of the other places that pam_umask looks for (GECOS, etc.) would define a umask setting, it would use that, and only that.

The advantage is that this behaves more predictably (if I configure a umask, I get it), but it comes at the expense of not making UPG magically work if you set UMASK=077 (which is also a common default).

For now I'm leaning towards the original proposal here, which also seems to be consistent with the pre-PAM age.

I'll work on a patch for this and send it here.

Thanks,

Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
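
An added example, not part of the original message and not pam_umask's own code: a small Python model of the two policies compared above (the "original" proposal and the "alternative" with UMASK commented out), showing the resulting umask for each. The function names and sample login.defs texts are constructed; the model reads only login.defs (not GECOS or /etc/default/login), treats a missing USERGROUPS_ENAB as "no", and relaxes the mask the way pam_umask's documented "usergroups" option does (group bits copied from owner bits for a non-root user whose primary group has the same name).

```python
def parse_login_defs(text):
    """Return the active (uncommented) KEY VALUE settings of a login.defs text."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings

def relax_for_private_group(mask, user, group, uid):
    """Copy owner bits into group bits (022 -> 002, 077 -> 007) for a
    non-root user whose primary group carries the same name."""
    if uid != 0 and user == group:
        return (mask & ~0o070) | ((mask >> 3) & 0o070)
    return mask

def effective_umask(login_defs, user, group, uid, policy):
    """policy 'original': the configured UMASK is relaxed when
    USERGROUPS_ENAB is yes.
    policy 'alternative': a configured UMASK is used as-is; only the
    implicit 022 default (UMASK commented out) is relaxed."""
    cfg = parse_login_defs(login_defs)
    usergroups = cfg.get("USERGROUPS_ENAB", "no").lower() == "yes"  # assumption: absent means no
    explicit = "UMASK" in cfg
    mask = int(cfg["UMASK"], 8) if explicit else 0o022
    if usergroups and (policy == "original" or not explicit):
        mask = relax_for_private_group(mask, user, group, uid)
    return mask

# Constructed login.defs samples (not taken from any real system).
SAMPLES = {
    "UMASK 022": "UMASK 022\nUSERGROUPS_ENAB yes\n",
    "UMASK 077": "UMASK 077\nUSERGROUPS_ENAB yes\n",
    "UMASK commented out": "#UMASK 022\nUSERGROUPS_ENAB yes\n",
}

if __name__ == "__main__":
    # "alice" with primary group "alice" is a constructed private-group user.
    for label, text in SAMPLES.items():
        for policy in ("original", "alternative"):
            m = effective_umask(text, "alice", "alice", 1000, policy)
            print(f"{label:20} {policy:12} -> {m:03o}")
```

The UMASK 077 row is where the two policies differ in a way that matters for file exposure: the original proposal yields 007 (group-writable within the private group), while the alternative keeps 077 and private groups gain nothing.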