Subject: UMASK 002 or 022?
I'd like to know why giving the world (Other) read access is even under consideration. If a user wants a file to have Other readability this should be on the user to set it, but it should not be the default. What is the justification that every user be able to read everyone else's documents? This discussion should be on whether to set a default UMASK of 077 or 027. NOTE: this discussion is moot at the present time anyway because it is impossible to set a UMASK at all on Debian Stretch. None of the usual ways work within gnome on Debian Stretch. Can anyone comment on this fact?
Subject: UMASK 002 or 022?
I'd like to know why giving the world (Other) read access is even under consideration. If a user wants a file to have Other readability this should be on the user to set it, but it should not be the default. What is the justification that every user be able to read every other user's documents? This discussion should be on whether to set a default UMASK of 077 or 027. NOTE: this discussion is made all the more important currently because it seems impossible to set a UMASK at all on Debian Stretch. None of the usual ways work within gnome on Debian Stretch. Can anyone comment on this fact? How does one get gnome to respect the umask value that's set in ~/.profile? Or if not ~/.profile where does one set the default umask value for gnome?
Re: Subject: UMASK 002 or 022?
Setting umask in ~/.profile on Jessie works for me.

On 2017-06-28 01:04, Arto Jantunen wrote:
> It doesn't work since pam_umask isn't run by default. However as far as I know this has been the case for a very long time (the oldest install I can check quickly is squeeze and it has the same issue).
Re: Subject: UMASK 002 or 022?
You didn't notice because you run umask from your shell configuration? In other words, you have a working umask in Stretch? I want a working umask in stretch. Can you tell me how to "run `umask 027` from my shell configuration"? Currently, I have not found a way to get gnome to respect umask setting in Stretch.

On 2017-06-28 00:14, Paul Wise wrote:
> I had "UMASK 027" in /etc/login.defs and I didn't notice that this no longer works because I also run `umask 027` from my shell configuration. If you can track down why this no longer works, please file a bug about it and convince the maintainer to fix it in stretch.
Re: Subject: UMASK 002 or 022?
Paul, you seemed to indicate that you were able to set a different "user default" umask in Stretch that's respected by gnome apps like gedit? How did you do it?

On 2017-06-28 09:21, Paul Wise wrote:
> On Wed, Jun 28, 2017 at 7:25 PM, Ian Jackson wrote:
>> The appropriate default umask is 002 if the user's primary group is named after the user, or 022 otherwise.
> AFAICT, neither of these achieve what the initiator of the thread wants to achieve; no read access by other users to one's files on multi-user systems by default.
Re: Subject: UMASK 002 or 022?
My thinking in advocating for OTHER being 7 (ie, 027 or 077) was that the incidents when someone wants OTHER to have access to their files are fewer than when they do not want OTHER to have access. Do users generally want OTHER to be able to read all their files? Or do they have a particular set of files that they want OTHER to be able to access/read? In this context it makes more sense to me to put the burden on adjusting those specific files that the user wants OTHER to have access to instead of having them that way by default. Having to adjust those specific files also reinforces to the user what they are doing (ie, they are giving the world access to those particular files).

On 2017-06-28 07:25, Ian Jackson wrote:
> Paul Wise writes ("Re: Subject: UMASK 002 or 022?"):
>> On Wed, Jun 28, 2017 at 1:11 AM, gwmfms6 wrote:
>>> This discussion should be on whether to set a default UMASK of 077 or 027.
>> I think the appropriate default umask is 077 due to the possibility of some sites not naming the primary group of each user after the user.
> The appropriate default umask is 002 if the user's primary group is named after the user, or 022 otherwise.
> If only we had some kind of automated information processing equipment which could collect necessary inputs and then make correct decisions.
> Ian.
Re: UMASK 002 or 022?
The wider community doesn't seem that concerned with the fact that all Debian and Ubuntu users are now (with the most recent stable releases) completely unable to change their default umask (and further have a default setting that gives the world read access to all their documents). I think this needs to be viewed as a security issue. Even with the premise that the average Linux user is more computer competent than the average Windows or Mac user, I still don't think it's a fair assumption that all linux users know all about umask and permissions. Due to this, many users may unwittingly create "guest" accounts or friend accounts on their computers unknowingly giving read access to all documents they've created. This is not an uncommon practice in university contexts especially. Same goes if there's any sort of remote access going on through SSH etc. This issue strikes me as something that should be of higher concern to the community. Someone mentioned changing the permissions on one's home folder. That just adds insult to injury that by default everyone's home folder lets the world have read access along with all files being created with read access. It's poor privacy and security policy. The average computer-user assumes that other account holders can't read their "stuff" unless they do something to allow that person to read their stuff. But this is completely untrue on Debian Stretch and Ubuntu 17.04.
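Added example, not part of any message in this thread: what the four umask values argued over above (002, 022, 027, 077) do to newly created files and directories, and a check for entries that Other can already read. The function names and the file.NNN / dir.NNN sample names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (constructed names; not code from the thread or from Debian).

# mode_after_umask BASE UMASK -> resulting octal mode.
# BASE is 666 for new files and 777 for new directories, which is what
# most programs request at creation time; the umask clears bits from it.
mode_after_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# make_samples DIR -> create one file and one directory under each umask.
# The subshell keeps the umask change from leaking into the caller.
make_samples() {
    for m in 002 022 027 077; do
        ( umask "$m" && : > "$1/file.$m" && mkdir "$1/dir.$m" )
    done
}

# other_readable DIR -> list DIR and everything below it whose Other-read
# bit is set. Run against a home directory, a 755 home shows up here too.
other_readable() {
    find "$1" -perm -004 | sort
}

# Demo on a scratch directory (constructed sample data, removed afterwards).
demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    for m in 002 022 027 077; do
        printf 'umask %s: new file %s, new dir %s\n' "$m" \
            "$(mode_after_umask 666 "$m")" "$(mode_after_umask 777 "$m")"
    done
    echo "Readable by Other:"
    other_readable "$d"
    rm -rf "$d"
}
demo
```

Only the entries created under 002 and 022 are listed as readable by Other; 002 and 022 differ from each other only in the group-write bit.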
Re: UMASK 002 or 022?
On 2017-06-30 00:18, darkestkhan wrote:
> Are you saying that default permissions for home dirs in Debian is 755?

It was when I installed Jessie and most recently Stretch.

sc...@sl.id.au wrote:
> Can you point to a real, specific security problem that this has caused?

I already did, in my email. Maybe not a "security problem" that is going to get a CVE, but I don't think people realize users of other accounts can read their files. I doubt this is understood when a separate account is created.

> If windows is different, it looks to be the outlier because macOS behaves the same way as Debian[0]:

I was only referencing Windows and Mac in case there was an assumption that Linux users are knowledgeable enough to change umask/permissions (and to even know about them). I was not (and do not know) what Windows and/or Mac umask/permissions are (or if they have them at all).
Re: UMASK 002 or 022?
On 2017-06-30 09:17, Russell Stuart wrote:
> gwmf...@openmailbox.org is right in saying today's computer users don't have the "sharing is what makes us bigger than the sum of the parts" philosophy. Where he goes wrong is in assuming they share their computers. While there was a time many people shared a single CPU, today many CPU's share a person. Or less obliquely, everyone has their own phone / tablet / laptop, which they don't share with anyone except US border agents. In this environment umask is a quaint hallmark of a bygone time.

Very often I see families sharing a computer in my neighborhood. They each have an account on the computer in the living room (for example). The parents set it up. And I doubt the parent knows that the kids can read everything they have in their account. (i.e., the kids are more computer savvy). I can see that there is resistance to changing this policy despite the fact that no one has told me a convincing reason for keeping it. Ultimately, it wouldn't be as big a deal if it was possible to change the default umask for the gnome-session in Debian Stretch.
Re: UMASK 002 or 022?
On 2017-06-30 12:05, Holger Levsen wrote:
> On Fri, Jun 30, 2017 at 11:56:37AM -0400, gwmf...@openmailbox.org wrote:
>> Ultimately, it wouldn't be as big a deal if it was possible to change the default umask for the gnome-session in Debian Stretch.
> the fact that it's impossible for you, doesn't mean it's impossible for everyone. sorry, but this had to be said, you are repeating this nonsense. if you need help changing this, try debian-u...@lists.debian.org or get paid support. this list is for the development of debian, thanks.

When the average user cannot change the umask, it becomes a higher priority that the default umask reflect everyday usage (which is what this thread is about--the development of debian and discussing why debian still uses a default whose rationale has arguably long passed). The statement you disparage has bearing on the discussion of the default as the discussion is now of more concern considering things like this crop up.

Since you brought the issue up: other debian lists provided no help in finding a workaround. I don't see you volunteering any info on how to work around the problem. So how do I know it's not impossible? I've spoken with another developer elsewhere and he didn't know a fix. But the statement you disparage was not asking for a workaround but was a comment on the larger user base not having a mechanism for effecting this change.

I don't feel your comments were warranted or helpful. The statement you disparage is not "nonsense" for the average debian user. I imagine you are much more skilled with computers than the average user. I don't want my statements to upset or misrepresent and did not intend this. But having input from someone who is not a developer per se can be helpful and informative to discussions like this. It strikes me that the community does not care about this issue, that the "old" way of doing it is the preferred way even though its original rationale has long since passed and is no longer relevant.
And apparently at least some view me as not knowledgeable enough to be discussing this topic with you in this forum considering I do not know how to work around the problem myself (but even if I did that would still not address the larger subject of this thread). So signing off. I'll leave my previous emails for the record in the hope that they are given consideration by the community. I do appreciate having the opportunity to be heard and the feedback received.