Bug#314539: [Pkg-shadow-devel] please remove UMASK from login.defs

Christian Perrier <bubulle@debian.org>, 314539@bugs.debian.org
Mon, 20 Jun 2005 08:03:47 +0200


(Tollef, as libpam-umask pkg maintainer, could you look at #314539?)

Quoting Alexander Gattin (arg@online.com.ua):
> Hi!
> 
> On Sun, Jun 19, 2005 at 10:15:14AM +0200, Christian Perrier wrote:
> > > Yes, but while login.defs can't catch all entries of a
> > > user to system (like through cron/at/ssh etc.) which
> > > shellrc can catch, it _can_ still catch entries of user
> > > with a non-shell (pppd) or with a shell which doesn't set
> > > umask (tcsh in Debian by default, AFAIS).
> > > 
> > > Thus currently UMASK in login.defs _has_ some use.
> > > That's why I think it's not a right time yet to remove
> > > it from there.
> > At this point, guys, your discussion still leads me to the conclusion
> > that having UMASK in the *default* login.defs may induce more
> > confusion than benefits.
> 
> IMHO, it's better to target controllability than
> elimination of confusion.
> 
> The whole point of having UMASK in login.defs nowadays
> is catching the remaining entry points of user into
> system that shellrc can't catch -- i.e. the
> abovementioned logins using non-shell executables or
> shells that don't set umask in their rc scripts.
> 
> Summary: I would better wait _till_ pam_umask finds its
> way into default Debian /etc/pam.d/common-session, 
> and comment UMASK out _after that_.

Hmmm, you nearly manage to convince me. I'm sending this to the BTS, for
the record.

Martin, please give your advice here.

Alex seems to have well proven that UMASK in login.defs is *currently*
the only way to be sure that all possible ways to login to a system
will have the right mask.

So, until pam_umask is part of the default settings on Debian systems
(which may require requesting this), we had probably better stick
with UMASK being actually set in login.defs, with an appropriate comment.

Having umask part of the default system might be the Way To
Go. Tollef, input?
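
Added example, not part of the original message or of the shadow or PAM packages: a small shell check for which of the two mechanisms discussed in this thread is active on a host, an uncommented UMASK in login.defs or a session line loading pam_umask.so. The function names and the coverage labels are hypothetical; file paths are passed as arguments so the check can be run on copies of the configuration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): report which umask mechanism
# from this thread is active. Paths are parameters, nothing is modified.

# Print the active (uncommented) UMASK value from a login.defs-style file.
# Lines such as "#UMASK 022" or "# UMASK 022" are ignored; the last one wins.
login_defs_umask() {
    awk '$1 == "UMASK" && NF >= 2 { v = $2 }
         END { if (v != "") print v }' "$1" 2>/dev/null
}

# Succeed if a PAM file has an active "session ... pam_umask.so" line.
# Handles bracketed controls like [success=1 default=ignore] and full paths.
pam_umask_enabled() {
    awk '$1 ~ /^-?session$/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /(^|\/)pam_umask\.so$/) found = 1
         }
         END { exit (found ? 0 : 1) }' "$1" 2>/dev/null
}

# Summarise coverage as one word: both | pam | login.defs | none
umask_coverage() {
    defs=$1
    pam=$2
    val=$(login_defs_umask "$defs" || true)
    if pam_umask_enabled "$pam"; then
        if [ -n "$val" ]; then echo "both"; else echo "pam"; fi
    else
        if [ -n "$val" ]; then echo "login.defs"; else echo "none"; fi
    fi
}

# Run against real files when two arguments are given, e.g.:
#   sh umask_check.sh /etc/login.defs /etc/pam.d/common-session
if [ "$#" -eq 2 ]; then
    umask_coverage "$1" "$2"
fi
```

A result of "login.defs" or "none" means pam_umask is not yet in the session stack, which is the situation the thread says must change before UMASK is commented out.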