[Pkg-shadow-devel] Re: summary preparation for technical comittee: setting the umask

Christian Perrier bubulle at debian.org
Fri Sep 16 04:39:18 UTC 2005 

(adding the shadow maintainers list to the CC, and therefore keeping a
whole citation, sorry fot this)

Quoting C. Gatzemeier (c.gatzemeier at tu-bs.de):
> 
> An attempt for a summary to resolve the situation follows.
> 
> Regards,
> Christian
> 
> ---
> Summary for technical comittee: setting the umask
> 
> Inconsistent umask settings; user private groups concept requires umask 002 to 
> work.
> Relates to  #248140 #248150 #314539
> 
> 
> Please successively reasign to base-files (and other packages containing umask 
> settings), login and libpam-umask packages to resolve the situation.
> 
> 
> Debian ships defaulting to put newly created users into private primary 
> groups. The so called User Private Group (UPG) concept allows easy access 
> right management for users. In sgid group-directories access rights of files 
> can be set correctly automaticly. It is proven to work fine.
> 
> Even though UPGs are the default in debian, they are not set up to work 
> properly. The umask is currently set at different places and to conflicting 
> values. The result is that the settings to 002 are in most cases not active.
> 
> 
> CURRENT SITUATION
> 
> The settings in /etc/login.defs do reflect the use of UPGs and are adjusted to 
> generate the correct umask:
> 
> # Enable setting of the umask group bits to be the same as owner bits
> # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
> # the same as gid, and username is the same as the primary group name.
> #
> # This also enables userdel to remove user groups if no members exist.
> #
> USERGROUPS_ENAB yes
> 
> However:
> a) This login.def functionality is not active on systems with PAM (now 
> standard in debian). And the pam_umask funktionality is not part of the base 
> system.
> 
> b) The umask gets overwritten in shells that source rc files like /etc/profile 
> which ships with an umask line.
> 
> 
> SUGGESTED SOLUTION
> 
> 1) remove/comment out any umask settings in all shell configuration files 
> shiped with debian (i.e. /etc/profile) and add a comments 
> that /etc/login.defs or better pam_umask ist the right place for global umask 
> setting.
> 
> 2) In /etc/login.defs correctly move all settings that are overridden by PAM 
> below that comment (i.e. USERGROUPS_ENAB) and vice versa[1].  Set the umask 
> to 002 for the case that libpam-umask is not installed, but point the admin 
> to libpam-umask and the right file for the umask setting.
> 
> 3) Add libpam-umask to the base system. And enable the default umask of 002 as 
> described in the README.
> 
> 
> ---
> 
> The articulated reason for closing #248140 has been that if an umask of 002 
> would be active instead of the 022 this could lend to unexpected behaviour. 
> The example given was that when copying with scp to systems without UPGs 
> might unexpectedly expose files to write access.
> 
> However scp should nomaly respect the umask on the target system.
> 
> Only when explicitly using "scp -p" (preserving permissions) that might not be 
> the case. But when copying files between systems with explicity using 
> switches like these, it seems the user has to be aware of possible 
> implications and inconsistencies in user and group IDs anyway. With "scp -p" 
> as a normal user the copy might belong to the destination user and its 
> primary group, done as root numerical UIDs taken from other systems may 
> always belong to different users.
> 
> The possibly of users (accidentially) having scp aliased to "scp -p" may seem 
> a little far fetched to warrant shiping debian with a non-working user 
> private group setup by default.
> 

All this seems to be a good summary of things we actually talked
about, Tollef, Nicolas François and I at Debconf.

The shadow team is still focused on the transition to upstream
versions, so that subject didn't move a lot since then, but we're
probably ready to have it advance. Thanks again for taking care of it.

> 
> [1]
> From #248150
> login.defs(5) wrongly says that login(1) no
> longer uses login.defs.  TTY mode setting is still controlled by login.defs,
> for one thing.
> 
> 

These will probably be dealt with after we sync with shadow 4.0.13
(due very soon).




--

More information about the Pkg-shadow-devel mailing list