[Pkg-shadow-devel] Bug#583971: Bug#583958: enable pam_umask usergroups by default

Martin Pitt mpitt at debian.org
Wed Jun 22 06:28:38 UTC 2011

Hello all,

C. Gatzemeier [2010-05-31 22:57 +0200]:
> Enabling "pam_umask usergroups" (now that pam_umask is available) will
> re-enable debian's user private group setup to work correctly.
> There is a
> patch to https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096 that
> adds comments and calls "pam_umask usergroups"
> from /etc/pam.d/common-session{,-noninteractive}
> http://launchpadlibrarian.net/42107572/pam_umask-for-common-sessions.patch
> But it might be preferable to patch pam_umask to read the
> USERGROUPS_ENAB option from /etc/login.defs.
> So that pam_umasks "usergroups" feature is configurable more straight
> forward. (pam_umask already reads the UMASK value from login.defs)

Steve Langasek and I just discussed that, and agreed that this makes
sense; but we should document the explicit "usergroups" option as
deprecated, and use the USERGROUPS_ENAB option as the definitive place
to enable/disable this.

From http://bugs.debian.org/583971 for the login.defs counterpart:
> login.defs should contain UMASK 022 while pam_umask conditionally
> relaxes it to 002 for private usergroups. (Like it used to
> be before PAM was introduced, without pam_umask support at that
> time.)

An alternative would be to comment out the UMASK setting by default,
and only then have pam_umask default to an implicit "022, with
USERGROUPS_ENAB relaxing to 002". As soon as login.defs,
/etc/default/login, or any of the other places that pam_umask looks
for (GECOS, etc.) would define an umask setting, it would use that,
and only that. The advantage is that this behaves more predictably (if
I configure an umask, I get it), but it comes at the expense of not
making UPG magically work if you set UMASK=077 (which is also a common

For now I'm leaning towards the original proposal here, which also
seems to be consistent with the pre-PAM age.

I'll work on a patch for this and send it here.



Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20110622/2649bcef/attachment.pgp>

More information about the Pkg-shadow-devel mailing list