[Pkg-shadow-devel] Bug#583971: Bug#583958: enable pam_umask usergroups by default

Steve Langasek vorlon at debian.org
Wed Jun 22 06:56:15 UTC 2011

On Wed, Jun 22, 2011 at 08:28:38AM +0200, Martin Pitt wrote:
> An alternative would be to comment out the UMASK setting by default,
> and only then have pam_umask default to an implicit "022, with
> USERGROUPS_ENAB relaxing to 002". As soon as login.defs,
> /etc/default/login, or any of the other places that pam_umask looks
> for (GECOS, etc.) would define an umask setting, it would use that,
> and only that. The advantage is that this behaves more predictably (if
> I configure an umask, I get it), but it comes at the expense of not
> making UPG magically work if you set UMASK=077 (which is also a common
> default).

> For now I'm leaning towards the original proposal here, which also
> seems to be consistent with the pre-PAM age.

Yep, I've just looked over the shadow code that handles USERGROUPS_ENAB; you
(and ceg) are correct that the USERGROUPS_ENAB option should twiddle the
umask rather than overriding it entirely.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
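An added example, not part of the original message and not the shadow or pam_umask source: it contrasts the two behaviours discussed in this thread, USERGROUPS_ENAB overriding the umask with 002 versus adjusting the configured umask by copying the owner bits into the group bits. The helper names and the user-private-group test (non-root, user name equal to primary group name) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical helper. Assumption: an account counts as a user-private-group
 * (UPG) account when it is not root and its user name equals the name of
 * its primary group. */
static int is_upg(uid_t uid, const char *user, const char *group)
{
    return uid != 0 && user && group && strcmp(user, group) == 0;
}

/* "Override": discard the configured umask and force 002 for UPG accounts.
 * With UMASK=077 configured this silently grants read access to "other". */
static mode_t umask_override(mode_t configured, int upg)
{
    return upg ? (mode_t)0002 : configured;
}

/* "Twiddle": keep the configured umask and only copy the owner bits into
 * the group bits, so the bits for "other" stay exactly as configured. */
static mode_t umask_twiddle(mode_t configured, int upg)
{
    if (!upg)
        return configured;
    return (configured & ~(mode_t)0070) | ((configured >> 3) & (mode_t)0070);
}

int main(void)
{
    /* Constructed sample values: common umask settings. */
    static const mode_t samples[] = { 0022, 0027, 0077 };
    int upg = is_upg(1000, "alice", "alice");   /* constructed account */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("configured %04o  override %04o  twiddle %04o\n",
               (unsigned)samples[i],
               (unsigned)umask_override(samples[i], upg),
               (unsigned)umask_twiddle(samples[i], upg));
    return 0;
}
```

With a configured 077, the override form yields 002 and the adjusting form yields 007, so only the latter keeps files closed to users outside the private group.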