Debian Bug report logs - #583958
enable pam_umask usergroups by default

Package: libpam-modules; Maintainer for libpam-modules is Steve Langasek <vorlon@debian.org>; Source for libpam-modules is src:pam.

Reported by: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>

Date: Mon, 31 May 2010 21:03:12 UTC

Severity: normal

Tags: patch, upstream

Merged with 646692

Found in version pam/1.1.3-4

Blocking fix for 583971: login.defs: UMASK 022 (and have pam_umask relax it to 002 for private usergroups)



Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Mon, 31 May 2010 21:03:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>. (Mon, 31 May 2010 21:03:15 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: submit@bugs.debian.org
Subject: enable pam_umask usergroups by default
Date: Mon, 31 May 2010 22:57:31 +0200
Package: libpam-modules

(Filing this, to track the TODOs from the discussion that followed
http://lists.debian.org/debian-devel/2010/05/msg00887.html)


Enabling "pam_umask usergroups" (now that pam_umask is available) will
re-enable Debian's user private group setup to work correctly.

There is a
patch to https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096 that
adds comments and calls "pam_umask usergroups"
from /etc/pam.d/common-session{,-noninteractive}
http://launchpadlibrarian.net/42107572/pam_umask-for-common-sessions.patch


But it might be preferable to patch pam_umask to read the
USERGROUPS_ENAB option from /etc/login.defs.
So that pam_umask's "usergroups" feature is configurable more
straightforwardly. (pam_umask already reads the UMASK value from login.defs)




Added indication that bug 583958 blocks 583967 Request was from "C. Gatzemeier" <c.gatzemeier@tu-bs.de> to control@bugs.debian.org. (Mon, 31 May 2010 21:33:10 GMT) Full text and rfc822 format available.

Added indication that bug 583958 blocks 583971 Request was from "C. Gatzemeier" <c.gatzemeier@tu-bs.de> to control@bugs.debian.org. (Mon, 31 May 2010 21:39:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Wed, 22 Jun 2011 06:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 22 Jun 2011 06:33:04 GMT) Full text and rfc822 format available.

Message #14 received at 583958@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583958@bugs.debian.org, 583971@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Wed, 22 Jun 2011 08:28:38 +0200
[Message part 1 (text/plain, inline)]
Hello all,

C. Gatzemeier [2010-05-31 22:57 +0200]:
> Enabling "pam_umask usergroups" (now that pam_umask is available) will
> re-enable Debian's user private group setup to work correctly.
> 
> There is a
> patch to https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096 that
> adds comments and calls "pam_umask usergroups"
> from /etc/pam.d/common-session{,-noninteractive}
> http://launchpadlibrarian.net/42107572/pam_umask-for-common-sessions.patch
> 
> 
> But it might be preferable to patch pam_umask to read the
> USERGROUPS_ENAB option from /etc/login.defs.
> So that pam_umask's "usergroups" feature is configurable more
> straightforwardly. (pam_umask already reads the UMASK value from login.defs)

Steve Langasek and I just discussed that, and agreed that this makes
sense; but we should document the explicit "usergroups" option as
deprecated, and use the USERGROUPS_ENAB option as the definitive place
to enable/disable this.

From http://bugs.debian.org/583971 for the login.defs counterpart:
> login.defs should contain UMASK 022 while pam_umask conditionally
> relaxes it to 002 for private usergroups. (Like it used to
> be before PAM was introduced, without pam_umask support at that
> time.)

An alternative would be to comment out the UMASK setting by default,
and only then have pam_umask default to an implicit "022, with
USERGROUPS_ENAB relaxing to 002". As soon as login.defs,
/etc/default/login, or any of the other places that pam_umask looks
for (GECOS, etc.) would define an umask setting, it would use that,
and only that. The advantage is that this behaves more predictably (if
I configure an umask, I get it), but it comes at the expense of not
making UPG magically work if you set UMASK=077 (which is also a common
default).

For now I'm leaning towards the original proposal here, which also
seems to be consistent with the pre-PAM age.

I'll work on a patch for this and send it here.

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#583958; Package libpam-modules. (Wed, 22 Jun 2011 07:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Wed, 22 Jun 2011 07:00:03 GMT) Full text and rfc822 format available.

Message #19 received at 583958@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Martin Pitt <mpitt@debian.org>, 583958@bugs.debian.org
Cc: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583971@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Tue, 21 Jun 2011 23:56:15 -0700
[Message part 1 (text/plain, inline)]
On Wed, Jun 22, 2011 at 08:28:38AM +0200, Martin Pitt wrote:
> An alternative would be to comment out the UMASK setting by default,
> and only then have pam_umask default to an implicit "022, with
> USERGROUPS_ENAB relaxing to 002". As soon as login.defs,
> /etc/default/login, or any of the other places that pam_umask looks
> for (GECOS, etc.) would define an umask setting, it would use that,
> and only that. The advantage is that this behaves more predictably (if
> I configure an umask, I get it), but it comes at the expense of not
> making UPG magically work if you set UMASK=077 (which is also a common
> default).

> For now I'm leaning towards the original proposal here, which also
> seems to be consistent with the pre-PAM age.

Yep, I've just looked over the shadow code that handles USERGROUPS_ENAB; you
(and ceg) are correct that the USERGROUPS_ENAB option should twiddle the
umask rather than overriding it entirely.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]
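
The two policies weighed in the messages above, side by side, as an added example (not code from pam_umask, shadow or the attached patch). It assumes a private group means a non-root user whose primary group carries the user's name, and that the relaxation copies the owner bits into the group bits, so 022 becomes 002 and 077 becomes 007; the accounts are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample accounts; nothing is read from /etc/passwd or /etc/group. */
struct account {
    const char *user;
    const char *primary_group;
    uid_t uid;
};

static const struct account UPG_USER    = { "alice", "alice", 1000 };
static const struct account SHARED_USER = { "bob",   "staff", 1001 };
static const struct account ROOT_USER   = { "root",  "root",  0 };

/* Assumption of this example: private group = non-root user whose primary
 * group has the same name as the user. */
static int has_private_group(const struct account *a)
{
    return a->uid != 0 && strcmp(a->user, a->primary_group) == 0;
}

/* Original proposal: USERGROUPS_ENAB adjusts whatever UMASK is configured by
 * copying the owner bits into the group bits (022 -> 002, 077 -> 007). */
mode_t umask_twiddle(mode_t configured, int usergroups_enab,
                     const struct account *a)
{
    if (usergroups_enab && has_private_group(a))
        return (configured & ~(mode_t)070) | ((configured >> 3) & 070);
    return configured;
}

/* Alternative: an explicitly configured UMASK is used as is; only when none
 * is configured does the implicit 022 apply, relaxed for private groups. */
mode_t umask_alternative(int have_configured, mode_t configured,
                         int usergroups_enab, const struct account *a)
{
    if (have_configured)
        return configured;
    return umask_twiddle(022, usergroups_enab, a);
}

int main(void)
{
    const struct account *accts[] = { &UPG_USER, &SHARED_USER, &ROOT_USER };
    const mode_t configured[] = { 022, 077 };

    printf("%-6s %-6s %-6s %-8s %s\n",
           "user", "group", "UMASK", "twiddle", "alternative");
    for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++)
        for (size_t j = 0; j < sizeof configured / sizeof configured[0]; j++)
            printf("%-6s %-6s %03o    %03o      %03o\n",
                   accts[i]->user, accts[i]->primary_group,
                   (unsigned)configured[j],
                   (unsigned)umask_twiddle(configured[j], 1, accts[i]),
                   (unsigned)umask_alternative(1, configured[j], 1, accts[i]));
    return 0;
}
```

The UMASK 077 rows are where the two policies differ: the first yields 007 for the private-group user, the second keeps 077.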

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Wed, 22 Jun 2011 08:39:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Wed, 22 Jun 2011 08:39:19 GMT) Full text and rfc822 format available.

Message #24 received at 583958@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583958@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Wed, 22 Jun 2011 10:06:37 +0200
[Message part 1 (text/plain, inline)]
Hello all,

I created a branch and merge proposal [1] for this, it's working
nicely here. Thanks to pam-auth-update pam_umask also gets added on
upgrade.

I also attach the changes as a patch for offline convenience.

If you are happy with this, I can also send a patch for
http://bugs.debian.org/583971 to update the documentation comments in
login.defs, but C. Gatzemeier's proposed comment already sounds good
to me (just needs some tiny adjustments for the "usergroups" option
deprecation).

Thanks,

Martin

[1] https://code.launchpad.net/~pitti/pam/pam-umask/+merge/65451
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
[patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Fri, 24 Jun 2011 06:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Fri, 24 Jun 2011 06:27:03 GMT) Full text and rfc822 format available.

Message #29 received at 583958@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583958@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Fri, 24 Jun 2011 08:24:40 +0200
Hello again,

my previous patch didn't update the md5sums, this one does now. It got
merged into the Ubuntu branch after review from Steve.

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Fri, 24 Jun 2011 08:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Fri, 24 Jun 2011 08:39:03 GMT) Full text and rfc822 format available.

Message #34 received at 583958@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583958@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Fri, 24 Jun 2011 10:34:41 +0200
[Message part 1 (text/plain, inline)]
Martin Pitt [2011-06-24  8:24 +0200]:
> my previous patch didn't update the md5sums, this one does now.

Meh -- attached now, sorry.

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
[patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Fri, 24 Jun 2011 19:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nicolas François <nicolas.francois@centraliens.net>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Fri, 24 Jun 2011 19:39:03 GMT) Full text and rfc822 format available.

Message #39 received at 583958@bugs.debian.org (full text, mbox):

From: Nicolas François <nicolas.francois@centraliens.net>
To: Steve Langasek <vorlon@debian.org>, 583958@bugs.debian.org
Cc: Martin Pitt <mpitt@debian.org>, "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583971@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Fri, 24 Jun 2011 21:36:23 +0200
Hello,

On Tue, Jun 21, 2011 at 11:56:15PM -0700, Steve Langasek wrote:
> 
> Yep, I've just looked over the shadow code that handles USERGROUPS_ENAB; you
> (and ceg) are correct that the USERGROUPS_ENAB option should twiddle the
> umask rather than overriding it entirely.

On the PAM side, are you going to push this patch upstream?

(I'm wondering if the shadow change should be applied upstream or in the
Debian branch only)

Best Regards,
-- 
Nekral




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#583958; Package libpam-modules. (Sun, 26 Jun 2011 09:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Sun, 26 Jun 2011 09:33:03 GMT) Full text and rfc822 format available.

Message #44 received at 583958@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Nicolas François <nicolas.francois@centraliens.net>
Cc: 583958@bugs.debian.org, Martin Pitt <mpitt@debian.org>, "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583971@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Sat, 25 Jun 2011 21:07:29 -0400
[Message part 1 (text/plain, inline)]
On Fri, Jun 24, 2011 at 09:36:23PM +0200, Nicolas François wrote:
> On Tue, Jun 21, 2011 at 11:56:15PM -0700, Steve Langasek wrote:

> > Yep, I've just looked over the shadow code that handles USERGROUPS_ENAB; you
> > (and ceg) are correct that the USERGROUPS_ENAB option should twiddle the
> > umask rather than overriding it entirely.

> On the PAM side, are you going to push this patch upstream?

Yes - will push upstream prior to applying in Debian.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]

Added tag(s) upstream. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Thu, 21 Jul 2011 11:29:16 GMT) Full text and rfc822 format available.

Forcibly Merged 583958 646692. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 27 Oct 2011 20:30:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Fri, 11 May 2012 22:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Fri, 11 May 2012 22:03:03 GMT) Full text and rfc822 format available.

Message #53 received at 583958@bugs.debian.org (full text, mbox):

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: 583971@bugs.debian.org, 583958@bugs.debian.org
Subject: login.defs: UMASK 022 / enable pam_umask usergroups
Date: Sat, 12 May 2012 00:01:04 +0200
I see you fixed things in Ubuntu, what is the status for Debian?
Did your patches get to, and get accepted, upstream?




Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Thu, 18 Oct 2012 12:24:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Thu, 18 Oct 2012 12:24:06 GMT) Full text and rfc822 format available.

Message #58 received at 583958@bugs.debian.org (full text, mbox):

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: 583958@bugs.debian.org
Subject: push for wheezy
Date: Thu, 18 Oct 2012 14:21:50 +0200
Could you please push your fixes for wheezy?
This blocks 583971.



Added tag(s) patch. Request was from "C. Gatzemeier" <c.gatzemeier@tu-bs.de> to control@bugs.debian.org. (Wed, 07 Nov 2012 19:21:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Tue, 23 Apr 2013 08:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Tue, 23 Apr 2013 08:48:04 GMT) Full text and rfc822 format available.

Message #65 received at 583958@bugs.debian.org (full text, mbox):

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: 583958@bugs.debian.org
Subject: login.defs: UMASK 022 / enable pam_umask usergroups
Date: Tue, 23 Apr 2013 10:45:29 +0200
Tags: -upstream

Hello, please apply the patch for this blocking issue in Debian.

Then reset this bug to upstream, after the patch actually is in Debian
and has been submitted for inclusion upstream.




Removed tag(s) upstream. Request was from "C. Gatzemeier" <c.gatzemeier@tu-bs.de> to control@bugs.debian.org. (Tue, 23 Apr 2013 09:15:07 GMT) Full text and rfc822 format available.

Added tag(s) upstream. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 23 Apr 2013 14:21:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Fri, 03 May 2013 15:00:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Fri, 03 May 2013 15:00:09 GMT) Full text and rfc822 format available.

Message #74 received at 583958@bugs.debian.org (full text, mbox):

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: 583958@bugs.debian.org
Subject: current status
Date: Fri, 3 May 2013 16:48:07 +0200
Hello,

I could not find the patch for this in the upstream bugtracker.
https://fedorahosted.org/linux-pam/query

Vorlon, you re-added the upstream tag, I may be misunderstanding
this, could you please clarify what you mean with the upstream status,
and why the debdiff patch is not being applied in Debian?



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#583958; Package libpam-modules. (Fri, 03 May 2013 15:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. (Fri, 03 May 2013 15:21:04 GMT) Full text and rfc822 format available.

Message #79 received at 583958@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583958@bugs.debian.org
Subject: Re: Bug#583958: current status
Date: Fri, 3 May 2013 08:16:27 -0700
[Message part 1 (text/plain, inline)]
On Fri, May 03, 2013 at 04:48:07PM +0200, C. Gatzemeier wrote:
> I could not find the patch for this in the upstream bugtracker.
> https://fedorahosted.org/linux-pam/query

> Vorlon, you re-added the upstream tag, I may be misunderstanding
> this, could you please clarify what you mean with the upstream status,

"upstream" means the bug is an upstream bug.  Which is correct.

> and why the debdiff patch is not being applied in Debian?

For the stated reason that I do not intend to apply this to the Debian
package before it's been upstreamed.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#583958; Package libpam-modules. (Fri, 03 May 2013 16:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <vorlon@debian.org>. (Fri, 03 May 2013 16:51:04 GMT) Full text and rfc822 format available.

Message #84 received at 583958@bugs.debian.org (full text, mbox):

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: Steve Langasek <vorlon@debian.org>
Cc: 583958@bugs.debian.org
Subject: Re: Bug#583958: current status
Date: Fri, 3 May 2013 18:39:26 +0200
Thanks for responding that quickly.

On Fri, 3 May 2013 08:16:27 -0700,
Steve Langasek <vorlon@debian.org> wrote:

> "upstream" means the bug is an upstream bug.  Which is correct.

> > and why the debdiff patch is not being applied in Debian?
> 
> For the stated reason that I do not intend to apply this to the Debian
> package before it's been upstreamed.

That statement has also been made some years before, yes.

Unfortunately, these do not seem to give much humanity, or a reason
for the decision against applying the patch in Debian as well in the
meantime. (To follow the debian-devel discussion, unblock other bugs,
and close the gap to Ubuntu.)


Also, could you please state clearly whether you actually
forwarded the patch to upstream, and what its meaningful upstream
status is. (To let us know that it has been properly reported
upstream and is being dealt with, and not just used as a kind of
not-our-business tag.)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:33:02 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.