Debian Bug report logs - #583967
remove umask line from /etc/profile

Package: base-files; Maintainer for base-files is Santiago Vila <sanvila@debian.org>; Source for base-files is src:base-files.

Reported by: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>

Date: Mon, 31 May 2010 21:18:02 UTC

Severity: normal

Fixed in version base-files/5.7

Done: Santiago Vila <sanvila@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#583967; Package base-files. (Mon, 31 May 2010 21:18:04 GMT)

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>. (Mon, 31 May 2010 21:18:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: submit@bugs.debian.org
Subject: remove umask line from /etc/profile
Date: Mon, 31 May 2010 23:15:28 +0200
Package: base-files

(Filing this, to track the TODOs from the discussion that followed
http://lists.debian.org/debian-devel/2010/05/msg00887.html)

As soon as pam_umask is enabled by default and will set the umask on
all different types of logins to the system, the umask override in
/etc/profile should be removed and replaced by a comment.

# A system wide umask gets set by pam_umask now, it is usually
# configured in /etc/login.defs, see "man pam_umask".




Added blocking bug(s) of 583967: 583958 Request was from "C. Gatzemeier" <c.gatzemeier@tu-bs.de> to control@bugs.debian.org. (Mon, 31 May 2010 21:33:09 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#583967; Package base-files. (Tue, 01 Jun 2010 11:57:03 GMT)

Message #10 received at 583967@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: 583967@bugs.debian.org, 583967-submitter@bugs.debian.org
Subject: #583967 RC?
Date: Tue, 1 Jun 2010 13:54:19 +0200
Hi,

should #583967 be RC?  If I see it correctly it will "only" affect new
installs because the /etc/profile file is not automatically updated.  But
calling this unconditionally sounds wrong:

| if [ "`id -u`" -ge 1000 ] && [ "`id -u`" -le 29999 ]; then
|   umask 002
| else
|   umask 022
| fi

(Currently in testing.)

As discussed on debian-devel we really, really want the additional sanity
checks pam_umask provides.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org

Message sent on to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Bug#583967. (Tue, 01 Jun 2010 11:57:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#583967; Package base-files. (Tue, 01 Jun 2010 12:15:09 GMT)

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Tue, 01 Jun 2010 12:15:09 GMT)

Message #18 received at 583967@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: Philipp Kern <pkern@debian.org>, 583967@bugs.debian.org
Cc: 583967-submitter@bugs.debian.org
Subject: Re: Bug#583967: #583967 RC?
Date: Tue, 1 Jun 2010 14:12:42 +0200 (CEST)
On Tue, 1 Jun 2010, Philipp Kern wrote:

> Hi,
> 
> should #583967 be RC?

No, it should not.

> If I see it correctly it will "only" affect new
> installs because the /etc/profile file is not automatically updated.  But
> calling this unconditionally sounds wrong:
> 
> | if [ "`id -u`" -ge 1000 ] && [ "`id -u`" -le 29999 ]; then
> |   umask 002
> | else
> |   umask 022
> | fi
> 
> (Currently in testing.)

It may not be suitable for your current installation, but it is
suitable for a newly installed system as a *default*. As it happens
with every default, it is not required to satisfy everybody, and the
user is always free to change it.

> As discussed on debian-devel we really, really want the additional sanity
> checks pam_umask provides.

So please tell me when there is a pam thing that replaces the current
default /etc/profile and I will gladly remove the umask setting from it.




Message sent on to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Bug#583967. (Tue, 01 Jun 2010 12:15:16 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#583967; Package base-files. (Tue, 01 Jun 2010 16:54:03 GMT)

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Tue, 01 Jun 2010 16:54:04 GMT)

Message #26 received at 583967@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: Philipp Kern <pkern@debian.org>
Cc: 583967@bugs.debian.org, 583967-submitter@bugs.debian.org
Subject: Re: #583967 RC?
Date: Tue, 1 Jun 2010 18:50:30 +0200
* Philipp Kern (pkern@debian.org) [100601 13:55]:
> Hi,
> 
> should #583967 be RC?  If I see it correctly it will "only" affect new
> installs because the /etc/profile file is not automatically updated.  But
> calling this unconditionally sounds wrong:
> 
> | if [ "`id -u`" -ge 1000 ] && [ "`id -u`" -le 29999 ]; then
> |   umask 002
> | else
> |   umask 022
> | fi
> 
> (Currently in testing.)
> 
> As discussed on debian-devel we really, really want the additional sanity
> checks pam_umask provides.

Though I believe usergroups are a great idea (and it's time to
switch), putting this in /etc/profile doesn't sound right to me.



Andi




Message sent on to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Bug#583967. (Tue, 01 Jun 2010 16:54:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#583967; Package base-files. (Tue, 01 Jun 2010 17:48:03 GMT)

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Tue, 01 Jun 2010 17:48:03 GMT)

Message #34 received at 583967@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: Philipp Kern <pkern@debian.org>
Cc: 583967@bugs.debian.org, 583967-submitter@bugs.debian.org
Subject: Re: #583967 RC?
Date: Tue, 1 Jun 2010 19:45:50 +0200
severity 583967 serious
thanks

* Philipp Kern (pkern@debian.org) [100601 13:55]:
> should #583967 be RC?  If I see it correctly it will "only" affect new
> installs because the /etc/profile file is not automatically updated.  But
> calling this unconditionally sounds wrong:
> 
> | if [ "`id -u`" -ge 1000 ] && [ "`id -u`" -le 29999 ]; then
> |   umask 002
> | else
> |   umask 022
> | fi
> 
> (Currently in testing.)
> 
> As discussed on debian-devel we really, really want the additional sanity
> checks pam_umask provides.

After some more thinking, I need to say:

              We can not release with this code present.


(i.e. this bug report is RC-grade).  This will break new installs in
many environments without usergroups, like e.g. debian.org machines.


I appreciate the goal to get better support for
usergroup-environments, but doing it wrong only causes pain. The right
way seems to me to call pam_umask with the option "usergroups", which
has the following sanity checks that this code misses:

    If [...] the user ID is equal to the group ID, and the username is
    the same as primary group name,

Also, pam is the obvious place for such a thing.


Andi
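
Added example, not part of the original thread and not code from base-files or Linux-PAM: a side-by-side of the UID-range test quoted from /etc/profile and the pam_umask "usergroups" conditions cited in the message above, run over constructed account records to list accounts that would get umask 002 without having a private primary group. The function names, the `user:uid:gid:group` record format, the base umask of 022, and the non-root condition (taken from the pam_umask man page, elided in the quote above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: compares the /etc/profile UID-range test quoted in this
# thread with the pam_umask "usergroups" conditions. All records are constructed.

# umask chosen by the /etc/profile snippet: decided by the UID range alone.
profile_umask() {  # $1 = uid
    if [ "$1" -ge 1000 ] && [ "$1" -le 29999 ]; then echo 002; else echo 022; fi
}

# umask under the "usergroups" conditions, assuming a base umask of 022:
# group bits are relaxed only for a non-root user whose UID equals the GID
# and whose username equals the primary group name.
usergroups_umask() {  # $1 = user, $2 = uid, $3 = gid, $4 = primary group name
    if [ "$2" -ne 0 ] && [ "$2" -eq "$3" ] && [ "$1" = "$4" ]; then
        echo 002
    else
        echo 022
    fi
}

# Read "user:uid:gid:group" records on stdin and print every account for
# which the UID-range test hands out 002 although the group is not private.
audit_accounts() {
    while IFS=: read -r user uid gid group; do
        [ -n "$user" ] || continue
        p=$(profile_umask "$uid")
        u=$(usergroups_umask "$user" "$uid" "$gid" "$group")
        if [ "$p" = 002 ] && [ "$u" = 022 ]; then
            echo "$user: profile=$p usergroups=$u (primary group '$group', gid $gid)"
        fi
    done
}

# Constructed sample records (not taken from the bug report).
SAMPLE='root:0:0:root
alice:1000:1000:alice
bob:1001:100:users
carol:1002:100:users
dave:1003:1003:staff'

sample_report() { printf '%s\n' "$SAMPLE" | audit_accounts; }

sample_report
```

On a real system the same records can be assembled from `getent passwd` and `getent group` and piped into `audit_accounts`.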




Message sent on to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Bug#583967. (Tue, 01 Jun 2010 17:48:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#583967; Package base-files. (Tue, 01 Jun 2010 22:24:02 GMT)

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Tue, 01 Jun 2010 22:24:03 GMT)

Message #42 received at 583967@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: Andreas Barth <aba@not.so.argh.org>, 583967@bugs.debian.org
Cc: Philipp Kern <pkern@debian.org>, 583967-submitter@bugs.debian.org
Subject: Re: Bug#583967: #583967 RC?
Date: Wed, 2 Jun 2010 00:21:15 +0200 (CEST)
On Tue, 1 Jun 2010, Andreas Barth wrote:

> (i.e. this bug report is RC-grade).  This will break new installs in
> many environments without usergroups, like e.g. debian.org machines.

Hmm, I don't understand how a default value may "break" a new install
at all, as if the system admin would be unable to change the default
value (commenting out undesired lines in this case) before putting the
system into production.

Anyway, as everybody says this should be done with PAM, it makes no
sense to discuss bug severities here, so I've just removed the
umask setting completely.

Note for the release managers: I've uploaded base-files_5.7 with
urgency=low. As I believe you have the power to do it, feel free to
increase the urgency if you consider it necessary.

Thanks.




Message sent on to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Bug#583967. (Tue, 01 Jun 2010 22:24:05 GMT)

Reply sent to Santiago Vila <sanvila@debian.org>:
You have taken responsibility. (Tue, 01 Jun 2010 22:36:07 GMT)

Notification sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Bug acknowledged by developer. (Tue, 01 Jun 2010 22:36:08 GMT)

Message #50 received at 583967-close@bugs.debian.org:

From: Santiago Vila <sanvila@debian.org>
To: 583967-close@bugs.debian.org
Subject: Bug#583967: fixed in base-files 5.7
Date: Tue, 01 Jun 2010 22:32:30 +0000
Source: base-files
Source-Version: 5.7

We believe that the bug you reported is fixed in the latest version of
base-files, which is due to be installed in the Debian FTP archive:

base-files_5.7.dsc
  to main/b/base-files/base-files_5.7.dsc
base-files_5.7.tar.gz
  to main/b/base-files/base-files_5.7.tar.gz
base-files_5.7_powerpc.deb
  to main/b/base-files/base-files_5.7_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 583967@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Santiago Vila <sanvila@debian.org> (supplier of updated base-files package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 01 Jun 2010 23:57:52 +0200
Source: base-files
Binary: base-files
Architecture: source powerpc
Version: 5.7
Distribution: unstable
Urgency: low
Maintainer: Santiago Vila <sanvila@debian.org>
Changed-By: Santiago Vila <sanvila@debian.org>
Description:
 base-files - Debian base system miscellaneous files
Closes: 583967
Changes:
 base-files (5.7) unstable; urgency=low
 .
   * Drop umask setting from /etc/profile, will be handled by pam_umask.
     Closes: #583967.


Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#583967; Package base-files. (Wed, 02 Jun 2010 10:24:03 GMT)

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Wed, 02 Jun 2010 10:24:03 GMT)

Message #55 received at 583967@bugs.debian.org:

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: Santiago Vila <sanvila@unex.es>
Cc: Andreas Barth <aba@not.so.argh.org>, 583967@bugs.debian.org, Philipp Kern <pkern@debian.org>, 583967-submitter@bugs.debian.org
Subject: Re: Bug#583967: #583967 RC?
Date: Wed, 2 Jun 2010 12:20:30 +0200
Hi, thanks for being so quick, Santiago.

I guess that now makes #583958 "enable pam_umask usergroups by default"
an RC issue? Since we rely on it to set the umask.

Can someone adjust that?




Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#583967; Package base-files. (Wed, 02 Jun 2010 10:24:05 GMT)

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Wed, 02 Jun 2010 10:24:05 GMT)

Message #60 received at 583967@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: <583967@bugs.debian.org>
Cc: Santiago Vila <sanvila@unex.es>
Subject: is pam_umask already used now?
Date: Wed, 02 Jun 2010 10:22:17 +0000
Hi.


Just wondered.... has pam_umask been already set up to be used (in new
installations)?

OT: And what would I have to do to set it up for old installations?
OT2: Does pam_umask take care of all this discussion which UIDs should be
subject to UPGs at all (I mean >= 1000 + <= (something that was reserved)

Cheers,
Chris.




Message sent on to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
Bug#583967. (Wed, 02 Jun 2010 10:24:12 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#583967; Package base-files. (Thu, 03 Jun 2010 09:30:02 GMT)

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Thu, 03 Jun 2010 09:30:03 GMT)

Message #68 received at 583967@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Cc: 583967@bugs.debian.org
Subject: Re: is pam_umask already used now?
Date: Thu, 3 Jun 2010 11:28:39 +0200 (CEST)
On Wed, 2 Jun 2010, Christoph Anton Mitterer wrote:

> Hi.
> 
> 
> Just wondered.... has pam_umask been already set up to be used (in new
> installations)?

No, AFAIK.

> OT: And what would I have to do to set it up for old installations?
> OT2: Does pam_umask take care of all this discussion which UIDs should be
> subject to UPGs at all (I mean >= 1000 + <= (something that was reserved)

Ask Andreas Barth.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 10 Jul 2010 07:35:07 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:41:32 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.