Debian Bug report logs - #583971
login.defs: UMASK 022 (and have pam_umask relax it to 002 for private usergroups)


Package: login; Maintainer for login is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for login is src:shadow.

Reported by: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>

Date: Mon, 31 May 2010 21:30:01 UTC

Severity: normal

Tags: patch, pending

Merged with 581413

Found in version shadow/1:4.1.4.2-1

Fix blocked by 583958: enable pam_umask usergroups by default



Report forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#583971; Package login. (Mon, 31 May 2010 21:30:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "C. Gatzemeier" <c.gatzemeier@tu-bs.de>:
New Bug report received and forwarded. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 31 May 2010 21:30:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org:

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: submit@bugs.debian.org
Subject: login.defs: UMASK 022 (and have pam_umask relax it to 002 for private usergroups)
Date: Mon, 31 May 2010 23:27:51 +0200
Package: login

(Filing this, to track the TODOs from the discussion that followed
http://lists.debian.org/debian-devel/2010/05/msg00887.html)


login.defs should contain UMASK 022 while pam_umask conditionally
relaxes it to 002 for private usergroups. (Like it used to
be before PAM was introduced, without pam_umask support at that
time.)

A UPG usage text: https://wiki.ubuntu.com/MultiUserManagement

Here is a draft for the login.defs comments:

--8<----- cut here ----------
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# UMASK Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
#
# On PAM-enabled systems the UMASK setting in this file is used as a
# global default by pam_umask. (See man pam_umask for global and per
# user overrides.) Setting the umask in any shell rc files
# (i.e. /etc/profile and others) instead of with pam_umask is
# deprecated because they don't catch all classes of user entry
# to the system.
#
# On non-PAM (login) systems setting the umask in shell rc files, in
# addition to the UMASK setting here, can catch some more classes of
# user entries to the system. (Logins through su, cron, ssh etc.)
# At the same time, using shell rc files to set umask won't catch cases
# which use non-shell executables in place of a login shell,
# like /usr/sbin/pppd for the "ppp" user and alike.
#
# UMASK 022 is the default value in Debian,
# 027 or even 077 could be considered better for privacy, if
# user private groups (UPGs) have been disabled (see /etc/adduser.conf
# and option USERGROUPS_ENAB below), the home directories have all been
# created with restricted permissions (adduser.conf) and the users in the
# system are not to trust each other to read each other's files
# they created in accessible directories.
# There is no One True Answer here: Each sysadmin must make up his/her
# mind.
#
# Note that with login's USERGROUPS_ENAB feature, or
# with the "usergroups" feature of pam_umask (debian default),
# if a user has been created with a user private group (UPG) that user's
# group permission umask value is adjusted to match the user permission
# value (i.e. 022->002). This enables flawless collaboration for UPG
# users in group directories, without risking a too permissive system
# wide default.
UMASK 022

--8<---------------






Added blocking bug(s) of 583971: 583958 Request was from "C. Gatzemeier" <c.gatzemeier@tu-bs.de> to control@bugs.debian.org. (Mon, 31 May 2010 21:39:06 GMT)


Message #12 received at 583971@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583958@bugs.debian.org, 583971@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Wed, 22 Jun 2011 08:28:38 +0200
Hello all,

C. Gatzemeier [2010-05-31 22:57 +0200]:
> Enabling "pam_umask usergroups" (now that pam_umask is available) will
> re-enable debian's user private group setup to work correctly.
> 
> There is a
> patch to https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096 that
> adds comments and calls "pam_umask usergroups"
> from /etc/pam.d/common-session{,-noninteractive}
> http://launchpadlibrarian.net/42107572/pam_umask-for-common-sessions.patch
> 
> 
> But it might be preferable to patch pam_umask to read the
> USERGROUPS_ENAB option from /etc/login.defs.
> So that pam_umasks "usergroups" feature is configurable more straight
> forward. (pam_umask already reads the UMASK value from login.defs)

Steve Langasek and I just discussed that, and agreed that this makes
sense; but we should document the explicit "usergroups" option as
deprecated, and use the USERGROUPS_ENAB option as the definitive place
to enable/disable this.

From http://bugs.debian.org/583971 for the login.defs counterpart:
> login.defs should contain UMASK 022 while pam_umask conditionally
> relaxes it to 002 for private usergroups. (Like it used to
> be before PAM was introduced, without pam_umask support at that
> time.)

An alternative would be to comment out the UMASK setting by default,
and only then have pam_umask default to an implicit "022, with
USERGROUPS_ENAB relaxing to 002". As soon as login.defs,
/etc/default/login, or any of the other places that pam_umask looks
for (GECOS, etc.) would define an umask setting, it would use that,
and only that. The advantage is that this behaves more predictably (if
I configure an umask, I get it), but it comes at the expense of not
making UPG magically work if you set UMASK=077 (which is also a common
default).

For now I'm leaning towards the original proposal here, which also
seems to be consistent with the pre-PAM age.

I'll work on a patch for this and send it here.

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)


Message #17 received at 583971@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Martin Pitt <mpitt@debian.org>, 583958@bugs.debian.org
Cc: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583971@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Tue, 21 Jun 2011 23:56:15 -0700
On Wed, Jun 22, 2011 at 08:28:38AM +0200, Martin Pitt wrote:
> An alternative would be to comment out the UMASK setting by default,
> and only then have pam_umask default to an implicit "022, with
> USERGROUPS_ENAB relaxing to 002". As soon as login.defs,
> /etc/default/login, or any of the other places that pam_umask looks
> for (GECOS, etc.) would define an umask setting, it would use that,
> and only that. The advantage is that this behaves more predictably (if
> I configure an umask, I get it), but it comes at the expense of not
> making UPG magically work if you set UMASK=077 (which is also a common
> default).

> For now I'm leaning towards the original proposal here, which also
> seems to be consistent with the pre-PAM age.

Yep, I've just looked over the shadow code that handles USERGROUPS_ENAB; you
(and ceg) are correct that the USERGROUPS_ENAB option should twiddle the
umask rather than overriding it entirely.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
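
Added example (the editor's, not code from shadow, Linux-PAM or the patches attached to this bug): a stand-alone C model of the two umask policies weighed above, the draft UMASK comments in message #5 ("group permission umask value is adjusted to match the user permission value, 022->002") and the "twiddle the umask rather than overriding it entirely" point in messages #12 and #17, including Martin's alternative where an explicitly configured UMASK is used exactly as written. Everything in it is constructed for illustration: the login.defs excerpts, the passwd/group records, and the helper names (defs_lookup, parse_umask, is_upg, upg_adjust, effective_umask). It assumes the UPG test is "not root, and the primary group is named after the user", that USERGROUPS_ENAB is a plain yes/no, and that the group bits are relaxed by copying the owner bits into them.

```c
/*
 * Added example, not code from shadow, Linux-PAM or the patches in this
 * bug: a stand-alone model of the umask policy the thread settles on.
 * The login.defs excerpts, the passwd/group records and every helper
 * name here are constructed for illustration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

struct fake_pw { const char *name; uid_t uid; gid_t gid; };  /* stand-in for struct passwd */
struct fake_gr { const char *name; gid_t gid; };             /* stand-in for struct group  */

/* The two policies compared in the thread. */
enum policy {
    POLICY_ADJUST_ALWAYS,   /* proposal: configured UMASK, group bits relaxed for UPG users */
    POLICY_ADJUST_IF_UNSET  /* alternative: an explicit UMASK is used exactly, no relaxation */
};

/* Look up KEY in a login.defs-style buffer ("KEY<ws>value" lines, '#' comments).
 * Copies the value into OUT and returns 1, or returns 0 when KEY is absent.
 * Simplification: keys are expected at the start of the line. */
static int defs_lookup(const char *defs, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = defs; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > klen && strncmp(p, key, klen) == 0 &&
            (p[klen] == ' ' || p[klen] == '\t')) {
            const char *v = p + klen;
            while (v < p + len && (*v == ' ' || *v == '\t')) v++;
            size_t vlen = (size_t)(p + len - v);
            if (vlen >= outlen) vlen = outlen - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* UMASK is octal. Reject trailing junk or out-of-range values (-1) instead of
 * silently applying a mask that is not what the admin wrote. */
static int parse_umask(const char *s)
{
    char *end;
    unsigned long v = strtoul(s, &end, 8);
    if (*s == '\0' || *end != '\0' || v > 0777) return -1;
    return (int)v;
}

/* UPG test (assumed for this example): not root, and the primary group is
 * named after the user. */
static int is_upg(const struct fake_pw *pw, const struct fake_gr *grs, size_t ngr)
{
    if (pw->uid == 0) return 0;
    for (size_t i = 0; i < ngr; i++)
        if (grs[i].gid == pw->gid)
            return strcmp(grs[i].name, pw->name) == 0;
    return 0;
}

/* "Twiddle" rather than override: copy the owner bits into the group bits and
 * leave everything else alone, so 022 -> 002, 027 -> 007 and 077 -> 007. */
static mode_t upg_adjust(mode_t mask)
{
    return (mask & ~(mode_t)070) | ((mask & 0700) >> 3);
}

/* Effective umask for a session of PW under DEFS and POLICY. */
static mode_t effective_umask(const char *defs, const struct fake_pw *pw,
                              const struct fake_gr *grs, size_t ngr, enum policy pol)
{
    char buf[32];
    int explicit_mask = 0, mask = 022;  /* implicit default when UMASK is absent */
    if (defs_lookup(defs, "UMASK", buf, sizeof buf)) {
        int m = parse_umask(buf);
        if (m >= 0) { mask = m; explicit_mask = 1; }
    }
    int upg_enab = defs_lookup(defs, "USERGROUPS_ENAB", buf, sizeof buf) &&
                   strcmp(buf, "yes") == 0;
    if (upg_enab && is_upg(pw, grs, ngr) &&
        (pol == POLICY_ADJUST_ALWAYS || !explicit_mask))
        return upg_adjust((mode_t)mask);
    return (mode_t)mask;
}

/* Mode a new file (created with 0666) gets under MASK. */
static mode_t new_file_mode(mode_t mask) { return 0666 & ~mask; }

/* Constructed records: alice has a UPG, carol's primary group is the shared "users". */
static const struct fake_gr GROUPS[] = { {"users", 100}, {"alice", 1000} };
#define NGROUPS (sizeof GROUPS / sizeof GROUPS[0])
static const struct fake_pw ALICE = { "alice", 1000, 1000 };
static const struct fake_pw CAROL = { "carol", 1002, 100 };
static const char DEFS_022[] = "# constructed excerpt\nUMASK\t022\nUSERGROUPS_ENAB yes\n";
static const char DEFS_077[] = "UMASK 077\nUSERGROUPS_ENAB yes\n";

int main(void)
{
    printf("alice, UMASK 022, proposal:    %03o\n", (unsigned)effective_umask(DEFS_022, &ALICE, GROUPS, NGROUPS, POLICY_ADJUST_ALWAYS));
    printf("carol, UMASK 022, proposal:    %03o\n", (unsigned)effective_umask(DEFS_022, &CAROL, GROUPS, NGROUPS, POLICY_ADJUST_ALWAYS));
    printf("alice, UMASK 077, proposal:    %03o\n", (unsigned)effective_umask(DEFS_077, &ALICE, GROUPS, NGROUPS, POLICY_ADJUST_ALWAYS));
    printf("alice, UMASK 077, alternative: %03o\n", (unsigned)effective_umask(DEFS_077, &ALICE, GROUPS, NGROUPS, POLICY_ADJUST_IF_UNSET));
    printf("new file under 002:            %03o\n", (unsigned)new_file_mode(002));
    return 0;
}
```

Under the proposal, alice (UPG) gets 002 from UMASK 022 and 007 from UMASK 077, while carol, whose primary group is the shared users group, keeps the configured mask untouched; under the alternative an explicit UMASK 077 stays 077 for alice, which is the "predictable, but no UPG magic with 077" trade-off Martin describes. The parser rejects values such as 0x22 or 1777 outright rather than guessing, since a misparsed umask silently widens what every new file exposes.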


Message #22 received at 583971@bugs.debian.org:

From: Martin Pitt <martin.pitt@ubuntu.com>
To: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583971@bugs.debian.org
Subject: Re: Bug#583971: login.defs: UMASK 022 (and have pam_umask relax it to 002 for private usergroups)
Date: Fri, 24 Jun 2011 11:12:49 +0200
Hello all,

I attach the patch which I uploaded to Ubuntu now. It updates the
UMASK and USERGROUPS_ENAB documentation according to the changes
proposed to bug 583958.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
[patch (text/plain, attachment)]


Message #27 received at 583971@bugs.debian.org:

From: Nicolas François <nicolas.francois@centraliens.net>
To: Steve Langasek <vorlon@debian.org>, 583958@bugs.debian.org
Cc: Martin Pitt <mpitt@debian.org>, "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583971@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Fri, 24 Jun 2011 21:36:23 +0200
Hello,

On Tue, Jun 21, 2011 at 11:56:15PM -0700, Steve Langasek wrote:
> 
> Yep, I've just looked over the shadow code that handles USERGROUPS_ENAB; you
> (and ceg) are correct that the USERGROUPS_ENAB option should twiddle the
> umask rather than overriding it entirely.

On the PAM side, are you going to push this patch upstream?

(I'm wondering if the shadow change should be applied upstream or in the
Debian branch only)

Best Regards,
-- 
Nekral





Message #32 received at 583971@bugs.debian.org:

From: Nicolas François <nicolas.francois@centraliens.net>
To: 583971@bugs.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#583971: login.defs: UMASK 022 (and have pam_umask relax it to 002 for private usergroups)
Date: Fri, 24 Jun 2011 21:37:22 +0200
Reminder to myself

The login.defs manpage should be updated too.

-- 
Nekral





Message #37 received at 583971@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Nicolas François <nicolas.francois@centraliens.net>
Cc: 583958@bugs.debian.org, Martin Pitt <mpitt@debian.org>, "C. Gatzemeier" <c.gatzemeier@tu-bs.de>, 583971@bugs.debian.org
Subject: Re: Bug#583958: enable pam_umask usergroups by default
Date: Sat, 25 Jun 2011 21:07:29 -0400
On Fri, Jun 24, 2011 at 09:36:23PM +0200, Nicolas François wrote:
> On Tue, Jun 21, 2011 at 11:56:15PM -0700, Steve Langasek wrote:

> > Yep, I've just looked over the shadow code that handles USERGROUPS_ENAB; you
> > (and ceg) are correct that the USERGROUPS_ENAB option should twiddle the
> > umask rather than overriding it entirely.

> On the PAM side, are you going to push this patch upstream?

Yes - will push upstream prior to applying in Debian.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Forcibly Merged 581413 583971. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Thu, 21 Jul 2011 11:29:15 GMT)


Message #44 received at 583971@bugs.debian.org:

From: "C. Gatzemeier" <c.gatzemeier@tu-bs.de>
To: 583971@bugs.debian.org, 583958@bugs.debian.org
Subject: login.defs: UMASK 022 / enable pam_umask usergroups
Date: Sat, 12 May 2012 00:01:04 +0200
I see you fixed things in ubuntu, what is the status for debian?
Did your patches get to, and accepted upstream?




Added tag(s) patch. Request was from "C. Gatzemeier" <c.gatzemeier@tu-bs.de> to control@bugs.debian.org. (Wed, 07 Nov 2012 19:21:06 GMT)


Message #49 received at 583971@bugs.debian.org:

From: pkg-shadow-devel@lists.alioth.debian.org
To: 583971@bugs.debian.org, 583971-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the shadow package
Date: Wed, 26 Feb 2014 16:42:55 +0000
tag 583971 + pending
thanks

Some bugs in the shadow package are closed in revision
7573a1f68487de0ae60c06922da4c37c8e5604cf in branch 'master' by Micah
Anderson

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-fonts/shadow.git;a=commitdiff;h=7573a1f

Commit message:

    Update documentation of UMASK: Explain that USERGROUPS_ENAB will modify this default for UPGs. (Closes: #583971)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:39:52 2014; Machine Name: buxtehude.debian.org
