Your message dated Wed, 23 Apr 2014 17:00:09 +0000
with message-id <[email protected]>
and subject line Bug#583971: fixed in shadow 1:4.2-1
has caused the Debian Bug report #583971,
regarding The default umask in Debian should be changed to '0002' to be fully 
compliant with user private groups
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
583971: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: login
Version: 1:4.1.4.2-1

First, a discussion about this bug on the debian-devel mailing list [1].
This affects unstable, testing and stable.

To summarize: Debian uses user private groups (UPG) by default. This
places each user on the system in their own default, private group, that
no one else is, or should be, a member of. However, the default umask
value for Debian is '0022'.

The old umask value comes from historical UNIX, where every user on the
system was placed in a "users" group. Thus, the write bit needed to be
removed from the group, to keep others from modifying personal files.

The discussion on the mailing list seems to be largely in favor of
making the change. Some favorable points brought up were:
* umask '0002' is default on most UNIX systems that use UPG
* Group collaboration means setting the SGID bit on directories, for the
appropriate group to be set on new files/dirs, but the write bit is
always missing in the group mode. Setting the default umask to '0002'
would fix this.
* According to [2], setting the umask to '0002' is recommended.
* Previous discussion here [3] and here [4].
* UPG without umask '0002' is pointless. We might as well be using the
'users' group.
* Our default setup of UPG with 'umask 0022' doesn't make sense. It's broken.

Those who seemed to not favor the change (correct me if I'm wrong),
brought up the following points:
* FACLs can fix any filesystem permission problem. For group
collaboration, FACLs should be, and usually are, used.
* 'umask 0002' and 'umask 0022' are not secure enough. The default umask
should be '0077' instead, increasing security of the system.
* PAM should be configured to make these changes rather than changing
the umask value.

For points of comparison, the following UNIX-like operating systems
implement UPG and 'umask 0002':
* Red Hat Enterprise Linux [5]
* Fedora
* CentOS
* Oracle Enterprise Linux

The following systems still use the older historical "users" group with
'umask 0022':
* openSUSE
* SUSE Enterprise Desktop
* SUSE Enterprise Server
* Slackware
* HP-UX
* Solaris

The following systems use UPG with 'umask 0022':
* FreeBSD
* OpenBSD
* NetBSD
* Ubuntu
* Arch

Other implementations:
* Mac OS X (places the user in the 'staff' group, and the root user in
the 'admin' group. default umask is 0022)
* Open Solaris (places the user in the 'staff' group, and the root user
in the 'root' group. default umask is 0022)

[1] http://lists.debian.org/debian-devel/2010/05/msg00252.html
[2] http://preview.tinyurl.com/3anklq9
[3] http://lists.debian.org/debian-user/1994/03/msg00105.html
[4] http://lists.debian.org/debian-user/1994/03/threads.html
[5] http://preview.tinyurl.com/2dambk2

Additional references:
* http://preview.tinyurl.com/3xzs2fe
* http://preview.tinyurl.com/55amty

-- 
. O .   O . O   . . O   O . .   . O .
. . O   . O O   O . O   . O O   . . O
O O O   . O .   . O O   O O .   O O O



--- End Message ---
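
The SGID-directory point in the report above, and the USERGROUPS_ENAB behaviour that the closing changelog documents, as an added example (not part of either message, not code from shadow). The function names are hypothetical; the adjustment rule follows the documented pam_umask `usergroups` behaviour (non-root, user name equals primary group name, 022 becomes 002), combined here with the uid == gid condition as an assumption.

```shell
#!/bin/sh
# Added illustration; helper names are hypothetical, not from shadow or PAM.

# Print the octal mode of a file created inside a setgid "project"
# directory under the given umask (GNU stat assumed).
new_file_mode() {
    (
        umask "$1"
        d=$(mktemp -d) || exit 1
        chmod 2775 "$d"          # SGID dir: new files inherit the group
        : > "$d/shared.txt"      # created as 0666 & ~umask
        stat -c %a "$d/shared.txt"
        rm -rf "$d"
    )
}

# Apply the user-private-group adjustment to a base umask:
# for a non-root user whose uid equals gid and whose user name equals
# the primary group name, copy the owner bits into the group bits.
# Args: base_umask uid gid user group
upg_umask() {
    mask=$((0$1))                # leading 0 => parsed as octal
    if [ "$2" -ne 0 ] && [ "$2" -eq "$3" ] && [ "$4" = "$5" ]; then
        owner=$(( (mask >> 6) & 7 ))
        mask=$(( (mask & 0707) | (owner << 3) ))
    fi
    printf '%04o\n' "$mask"
}

# Constructed sample accounts: alice has a private group, bob is in "users".
echo "umask 0022 in SGID dir -> $(new_file_mode 0022)"
echo "umask 0002 in SGID dir -> $(new_file_mode 0002)"
echo "alice (UPG)   base 0022 -> $(upg_umask 0022 1000 1000 alice alice)"
echo "bob (users)   base 0022 -> $(upg_umask 0022 1001 100 bob users)"
echo "alice (UPG)   base 0077 -> $(upg_umask 0077 1000 1000 alice alice)"
```

With a base of 0077 the adjustment yields 0007, so a hardened default still leaves "other" with no access while the private group mirrors the owner.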
--- Begin Message ---
Source: shadow
Source-Version: 1:4.2-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <[email protected]> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 22 Apr 2014 09:01:42 +0200
Source: shadow
Binary: passwd login uidmap
Architecture: source i386
Version: 1:4.2-1
Distribution: experimental
Urgency: low
Maintainer: Shadow package maintainers 
<[email protected]>
Changed-By: Christian Perrier <[email protected]>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Closes: 583971 670132 675824 677275 677441 677812 679152 685415 688252 688260 
691459 705301 713979 718356 720004 739981 744877
Changes: 
 shadow (1:4.2-1) experimental; urgency=low
 .
   [ Nicolas FRANCOIS (Nekral) ]
   * New upstream release. Fixes:
     - Invalid free() in su fixed by using strdup(). Thanks to Serge
       Hallyn for the patch. Closes: #691459
     - Kill the child process group, rather than just the
       immediate child; this is needed now that su no
       longer starts a controlling terminal when not running an
       interactive shell. Thanks to Colin Watson for the patch.
       Closes: #713979
     - German manpages translation update. Closes: #679152
     - Improve login.defs (typographic errors and better format).
       Closes: #685415
     - Russian translation update. Closes: #718356
     - Do not assume random() is limited by RAND_MAX.  Closes: #677275
     - Support C libraries with unknown fields in struct passwd.
       Closes: #675824
     - su: child cleanup is performed before terminating PAM sessions. This
       avoids annoying "...terminated" messages when PAM module sends signal to
       su during session close. Closes: #670132
     - vipw/vigr is checking arguments provided after options. Closes: #677812
     - Updated Japanese translation. Closes: #720004
     - vipw: Fix error reporting when editor fails. Closes: #688260
   * Moved to git: replace Vcs-Git in place of Vcs-Svn and adapt
     Vcs-Browser.
   * Add pam_loginuid to login PAM settings. Closes: #677441
   * passwd.install: add new subuid.5 and subgid.5 manpages
   * debian/rules, debian/control, debian/uidmap.install: create new uidmap
     package containing the new setuid-root binaries newuidmap and newgidmap
     Set uidmap as priority optional.
   * debian/login.su.pam: Enable pam_limits by default. Closes: #705301
   * debian/rules: Set default editor to sensible-editor for vipw.
     Closes: #688252
 .
   [ Micah Anderson ]
   * added debian/patches/userns to enable use of subuids, plus some bugfix
     patches on top of them, patches from Eric Biederman, pulled from
     Ubuntu. Closes: #739981
   * Allow LXC devices (lxc/console, lxc/tty[1234]) in securetty.linux
   * Update documentation of UMASK: Explain that USERGROUPS_ENAB will modify
     this default for UPGs. (Closes: #583971)
   * login.postinst: install a default /etc/subuid and /etc/subgid
   * fix installation of setuid/setgid/newuidmap/newgid/map man pages
 .
   [ Laurent Bigonville ]
   * Switch to dpkg-source 3.0 (quilt) format
   * Add build-dependency against bison
   * Call dh-autoreconf since we need to regenerate all the autofoo files
 .
   [ Philippe Grégoire ]
   * Fix 1000_configure_userns to avoid dropping a needed #endif
     Closes: #744877
 .
   [ Christian Perrier ]
   * Bump Standards to 3.9.5 (checked)
   * Use 'set -e' in postinst scripts and not in their shebang line
   * Explicitly point to GPL-2 document in debian/copyright

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
