Your message dated Wed, 23 Apr 2014 17:00:09 +0000
with message-id <[email protected]>
and subject line Bug#583971: fixed in shadow 1:4.2-1
has caused the Debian Bug report #583971,
regarding login.defs: UMASK 022 (and have pam_umask relax it to 002 for private usergroups)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
583971: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: login

(Filing this, to track the TODOs from the discussion that followed
http://lists.debian.org/debian-devel/2010/05/msg00887.html)


login.defs should contain UMASK 022 while pam_umask conditionally
relaxes it to 002 for private usergroups. (Like it used to
be before PAM was introduced, without pam_umask support at that
time.)

A UPG usage text: https://wiki.ubuntu.com/MultiUserManagement

Here is a draft for the login.defs comments:

--8<----- cut here ----------
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# UMASK Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
#
# On PAM-enabled systems the UMASK setting in this file is used as a
# global default by pam_umask. (See man pam_umask for global and per
# user overrides.) Setting the umask in any shell rc files
# (i.e. /etc/profile and others) instead of with pam_umask is
# deprecated because they don't catch all classes of user entry
# to the system.
#
# On non-PAM (login) systems setting the umask in shell rc files, in
# addition to the UMASK setting here, can catch some more classes of
# user entries to system. (Logins through su, cron, ssh etc.)
# At the same time, using shell rc files to set umask won't catch cases
# which use non-shell executables in place of a login shell,
# like /usr/sbin/pppd for the "ppp" user and alike.
#
# UMASK 022 is the default value in Debian,
# 027 or even 077 could be considered better for privacy, if
# user private groups (UPGs) have been disabled (see /etc/adduser.conf
# and option USERGROUPS_ENAB below), the home directories have all been
# created with restricted permissions (adduser.conf) and the users in the
# system are not to trust each other to read each other's files
# they created in accessible directories.
# There is no One True Answer here: Each sysadmin must make up his/her
# mind.
#
# Note that with login's USERGROUPS_ENAB feature, or
# with the "usergroups" feature of pam_umask (debian default),
# if a user has been created with a user private group (UPG) that user's
# group permission umask value is adjusted to match the user permission
# value (i.e. 022->002). This enables flawless collaboration for UPG
# users in group directories, without risking a too permissive system
# wide default.
UMASK 022

--8<---------------





--- End Message ---
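
The relaxation proposed in the report above can be worked through as an added example (not part of the original message and not code from shadow or Linux-PAM). It assumes a user private group is detected as a non-root user whose uid equals the gid and whose name equals the primary group name; the sample login.defs fragment, the accounts and all function names are constructed for illustration.

```python
# Added example; the sample data below is constructed, not taken from a real system.
SAMPLE_LOGIN_DEFS = """\
ERASECHAR 0177
KILLCHAR 025
# UMASK 077   (commented out, must be ignored)
UMASK 022
USERGROUPS_ENAB yes
"""

def parse_login_defs(text):
    """Return {KEY: value} for the uncommented 'KEY value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings

def parse_number(value):
    """Prefix "0" means octal and "0x" hexadecimal, as the draft comment says."""
    v = value.lower()
    if v.startswith("0x"):
        return int(v, 16)
    if v.startswith("0") and len(v) > 1:
        return int(v, 8)
    return int(v, 10)

def effective_umask(settings, user, uid, gid, primary_group):
    """Apply the UPG relaxation: group bits take the value of the owner bits."""
    # Falling back to 022 when UMASK is absent is an assumption of this example.
    mask = parse_number(settings.get("UMASK", "022")) & 0o777
    enabled = settings.get("USERGROUPS_ENAB", "no").lower() == "yes"
    is_upg = uid != 0 and uid == gid and user == primary_group  # assumed UPG test
    if enabled and is_upg:
        mask = (mask & ~0o070) | ((mask >> 3) & 0o070)
    return mask

def created_modes(mask):
    """Modes of a newly created (file, directory) under this umask."""
    return 0o666 & ~mask, 0o777 & ~mask

if __name__ == "__main__":
    cfg = parse_login_defs(SAMPLE_LOGIN_DEFS)
    for user, uid, gid, group in [("alice", 1000, 1000, "alice"),
                                  ("bob", 1001, 100, "users"),
                                  ("root", 0, 0, "root")]:
        m = effective_umask(cfg, user, uid, gid, group)
        f, d = created_modes(m)
        print(f"{user}: umask {m:03o} file {f:03o} dir {d:03o}")
```

Only the account with a private group gets group-writable files; an account in a shared primary group and root both keep the system-wide 022.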
--- Begin Message ---
Source: shadow
Source-Version: 1:4.2-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <[email protected]> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 22 Apr 2014 09:01:42 +0200
Source: shadow
Binary: passwd login uidmap
Architecture: source i386
Version: 1:4.2-1
Distribution: experimental
Urgency: low
Maintainer: Shadow package maintainers <[email protected]>
Changed-By: Christian Perrier <[email protected]>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
 uidmap     - programs to help use subuids
Closes: 583971 670132 675824 677275 677441 677812 679152 685415 688252 688260 691459 705301 713979 718356 720004 739981 744877
Changes: 
 shadow (1:4.2-1) experimental; urgency=low
 .
   [ Nicolas FRANCOIS (Nekral) ]
   * New upstream release. Fixes:
     - Invalid free() in su fixed by using strdup(). Thanks to Serge
       Hallyn for the patch. Closes: #691459
     - Kill the child process group, rather than just the
       immediate child; this is needed now that su no
       longer starts a controlling terminal when not running an
       interactive shell. Thanks to Colin Watson for the patch.
       Closes: #713979
     - German manpages translation update. Closes: #679152
     - Improve login.defs (typographic errors and better format).
       Closes: #685415
     - Russian translation update. Closes: #718356
     - Do not assume random() is limited by RAND_MAX.  Closes: #677275
     - Support C libraries with unknown fields in struct passwd.
       Closes: #675824
     - su: child cleanup is performed before terminating PAM sessions. This
       avoids annoying "...terminated" messages when PAM module send signal to
       su during session close. Closes: #670132
     - vipw/vigr is checking arguments provided after options. Closes: #677812
     - Updated Japanese translation. Closes: #720004
     - vipw: Fix error reporting when editor fails. Closes: #688260
   * Moved to git: replace Vcs-Git in place of Vcs-Svn and adapt
     Vcs-Browser.
   * Add pam_loginuid to login PAM settings. Closes: #677441
   * passwd.install: add new subuid.5 and subgid.5 manpages
   * debian/rules, debian/control, debian/uidmap.install: create new uidmap
     package containing the new setuid-root binaries newuidmap and newgidmap
     Set uidmap as priority optional.
   * debian/login.su.pam: Enable pam_limits by default. Closes: #705301
   * debian/rules: Set default editor to sensible-editor for vipw.
     Closes: #688252
 .
   [ Micah Anderson ]
   * added debian/patches/userns to enable use of subuids, plus some bugfix
     patches on top of them, patches from Eric Biederman, pulled from
     Ubuntu. Closes: #739981
   * Allow LXC devices (lxc/console, lxc/tty[1234]) in securetty.linux
   * Update documentation of UMASK: Explain that USERGROUPS_ENAB will modify
     this default for UPGs. (Closes: #583971)
   * login.postinst: install a default /etc/subuid and /etc/subgid
   * fix installation of setuid/setgid/newuidmap/newgid/map man pages
 .
   [ Laurent Bigonville ]
   * Switch to dpkg-source 3.0 (quilt) format
   * Add build-dependency against bison
   * Call dh-autoreconf since we need to regenerate all the autofoo files
 .
   [ Philippe Grégoire ]
   * Fix 1000_configure_userns to avoid dropping a needed #endif
     Closes: #744877
 .
   [ Christian Perrier ]
   * Bump Standards to 3.9.5 (checked)
   * Use 'set -e' in postinst scripts and not in their shebang line
   * Explicitly point to GPL-2 document in debian/copyright

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---