I'm not a PAM expert, but can perhaps provide an interesting data point.
In Debian Edu, we provide the following /usr/share/pam-configs/edu-umask to
ensure the umask is set to 002:

  Name: umask set at login (Debian Edu version)
  Default: yes
  Priority: 0
  Session-Type: Additional
  Session:
  	optional	pam_umask.so umask=002

Perhaps the default setup should have a similar line? I see from the
pam_umask manual page a new 'usergroups' option is now available. As far as
I remember, it was not available when I created the edu-umask pam-config. It
seems to provide the setup wanted by Debian Edu, so perhaps Debian Edu should
switch to pam_umask.so usergroups? CC to the debian-edu@ list to make everyone
there aware of the option.
--
Happy hacking
Petter Reinholdtsen
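
The difference between the fixed umask=002 line and the usergroups option discussed in the message above, as an added example that is not part of the original message or of Debian Edu's packaging. It follows the rule the pam_umask manual page gives for usergroups (a non-root user whose name equals the primary group name gets the owner bits copied into the group bits); the base umask of 022, the function names and the passwd/group lines are assumptions constructed for the example.

```python
# Constructed sample account data (not taken from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
"""
GROUP = """\
root:x:0:
alice:x:1000:
users:x:100:
"""

def usergroups_umask(base, user, uid, primary_group):
    """Model of 'pam_umask.so usergroups': only a non-root user whose name
    matches the primary group name gets group bits = owner bits."""
    if uid != 0 and user == primary_group:
        return (base & ~0o070) | ((base >> 3) & 0o070)
    return base

def audit(passwd=PASSWD, group=GROUP, base=0o022, fixed=0o002):
    """Compare a fixed 'umask=002' with 'usergroups' for every account."""
    names, members = {}, {}
    for line in group.splitlines():
        name, _, gid, extra = line.split(":")
        names[int(gid)] = name
        members[int(gid)] = {m for m in extra.split(",") if m}
    accounts = []
    for line in passwd.splitlines():
        f = line.split(":")
        accounts.append((f[0], int(f[2]), int(f[3])))
        members.setdefault(int(f[3]), set()).add(f[0])
    report = {}
    for user, uid, gid in accounts:
        shared = len(members[gid]) > 1
        report[user] = {
            "usergroups": usergroups_umask(base, user, uid, names.get(gid, "")),
            "fixed": fixed,
            # True when the fixed umask leaves new files group-writable
            # in a primary group that other accounts also belong to.
            "fixed_exposes": shared and not fixed & 0o020,
        }
    return report

if __name__ == "__main__":
    for user, r in audit().items():
        print(f"{user:6} usergroups={r['usergroups']:03o} "
              f"fixed={r['fixed']:03o} shared-group-writable={r['fixed_exposes']}")
```

With these sample accounts only alice, who has a private group, ends up with 002 under usergroups, while the fixed setting also makes bob's and carol's new files writable by everyone in the shared users group.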