Control: block -1 by 583958

Hello Petter Reinholdtsen,

Thanks for your input on this.

On Mon, Aug 13, 2018 at 07:57:06PM +0200, Petter Reinholdtsen wrote:
[...]
> optional pam_umask.so umask=002
>
> Perhaps the default setup should have a similar line? I see from the
> pam_umask manual page a new 'usergroups' option is now available.
[...]

I got inspired and looked around and found these interesting things
related to pam_umask and usergroups:

https://bugs.launchpad.net/ubuntu/+source/pam/+bug/253096
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583958

Apparently Ubuntu patches things in pam to basically use
"pam_umask.so usergroups" except they deprecate usergroups in favour of
reading the pre-pam (src:shadow only?) USERGROUPS_ENAB option in
/etc/login.defs (which ships as set to yes). The Ubuntu bits have of
course also never made it into Debian.

(Please note, I've only looked quickly but it seems like the
USERGROUPS_ENAB option is only used by useradd/userdel and not any other
tool like su or login implementations in src:shadow. Given we tend to
use adduser rather than the lower level useradd/userdel tools in Debian,
I'm not sure how relevant it is at all to mix up pam_umask usergroups
with USERGROUPS_ENAB.)

Given a decade has passed without this being handled in Debian (despite
our PAM usage for as long) and we're now moving away from src:shadow
implementations, I don't think it makes sense to patch things to read
the USERGROUPS_ENAB option, which isn't supported anywhere in e.g.
util-linux implementations which also read /etc/login.defs.
I'd suggest we instead deprecate the USERGROUPS_ENAB option in
/etc/login.defs.

JFTR, if common-session gets this setting then su would also, given it
includes common-session.

Setting the pam bug as a blocker for now, but likely this bug report
should just be reassigned, (force)merged and set as affects util-linux,
et al.

Question remains though how we get some movement on the pam side,
should we just NMU it?

Do most people agree we should just use 'usergroups' rather than go the
Ubuntu way of the USERGROUPS_ENAB setting?

Regards,
Andreas Henriksson

