[Andreas Henriksson]
> (Please note, I've only looked quickly but it seems like
> USERGROUPS_ENAB option is only used by useradd/userdel and not any
> other tool like su or login implementations in src:shadow. Given we
> tend to use adduser rather than the lower level useradd/userdel tools
> in debian, I'm not sure how relevant it is at all to mix up pam_umask
> usergroups with USERGROUPS_ENAB.)

I do not understand how USERGROUPS_ENAB would be relevant for su or
login. Care to explain? The way I understand it, it would only be
relevant for the mechanism creating home directories and users, and the
mechanism setting umask during login (aka PAM).

> Given a decade has passed without this being handled in Debian
> (despite our PAM usage for as long) and we're now moving away from
> src:shadow implementations, I don't think it makes sense to patch
> things to read USERGROUPS_ENAB option which isn't supported anywhere
> in eg. util-linux implementations which also reads
> /etc/login.defs. I'd suggest we instead deprecate the USERGROUPS_ENAB
> option in /etc/login.defs.

I did not quite understand this rationale. The fact that the default
Debian setup has been less than useful for a decade is no reason not to
fix it now. :)

> JFTR, If common-session gets this setting then su would also given it
> includes common-session.

Good point.

> Setting the pam bug as a blocker for now, but likely this bug report
> should just be reassigned, (force)merged and set as affects util-linux,
> et.al.

To me it seems more sensible to submit the patch to
<URL: https://github.com/linux-pam/linux-pam/ > and try to get it into
upstream as soon as possible.

> Question remains though how we get some movement on the pam side, should
> we just NMU it? Do most people agree we should just use 'usergroups'
> rather than go the ubuntu way of USERGROUPS_ENAB setting?

A useful use case to consider is a site with an LDAP directory with
thousands of users, and home directories on a central server, using some
configuration management system to control a large set of computers. In
such a setting, I suspect it will be easier to change the USERGROUPS_ENAB
setting in /etc/login.defs than to modify the content of
/usr/share/pam-configs/ by providing a replacement debian package to
override the default pam.d configuration. This makes me suspect the
current ubuntu way is better than the 'usergroups' approach.

I suggest asking Steve about his view on this, as he knows PAM a lot
better than me. Cc to Steve and Martin, hoping they can provide useful
input.

-- 
Happy hacking
Petter Reinholdtsen

