On Fri, Jan 02, 2026 at 06:22:30PM +0000, Richard Lewis wrote:
> /usr/share/doc/libpam-modules/NEWS.Debian.gz has something about
> usergroups but it's not very informative

That file however answers a lot of the following questions. Let me 
copy it here:

|    Starting with PAM version 1.5.3, Debian supports usergroups for default
|    umask of users logging in.  If the primary group name of a user
|    matches their primary user name (user pat's default group is also
|    called pat), then files will be group writable by default. To disable
|    this use a group name that differs from the user name or add
|    nousergroups to the pam_umask line in
|    /etc/pam.d/common-session and
|    /etc/pam.d/common-session-noninteractive:
|
|    session optional            pam_umask.so nousergroups
|
|
| -- Sam Hartman <[email protected]>  Mon, 08 Apr 2024 16:15:58 -0600


> * what is the new default umask in trixie
>  -- if this is different for new/upgraded systems say what these are
>  -- if there are differences for login via console/ssh say what they are

This is not answered directly, but the advice for disabling is to 
edit both common-session and common-session-noninteractive, so one 
can reasonably assume it applies to all PAM sessions. If you have a
session that is not managed by PAM, you are on your own anyway.

For the actual default, per the explanation it depends on your 
primary group name.

> * what was the default in bookworm

Unclear. The default in bookworm depended on different things, IIRC.

> * what are the main consequences

See above:

|                                If the primary group name of a user
|    matches their primary user name (user pat's default group is also
|    called pat), then files will be group writable by default.

> * what file(s) should be edited to change the default

See above:

|                                                               To disable
|    this use a group name that differs from the user name or add
|    nousergroups to the pam_umask line in
|    /etc/pam.d/common-session and
|    /etc/pam.d/common-session-noninteractive:
|
|    session optional            pam_umask.so nousergroups


C.
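
Added example, not part of the original message or of Debian's PAM packaging: a shell sketch that reports whether a PAM stack file leaves pam_umask's usergroups behaviour on, and what umask a given user ends up with. The function names, the output labels and the base umask of 022 are assumptions; the bit rule follows the pam_umask(8) description (group bits take the owner bits, not applied to root).

```shell
#!/bin/sh
# Added example; function names and output labels are this script's own.

# pam_umask_mode FILE -> "absent", "usergroups" or "nousergroups"
# "nousergroups" is reported only if every pam_umask session line carries it.
pam_umask_mode() {
    awk '
        { sub(/#.*/, "") }                      # drop comments, full-line or trailing
        $1 ~ /^-?session$/ {
            # the control field may be a multi-word [..] block, so scan for the module
            for (i = 3; i <= NF; i++) {
                if ($i !~ /pam_umask\.so$/) continue
                seen++
                for (j = i + 1; j <= NF; j++)
                    if ($j == "nousergroups") { off++; break }
                break
            }
        }
        END {
            if (!seen) print "absent"
            else if (off == seen) print "nousergroups"
            else print "usergroups"
        }' "$1"
}

# effective_umask BASE UID USER GROUP MODE -> four-digit octal umask
# With usergroups active, a non-root user whose primary group name equals the
# user name gets the owner bits copied into the group bits (022 -> 002).
effective_umask() {
    base=$((0$1))                               # leading 0: parse as octal
    if [ "$5" = usergroups ] && [ "$2" -ne 0 ] && [ "$3" = "$4" ]; then
        base=$(( (base & ~0070) | ((base >> 3) & 0070) ))
    fi
    printf '%04o\n' "$base"
}

# audit_user USER FILE... : one line per PAM file, assuming a base umask of 022
audit_user() {
    user=$1; shift
    uid=$(id -u "$user") && grp=$(id -gn "$user") || return 1
    for f in "$@"; do
        mode=$(pam_umask_mode "$f")
        printf '%s: %s, umask 022 becomes %s for %s\n' "$f" "$mode" \
            "$(effective_umask 022 "$uid" "$user" "$grp" "$mode")" "$user"
    done
}
```

After sourcing the functions, `audit_user pat /etc/pam.d/common-session /etc/pam.d/common-session-noninteractive` checks both files named in the NEWS entry for the user pat.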
