* Reinhard Tartler <siret...@debian.org> [100517 08:56]:
> Let's have a look at the source. Note that options->usergroups is set
> iff the option "usergroups" is used.
>
> ,----[modules/pam_umask/pam_umask.c]
> | /* Set the process nice, ulimit, and umask from the
> |    password file entry.  */
> | static void
> | setup_limits_from_gecos (pam_handle_t *pamh, options_t *options,
> |                          struct passwd *pw)
> | {
> |   char *cp;
> |
> |   if (options->usergroups)
> |     {
> |       /* if not root, and UID == GID, and username is the same as
> |          primary group name, set umask group bits to be the same as
> |          owner bits (examples: 022 -> 002, 077 -> 007).  */
> |       if (pw->pw_uid != 0 && pw->pw_uid == pw->pw_gid)
> |         {
> |           struct group *grp = pam_modutil_getgrgid (pamh, pw->pw_gid);
> |           if (grp && (strcmp (pw->pw_name, grp->gr_name) == 0))
> |             {
> |               mode_t oldmask = umask (0777);
> |               umask ((oldmask & ~070) | ((oldmask >> 3) & 070));
> |             }
> |         }
> |     }
> `----
>
> This part of pam seems to match the documentation in pam_umask(8).
>
> > And it was said in this thread that UID == GID is not always true with
> > UPG. You only need to create a group for that to become false for users
> > you would create afterwards.
>
> I'd say if Debian's idea of UPG doesn't match pam's, we should either
> change the pam implementation or the implementation of Debian's UPG
> concept to match each other.
>
> In any case, using pam_umask by default seems to be the best approach so far.

This looks like a bug in pam_umask. UPG has never guaranteed uid=gid.
I'll file a bug.

...Marvin
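
An added example, not part of the thread and not pam_umask code: the mask arithmetic and the account test from the quoted function, written as pure C functions next to a hypothetical name-only variant (`is_upg_by_name`) that drops the UID == GID condition questioned above. The `struct acct` records, the sample accounts and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed record holding only the fields the quoted check reads. */
struct acct {
    const char *user;   /* pw_name */
    uid_t uid;          /* pw_uid */
    gid_t gid;          /* pw_gid */
    const char *group;  /* gr_name of the primary group */
};

/* Same arithmetic as the quoted code: group bits become a copy of owner bits. */
static mode_t usergroups_mask(mode_t oldmask)
{
    return (oldmask & ~070) | ((oldmask >> 3) & 070);
}

/* Test as quoted: not root, UID == GID, user name == primary group name. */
static int is_upg_quoted(const struct acct *a)
{
    return a->uid != 0 && a->uid == a->gid && strcmp(a->user, a->group) == 0;
}

/* Hypothetical variant (an assumption, not a proposed patch): name match only.
   A matching name alone does not prove the group has no other members. */
static int is_upg_by_name(const struct acct *a)
{
    return a->uid != 0 && strcmp(a->user, a->group) == 0;
}

int main(void)
{
    /* Constructed accounts; bob's private group got GID 1002 because another
       group was created before his account, so UID != GID. */
    const struct acct accts[] = {
        {"alice", 1000, 1000, "alice"},
        {"bob",   1001, 1002, "bob"},
        {"carol", 1002, 100,  "users"},
        {"root",  0,    0,    "root"},
    };
    for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++) {
        const struct acct *a = &accts[i];
        printf("%-6s quoted: %03o  by-name: %03o\n", a->user,
               (unsigned)(is_upg_quoted(a) ? usergroups_mask(022) : 022),
               (unsigned)(is_upg_by_name(a) ? usergroups_mask(022) : 022));
    }
    return 0;
}
```

With a starting umask of 022, only bob differs between the two columns: the quoted test leaves him at 022 although his primary group is private.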