Re: Subject: UMASK 002 or 022?
On Thu, Jun 29, 2017 at 12:21 AM, gwmfms6 wrote:

> Paul, you seemed to indicate that you were able to set a different "user
> default" umask in Stretch that's respected by gnome apps like gedit?

No, I didn't indicate that. See my other reply for clarification.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Re: Subject: UMASK 002 or 022?
My thinking in advocating for OTHER being 7 (ie, 027 or 077) was that the incidents when someone wants OTHER to have access to their files are fewer than when they do not want OTHER to have access. Do users generally want OTHER to be able to read all their files? Or do they have a particular set of files that they want OTHER to be able to access/read? In this context it makes more sense to me to put the burden on adjusting those specific files that the user wants OTHER to have access to instead of having them that way by default. Having to adjust those specific files also reinforces to the user what they are doing (ie, they are giving the world access to those particular files).

On 2017-06-28 07:25, Ian Jackson wrote:

> Paul Wise writes ("Re: Subject: UMASK 002 or 022?"):
> > On Wed, Jun 28, 2017 at 1:11 AM, gwmfms6 wrote:
> > > This discussion should be on whether to set a default UMASK of 077 or 027.
> >
> > I think the appropriate default umask is 077 due to the possibility of some sites not naming the primary group of each user after the user.
>
> The appropriate default umask is 002 if the user's primary group is named after the user, or 022 otherwise.
>
> If only we had some kind of automated information processing equipment which could collect necessary inputs and then make correct decisions.
>
> Ian.
Re: Subject: UMASK 002 or 022?
Paul, you seemed to indicate that you were able to set a different "user default" umask in Stretch that's respected by gnome apps like gedit? How did you do it?

On 2017-06-28 09:21, Paul Wise wrote:

> On Wed, Jun 28, 2017 at 7:25 PM, Ian Jackson wrote:
> > The appropriate default umask is 002 if the user's primary group is named after the user, or 022 otherwise.
>
> AFAICT, neither of these achieve what the initiator of the thread wants to achieve; no read access by other users to one's files on multi-user systems by default.
Re: Subject: UMASK 002 or 022?
On Wed, Jun 28, 2017 at 8:59 PM, gwmfms6 wrote:

> You didn't notice because you run umask from your shell configuration?

I should clarify, I meant bash shell not gnome-shell.

> In other words, you have a working umask in Stretch?

In my terminals yes, but not in apps launched from the GUI.

> Can you tell me how to "run `umask 027` from my shell configuration"?

I have the equivalent of this:

echo 'umask 027' >> ~/.bashrc

> Currently, I have not found a way to get gnome to respect umask setting in
> Stretch.

No idea how to do that.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Re: Subject: UMASK 002 or 022?
You didn't notice because you run umask from your shell configuration? In other words, you have a working umask in Stretch? I want a working umask in stretch. Can you tell me how to "run `umask 027` from my shell configuration"? Currently, I have not found a way to get gnome to respect umask setting in Stretch.

On 2017-06-28 00:14, Paul Wise wrote:

> I had "UMASK 027" in /etc/login.defs and I didn't notice that this no longer works because I also run `umask 027` from my shell configuration. If you can track down why this no longer works, please file a bug about it and convince the maintainer to fix it in stretch.
Re: Subject: UMASK 002 or 022?
Setting umask in ~/.profile on Jessie works for me.

On 2017-06-28 01:04, Arto Jantunen wrote:

> It doesn't work since pam_umask isn't run by default. However as far as I know this has been the case for a very long time (the oldest install I can check quickly is squeeze and it has the same issue).
Re: Subject: UMASK 002 or 022?
On Wed, Jun 28, 2017 at 7:25 PM, Ian Jackson wrote:

> The appropriate default umask is 002 if the user's primary group is
> named after the user, or 022 otherwise.

AFAICT, neither of these achieve what the initiator of the thread wants to achieve; no read access by other users to one's files on multi-user systems by default.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Re: Subject: UMASK 002 or 022?
Paul Wise writes ("Re: Subject: UMASK 002 or 022?"):
> On Wed, Jun 28, 2017 at 1:11 AM, gwmfms6 wrote:
> > This discussion should be on whether to set a default UMASK of 077 or 027.
>
> I think the appropriate default umask is 077 due to the possibility of
> some sites not naming the primary group of each user after the user.

The appropriate default umask is 002 if the user's primary group is named after the user, or 022 otherwise.

If only we had some kind of automated information processing equipment which could collect necessary inputs and then make correct decisions.

Ian.
Subject: UMASK 002 or 022?
I'd like to know why giving the world (Other) read access is even under consideration. If user wants a file to have Other readability this should be on the user to set it, but it should not be the default.

What is the justification that every user be able to read every other user's documents?

This discussion should be on whether to set a default UMASK of 077 or 027.

NOTE: this discussion is made all the more important currently because it seems impossible to set a UMASK at all on Debian Stretch. None of the usual ways work within gnome on Debian Stretch. Can anyone comment on this fact? How does one get gnome to respect the umask value that's set in ~/.profile? Or if not ~/.profile where does one set the default umask value for gnome?
Re: Subject: UMASK 002 or 022?
Hi,

On 27.06.2017 19:11, gwmf...@openmailbox.org wrote:

> I'd like to know why giving the world (Other) read access is even under
> consideration. If user wants a file to have Other readability this
> should be on the user to set it, but it should not be the default.

That can be solved by excluding people from the directory the files are in -- in order to access a file, all directories on the way there need to have at least 'x' permission for the current user.

So, an umask of 022 and having each user in a single-member primary group gives the user all options:

- To make your home directory completely private, chmod it to 750 (the group permissions don't matter really, because there is no one else in the group).
- To allow other users to pass through your home directory (e.g. the webserver on the way to ~/public_html), chmod your home to 751.
- To create a directory that a group of users may write to, use chgrp and then set permissions to 2770 (or 2775, if others should also be able to read).

The Debian installation used to ask whether home directories should be private by default, IIRC that question still exists but is too low priority to be shown outside of expert mode. You can use dpkg-reconfigure adduser to set this up, then new user home directories will be created with 750 permissions.

This method allows a one-time setup of desired behaviour, while the umask would need to be set at every login, and if it weren't set up correctly, this would lead to files having the wrong permission with no warning -- that's why it's more robust to just create files as readable for others and lock them out of the entire home directory.

> What is the justification that every user be able to read everyone
> else's documents?

That depends on your use case. At university, we generally left the home directory open, and kept a separate ~/private directory with restrictive permissions, because it allowed us to easily share non-private files by just telling people to get them from our home directories.

Simon
Re: Subject: UMASK 002 or 022?
Paul Wise writes:

> On Wed, Jun 28, 2017 at 1:11 AM, gwmfms6 wrote:
>
>> I'd like to know why giving the world (Other) read access is even under
>> consideration. If user wants a file to have Other readability this should be
>> on the user to set it, but it should not be the default.
>
> I expect for most Debian deployments this isn't that relevant, since
> most are either servers with no real users or single-user systems with
> no guest account.
>
>> What is the justification that every user be able to read everyone else's
>> documents?
>
> This decision was made in the mists of time and has never been questioned.
>
>> This discussion should be on whether to set a default UMASK of 077 or 027.
>
> I think the appropriate default umask is 077 due to the possibility of
> some sites not naming the primary group of each user after the user.

077 is a poor choice of default given that we decided to have users in their own dedicated group precisely to allow more generous group permissions, and if someone decides to deviate from that policy they need to take care of the consequences of their actions.

In case anyone is wondering why we have users in their own group, it is to allow one to create shared group directories, with the group s-bit set, so that anyone in that group can create files in that directory. If one has a 077 umask, that results in files in s-bit directories being created that only the creator can read, which is almost certainly not what you wanted. To fix that, one sets a umask of something like 027 or 022 or 002 depending on your needs, but on traditional *nix systems all users would generally be in a users or staff group, so you just gave overly-permissive access to your home directory by doing that -- hence the dedicated per-user groups.

> That said, 027 would probably be a reasonable default too since most
> sites do not do that.

I think 027 is much easier to justify, it seems likely that anyone that prefers 022 over 027 is more likely to know why.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
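
[Added example, not part of any message in this thread: a shell sketch of the point made above about umask 077 inside a group s-bit directory, using the 2770 shared-directory mode from Simon's message. The directory is a temporary one created for the demonstration, and the function names are made up here.]

```shell
#!/bin/sh
# Added example: mode of a new file inside a setgid shared directory
# (mode 2770) under each umask discussed in the thread.

# Print the octal permission bits of a path (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# new_file_mode UMASK DIR: create a file in DIR under UMASK, print its mode.
# The body runs in a subshell, so the caller's umask is left untouched.
new_file_mode() (
    umask "$1" || exit 1
    f="$2/file-$1"
    rm -f "$f"
    : > "$f" || exit 1
    mode_of "$f"
)

# Succeed if the group-read / other-read bit is set in an octal mode string.
group_can_read() { [ $(( (0$1 >> 3) & 4 )) -ne 0 ]; }
other_can_read() { [ $(( 0$1 & 4 )) -ne 0 ]; }

# Print one line per umask: resulting file mode and who can read it.
report() {
    dir=$(mktemp -d) || return 1
    chmod 2770 "$dir"   # s-bit: new files take the directory's group
    for u in 077 027 022 002; do
        m=$(new_file_mode "$u" "$dir")
        if group_can_read "$m"; then g=yes; else g=no; fi
        if other_can_read "$m"; then o=yes; else o=no; fi
        echo "umask $u -> mode $m group-read=$g other-read=$o"
    done
    rm -rf "$dir"
}

report
```

Only the 077 row leaves the other members of the shared directory's group unable to read the new file; 027 keeps group read while still denying Other.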
Re: Subject: UMASK 002 or 022?
Paul Wise writes:

> On Wed, Jun 28, 2017 at 1:11 AM, gwmfms6 wrote:
>> NOTE: this discussion is moot at the present time anyway because it is
>> impossible to set a UMASK at all on Debian Stretch. None of the usual ways
>> work within gnome on Debian Stretch. Can anyone comment on this fact?
>
> I had "UMASK 027" in /etc/login.defs and I didn't notice that this no
> longer works because I also run `umask 027` from my shell
> configuration. If you can track down why this no longer works, please
> file a bug about it and convince the maintainer to fix it in stretch.

It doesn't work since pam_umask isn't run by default. However as far as I know this has been the case for a very long time (the oldest install I can check quickly is squeeze and it has the same issue).

--
Arto Jantunen
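
[Added example, not part of any message in this thread: a shell check for the situation described above, where UMASK is set in a login.defs-style file but no PAM session line loads pam_umask. The function names and the sample file contents are constructed for illustration; on a real Debian system the files to pass would be the PAM session configuration (assumed here to be /etc/pam.d/common-session) and /etc/login.defs.]

```shell
#!/bin/sh
# Added example: report whether a UMASK setting has a PAM module enabled
# to apply it. Both files are passed as arguments, nothing is modified.

# pam_umask_enabled FILE: succeed if FILE has an uncommented session line
# that loads pam_umask.so.
pam_umask_enabled() {
    grep -Eq '^[[:space:]]*-?session[[:space:]]+.*pam_umask\.so' "$1"
}

# login_defs_umask FILE: print the value of the last active UMASK line.
# Commented lines ("#UMASK 022", "# UMASK ...") are ignored.
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { if (v != "") print v }' "$1"
}

# check_umask_config PAM_FILE LOGIN_DEFS: print a one-line verdict.
check_umask_config() {
    u=$(login_defs_umask "$2")
    if pam_umask_enabled "$1"; then p=enabled; else p=disabled; fi
    echo "UMASK=${u:-unset} pam_umask=$p"
}

# Run the check against constructed sample files (not from a real system).
demo() {
    t=$(mktemp -d) || return 1
    printf '%s\n' '# UMASK is the default umask value' 'UMASK 027' \
        > "$t/login.defs"
    printf '%s\n' 'session required pam_unix.so' \
        '#session optional pam_umask.so' > "$t/pam-off"
    printf '%s\n' 'session required pam_unix.so' \
        'session optional pam_umask.so' > "$t/pam-on"
    check_umask_config "$t/pam-off" "$t/login.defs"
    check_umask_config "$t/pam-on" "$t/login.defs"
    rm -rf "$t"
}

demo
```

A result of `pam_umask=disabled` with a UMASK value present matches the case in this thread: the setting exists but nothing in that PAM file applies it.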
Re: Subject: UMASK 002 or 022?
On Wed, Jun 28, 2017 at 1:11 AM, gwmfms6 wrote:

> I'd like to know why giving the world (Other) read access is even under
> consideration. If user wants a file to have Other readability this should be
> on the user to set it, but it should not be the default.

I expect for most Debian deployments this isn't that relevant, since most are either servers with no real users or single-user systems with no guest account.

> What is the justification that every user be able to read everyone else's
> documents?

This decision was made in the mists of time and has never been questioned.

> This discussion should be on whether to set a default UMASK of 077 or 027.

I think the appropriate default umask is 077 due to the possibility of some sites not naming the primary group of each user after the user. That said, 027 would probably be a reasonable default too since most sites do not do that.

> NOTE: this discussion is moot at the present time anyway because it is
> impossible to set a UMASK at all on Debian Stretch. None of the usual ways
> work within gnome on Debian Stretch. Can anyone comment on this fact?

I had "UMASK 027" in /etc/login.defs and I didn't notice that this no longer works because I also run `umask 027` from my shell configuration. If you can track down why this no longer works, please file a bug about it and convince the maintainer to fix it in stretch.

--
bye,
pabs

https://wiki.debian.org/PaulWise
Subject: UMASK 002 or 022?
I'd like to know why giving the world (Other) read access is even under consideration. If user wants a file to have Other readability this should be on the user to set it, but it should not be the default.

What is the justification that every user be able to read everyone else's documents?

This discussion should be on whether to set a default UMASK of 077 or 027.

NOTE: this discussion is moot at the present time anyway because it is impossible to set a UMASK at all on Debian Stretch. None of the usual ways work within gnome on Debian Stretch. Can anyone comment on this fact?