Re: Subject: UMASK 002 or 022?

2017-06-28 Thread Paul Wise 
On Thu, Jun 29, 2017 at 12:21 AM,  gwmfms6 wrote:

> Paul, you seemed to indicate that you were able to set a different "user
> default" umask in Stretch that's respected by gnome apps like gedit?

No, I didn't indicate that. See my other reply for clarification.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Re: Subject: UMASK 002 or 022?

2017-06-28 Thread gwmfms6 
My thinking in advocating for OTHER being 7 (ie, 027 or 077) was that 
the incidents when someone wants OTHER to have access to their files are 
fewer than when they do not want OTHER to have access. Do users 
generally want OTHER to be able to read all their files? Or do they have 
a particular set of files that they want OTHER to be able to 
access/read? In this context it makes more sense to me to put the burden 
on adjusting those specific files that the user wants OTHER to have 
access to instead of having them that way by default. Having to adjust 
those specific files also reinforces to the user what they are doing 
(ie, they are giving the world access to those particular files).




On 2017-06-28 07:25, Ian Jackson wrote:

Paul Wise writes ("Re: Subject: UMASK 002 or 022?"):

On Wed, Jun 28, 2017 at 1:11 AM,  gwmfms6 wrote:
> This discussion should be on whether to set a default UMASK of 077 or 027.

I think the appropriate default umask is 077 due to the possibility of
some sites not naming the primary group of each user after the user.


The appropriate default umask is 002 if the user's primary group is
named after the user, or 022 otherwise.

If only we had some kind of automated information processing equipment
which could collect necessary inputs and then make correct decisions.

Ian.

Re: Subject: UMASK 002 or 022?

2017-06-28 Thread gwmfms6 
Paul, you seemed to indicate that you were able to set a different "user 
default" umask in Stretch that's respected by gnome apps like gedit? How 
did you do it?



On 2017-06-28 09:21, Paul Wise wrote:

On Wed, Jun 28, 2017 at 7:25 PM, Ian Jackson wrote:


The appropriate default umask is 002 if the user's primary group is
named after the user, or 022 otherwise.


AFAICT, neither of these achieve what the initiator of the thread
wants to achieve; no read access by other users to one's files on
multi-user systems by default.

Re: Subject: UMASK 002 or 022?

2017-06-28 Thread Paul Wise 
On Wed, Jun 28, 2017 at 8:59 PM,  gwmfms6 wrote:

> You didn't notice because you run umask from your shell configuration?

I should clarify, I meant bash shell not gnome-shell.

>  In other words, you have a working umask in Stretch?

In my terminals yes, but not in apps launched from the GUI.

> Can you tell me how to "run `umask 027` from my shell configuration"?

I have the equivalent of this:

echo 'umask 027' >> ~/.bashrc

> Currently, I have not found a way to get gnome to respect umask setting in 
> Stretch.

No idea how to do that.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Re: Subject: UMASK 002 or 022?

2017-06-28 Thread gwmfms6 
You didn't notice because you run umask from your shell configuration? 
In other words, you have a working umask in Stretch?


I want a working umask in stretch. Can you tell me how to "run `umask 
027` from my shell configuration"? Currently, I have not found a way to 
get gnome to respect umask setting in Stretch.



On 2017-06-28 00:14, Paul Wise wrote:

I had "UMASK 027" in /etc/login.defs and I didn't notice that this no
longer works because I also run `umask 027` from my shell
configuration. If you can track down why this no longer works, please
file a bug about it and convince the maintainer to fix it in stretch.

Re: Subject: UMASK 002 or 022?

2017-06-28 Thread gwmfms6 

Setting umask in ~/.profile on Jessie works for me.


On 2017-06-28 01:04, Arto Jantunen wrote:

It doesn't work since pam_umask isn't run by default. However as far as
I know this has been the case for a very long time (the oldest install 
I

can check quickly is squeeze and it has the same issue).

Re: Subject: UMASK 002 or 022?

2017-06-28 Thread Paul Wise 
On Wed, Jun 28, 2017 at 7:25 PM, Ian Jackson wrote:

> The appropriate default umask is 002 if the user's primary group is
> named after the user, or 022 otherwise.

AFAICT, neither of these achieve what the initiator of the thread
wants to achieve; no read access by other users to one's files on
multi-user systems by default.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Re: Subject: UMASK 002 or 022?

2017-06-28 Thread Ian Jackson 
Paul Wise writes ("Re: Subject: UMASK 002 or 022?"):
> On Wed, Jun 28, 2017 at 1:11 AM,  gwmfms6 wrote:
> > This discussion should be on whether to set a default UMASK of 077 or 027.
> 
> I think the appropriate default umask is 077 due to the possibility of
> some sites not naming the primary group of each user after the user.

The appropriate default umask is 002 if the user's primary group is
named after the user, or 022 otherwise.

If only we had some kind of automated information processing equipment
which could collect necessary inputs and then make correct decisions.

Ian.

Subject: UMASK 002 or 022?

2017-06-28 Thread gwmfms6 
I'd like to know why giving the world (Other) read access is even under 
consideration. If user wants a file to have Other readability this 
should be on the user to set it, but it should not be the default.


What is the justification that every user be able to read every other 
user's documents?


This discussion should be on whether to set a default UMASK of 077 or 
027.



NOTE: this discussion is made all the more important currently because 
it seems impossible to set a UMASK at all on Debian Stretch. None of the 
usual ways work within gnome on Debian Stretch. Can anyone comment on 
this fact? How does one get gnome to respect the umask value that's set 
in ~/.profile? Or if not ~/.profile where does one set the default umask 
value for gnome?

Re: Subject: UMASK 002 or 022?

2017-06-28 Thread Simon Richter 
Hi,

On 27.06.2017 19:11, gwmf...@openmailbox.org wrote:

> I'd like to know why giving the world (Other) read access is even under
> consideration. If user wants a file to have Other readability this
> should be on the user to set it, but it should not be the default.

That can be solved by excluding people from the directory the files are
in -- in order to access a file, all directories on the way there need
to have at least 'x' permission for the current user.

So, an umask of 022 and having each user in a single-member primary
group gives the user all options:

 - To make your home directory completely private, chmod it to 750 (the
group permissions don't matter really, because there is no one else in
the group).

 - To allow other users to pass through your home directory (e.g. the
webserver on the way to ~/public_html), chmod your home to 751.

 - To create a directory that a group of users may write to, use chgrp
and then set permissions to 2770 (or 2775, if others should also be able
to read).

The Debian installation used to ask whether home directories should be
private by default, IIRC that question still exists but is too low
priority to be shown outside of expert mode. You can use

dpkg-reconfigure adduser

to set this up, then new user home directories will be created with 750
permissions.

This method allows a one-time setup of desired behaviour, while the
umask would need to be set at every login, and if it weren't set up
correctly, this would lead to files having the wrong permission with no
warning -- that's why it's more robust to just create files as readable
for others and lock them out of the entire home directory.

> What is the justification that every user be able to read everyone
> else's documents?

That depends on your use case. At university, we generally left the home
directory open, and kept a separate ~/private directory with restrictive
permissions, because it allowed us to easily share non-private files by
just telling people to get them from our home directories.

   Simon




signature.asc
Description: OpenPGP digital signature

Re: Subject: UMASK 002 or 022?

2017-06-28 Thread Philip Hands 
Paul Wise  writes:

> On Wed, Jun 28, 2017 at 1:11 AM,  gwmfms6 wrote:
>
>> I'd like to know why giving the world (Other) read access is even under
>> consideration. If user wants a file to have Other readability this should be
>> on the user to set it, but it should not be the default.
>
> I expect for most Debian deployments this isn't that relevant, since
> most are either servers with no real users or single-user systems with
> no guest account.
>
>> What is the justification that every user be able to read everyone else's
>> documents?
>
> This decision was made in the mists of time and has never been questioned.
>
>> This discussion should be on whether to set a default UMASK of 077 or 027.
>
> I think the appropriate default umask is 077 due to the possibility of
> some sites not naming the primary group of each user after the user.

077 is poor choice of default given that we decided to have users in
their own dedicated group precisely to allow more generous group
permissions, and if someone decides to deviate from that policy they
need to take care of the consequences of their actions.

In case anyone is wondering why we have users in their own group is it
to allow one to create shared group directories, with the group s-bit
set, so that anyone in that group can create files in that directory.

If one has a 077 umask, that results in files in s-bit directories being
created that only the creator can read, which is almost certainly not
what you wanted.

To fix that, one sets a umask of something like 027 or 022 or 002
depending on your needs, but on traditional *nix systems all users would
generally be in a users or staff group, so you just gave
overly-permissive access to your home directory by doing that -- hence
the dedicated per-user groups.

> That said, 027 would probably be a reasonable default too since most
> sites do not do that.

I think 027 is much easier to justify, is seems likely that anyone that
prefers 022 over 027 is more likely to know why.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,GERMANY


signature.asc
Description: PGP signature

Re: Subject: UMASK 002 or 022?

2017-06-27 Thread Arto Jantunen 
Paul Wise  writes:
> On Wed, Jun 28, 2017 at 1:11 AM,  gwmfms6 wrote:
>> NOTE: this discussion is moot at the present time anyway because it is
>> impossible to set a UMASK at all on Debian Stretch. None of the usual ways
>> work within gnome on Debian Stretch. Can anyone comment on this fact?
>
> I had "UMASK 027" in /etc/login.defs and I didn't notice that this no
> longer works because I also run `umask 027` from my shell
> configuration. If you can track down why this no longer works, please
> file a bug about it and convince the maintainer to fix it in stretch.

It doesn't work since pam_umask isn't run by default. However as far as
I know this has been the case for a very long time (the oldest install I
can check quickly is squeeze and it has the same issue).

-- 
Arto Jantunen

Re: Subject: UMASK 002 or 022?

2017-06-27 Thread Paul Wise 
On Wed, Jun 28, 2017 at 1:11 AM,  gwmfms6 wrote:

> I'd like to know why giving the world (Other) read access is even under
> consideration. If user wants a file to have Other readability this should be
> on the user to set it, but it should not be the default.

I expect for most Debian deployments this isn't that relevant, since
most are either servers with no real users or single-user systems with
no guest account.

> What is the justification that every user be able to read everyone else's
> documents?

This decision was made in the mists of time and has never been questioned.

> This discussion should be on whether to set a default UMASK of 077 or 027.

I think the appropriate default umask is 077 due to the possibility of
some sites not naming the primary group of each user after the user.
That said, 027 would probably be a reasonable default too since most
sites do not do that.

> NOTE: this discussion is moot at the present time anyway because it is
> impossible to set a UMASK at all on Debian Stretch. None of the usual ways
> work within gnome on Debian Stretch. Can anyone comment on this fact?

I had "UMASK 027" in /etc/login.defs and I didn't notice that this no
longer works because I also run `umask 027` from my shell
configuration. If you can track down why this no longer works, please
file a bug about it and convince the maintainer to fix it in stretch.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Subject: UMASK 002 or 022?

2017-06-27 Thread gwmfms6 
I'd like to know why giving the world (Other) read access is even under 
consideration. If user wants a file to have Other readability this 
should be on the user to set it, but it should not be the default.


What is the justification that every user be able to read everyone 
else's documents?


This discussion should be on whether to set a default UMASK of 077 or 
027.



NOTE: this discussion is moot at the present time anyway because it is 
impossible to set a UMASK at all on Debian Stretch. None of the usual 
ways work within gnome on Debian Stretch. Can anyone comment on this 
fact?