On Wed, Jun 22, 2011 at 08:28:38AM +0200, Martin Pitt wrote:
> An alternative would be to comment out the UMASK setting by default,
> and only then have pam_umask default to an implicit "022, with
> USERGROUPS_ENAB relaxing to 002". As soon as login.defs,
> /etc/default/login, or any of the other places that pam_umask looks
> for (GECOS, etc.) would define an umask setting, it would use that,
> and only that. The advantage is that this behaves more predictably (if
> I configure an umask, I get it), but it comes at the expense of not
> making UPG magically work if you set UMASK=077 (which is also a common
> default).
>
> For now I'm leaning towards the original proposal here, which also
> seems to be consistent with the pre-PAM age.

Yep, I've just looked over the shadow code that handles USERGROUPS_ENAB; you
(and ceg) are correct that the USERGROUPS_ENAB option should twiddle the
umask rather than overriding it entirely.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
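The difference between USERGROUPS_ENAB twiddling the umask and overriding it, as an added example that is not code from this thread, from shadow, or from pam_umask. It assumes the rule documented in login.defs(5): for a non-root user whose uid equals the gid and whose user name equals the primary group name, the group bits of the umask take the value of the owner bits. The function names and the sample user are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* User-private group (UPG) test, per the login.defs(5) rule assumed above:
 * non-root, uid == gid, user name == primary group name. */
static int is_upg(uid_t uid, gid_t gid, const char *user, const char *group)
{
    return uid != 0 && (gid_t)uid == gid && strcmp(user, group) == 0;
}

/* "Twiddle": copy the owner bits of the configured umask into the group
 * bits and leave the "other" bits exactly as the administrator set them. */
mode_t umask_twiddle(mode_t configured, uid_t uid, gid_t gid,
                     const char *user, const char *group)
{
    if (!is_upg(uid, gid, user, group))
        return configured;
    return (configured & ~(mode_t)070) | ((configured & 0700) >> 3);
}

/* "Override": discard the configured value and force 002 for UPG users.
 * Shown only for contrast with the twiddle behaviour. */
mode_t umask_override(mode_t configured, uid_t uid, gid_t gid,
                      const char *user, const char *group)
{
    return is_upg(uid, gid, user, group) ? (mode_t)002 : configured;
}

/* Permission bits of a regular file requested with mode 0666. */
mode_t created_file_mode(mode_t mask) { return 0666 & ~mask; }

int main(void)
{
    /* Constructed sample: UPG user "alice", uid 1000, gid 1000. */
    mode_t configured[] = { 022, 077 };
    for (size_t i = 0; i < 2; i++) {
        mode_t t = umask_twiddle(configured[i], 1000, 1000, "alice", "alice");
        mode_t o = umask_override(configured[i], 1000, 1000, "alice", "alice");
        printf("UMASK=%03o twiddle=%03o (files %04o) override=%03o (files %04o)\n",
               (unsigned)configured[i], (unsigned)t, (unsigned)created_file_mode(t),
               (unsigned)o, (unsigned)created_file_mode(o));
    }
    return 0;
}
```

With UMASK=077 the twiddled mask is 007, so new files stay closed to "other", while an override to 002 would create them world-readable.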