On Tue, May 18, 2010 at 4:16 PM, Harald Braumann <ha...@unheit.net> wrote: > On Tue, May 18, 2010 at 03:40:06PM +0200, Bastien ROUCARIES wrote: >> On Tue, May 18, 2010 at 3:12 PM, Harald Braumann <ha...@unheit.net> wrote: >> > On Tue, May 18, 2010 at 10:08:17AM +0000, Philipp Kern wrote: >> >> On 2010-05-18, Christoph Anton Mitterer <cales...@scientia.net> wrote: >> >> > Not to speak about, that UPG is anyway a questionable abuse of the >> >> > user/group concept. >> >> > >> >> > Neither to speak about the fact, that in the 17 years debian exists >> >> > now,... no majority missed that "feature" (apparently). >> >> >> >> So you present that as universal facts as if you've booked the truth >> >> (possibly a bad translation of a German saying). >> >> >> >> I think that feature is useful for all those who don't want to mess >> >> with ACLs. If you are not allowed to use ACLs and don't have UPG >> >> with sane umasks collaboration is painful (see e.g. Debian infrastrure >> >> with all users being in group Debian and default umask 0022 which >> >> leads to wrong permissions in setgid directories, with ACLs being >> >> disallowed). So indeed I got a script which does newgrp and >> >> setting the umask for me which I run whenever I want to do release >> >> tasks. But it would be more sane if the user wouldn't have to >> >> care about that. >> > >> > Let me quote from the comments in /etc/login.defs: >> > >> > # 022 is the "historical" value in Debian for UMASK when it was used >> > # 027, or even 077, could be considered better for privacy >> > # There is no One True Answer here : each sysadmin must make up his/her >> > # mind. >> > >> > And that's exactly the problem: there is no one-size-fits-all >> > for the umask. Yes, for collaboration in a setgid directory you'd have >> > to use 002 and thanks to UPG this is possible without compromising >> > security. But I consider this just a special case. There are >> > cases where Debian runs in a non-UPG environment, where you can't use >> > that umask. And I don't think that's uncommon. Think of a mixed >> > environment with Windows, where you might have a samba domain in LDAP. And >> > last time I checked, the smbldap-tools didn't support UPG. >> >> Could you fill a bug report against smbldap-tools ? > > There is already an upstream bug [0], but even if it get's > implemented, that wouldn't magically change all systems out there > running non-UPG > >> >> >> > So whatever value is used as the default, half of the users will have >> > to change it anyway, to fit their needs. And in such a case, where >> > there is no single optimal value, I'd rather have the most >> > conservative as default. >> > >> > If the umask is 022 and you create a setgid >> > directory and forget to change the umask, you will quickly realise >> > that things are not working as expected and fix it. If the umask is >> > 002 and you add your Debian system to a non-UPG environment and forget >> > to change the umask, things will still work perfectly but you put all >> > your files at risk and might not even realise it until it is too >> > late. >> >> Why not add a security dialog and assistant for installing and >> upgrading the system? >> It will ease the transition and fit allt the need, documenting >> drawbacks and advantages of each scheme ? > > A umask of 022 is the right choice for most people and at least > doesn't put the others at risk. Everyone, who knows what a setgid > directory is and how it works, will also know, that there are certain > requirements on the umask. And the others really don't care, as long > as their security is not compromised. > > There is really no need to force everyone to make a useless decision, > just for the sake of a change to make life of a specific minority easier. > > Cheers, > harry > > [0] http://gna.org/support/?2040
Reported as #582388 Thanks -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/aanlktik2ugx9aqzveuqjfiko6oqqaq6rcyhzoz_ea...@mail.gmail.com