On Sun, 22 May 2022 at 06:52, Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl> wrote:
> On Sun, May 22, 2022 at 10:30:48AM +0200, Vitaly Zaitsev via devel wrote:
> > On 21/05/2022 20:57, Demi Marie Obenour wrote:
> > > I think Fedora should go use an 0077 umask for this reason.
> >
> > Fedora is a general purpose distribution, so umask 0077 will create more
> > problems than it solves.
> >
> > Also by default the /home directories have 0700 chmod so no one but the
> > owner can access the files.
> >
> > 0022 will be better, IMO.
>
> It doesn't make sense to vote which setting is best. We have a
> configuration mechanism in /etc/login.defs which allows the
> administrator to set a suitable default, and the other parts of the
> distro must respect this configuration setting. (And as a distro,
> we just make sure that the default value of the default is consistent
> with other defaults, in particular how we set up users and groups.)
>
> In the ancient times, it made sense for the login shell to set the
> umask because it was the first program running as the user and the
> settings it applied were inherited by all of the user session. But now
> the shell is normally started as a child of other processes of the user,
> so something else has to set those settings, and it stopped making sense
> for the shell to try to set up the environment [*].
>
> This is clearly described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1940375:
> > please change /etc/bashrc to only touch umask if it is 000, and
> > leave the existing setting otherwise.
>
> This will resolve this discussion and fix other bugs too.
>
> Zbyszek
>
>
> [*] The only caveat to this is that when shell is started like
> init=/bin/bash, it *is* the first thing running, and it needs to set
> the umask in that case.
>

There used to be another caveat that has been a pain in the butt in the past: umask 0077 would get used by dnf/rpm to install the packages. You could run into a case where nothing but root could run many packages because various files in /etc, /usr/bin and /bin were -rwx------ after doing an update. I think that was fixed over time, but I have run into it a couple of times when a system has been set up this way and various programs are not working anymore due to the system umask.

--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
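The failure mode described in the message above, reproduced in a scratch directory and then audited, as an added example that is not part of the original thread. The function names (`simulate_install`, `audit_tree`, `count_findings`) and the sample tree are constructed for illustration; nothing on the real system is touched.

```shell
#!/bin/sh
# Added example: every path below lives in a constructed scratch tree.

# Mimic an install step that relies on default modes instead of explicit
# chmod values. The umask is applied in a subshell so the caller's umask
# stays untouched.
simulate_install() {   # $1 = target dir, $2 = umask to install under
    (
        umask "$2"
        mkdir -p "$1/bin" "$1/etc"            # dirs get 0777 & ~umask
        printf '#!/bin/sh\necho hi\n' > "$1/bin/tool"
        chmod +x "$1/bin/tool"                # "+x" without a who also honours umask
        printf 'key=value\n' > "$1/etc/tool.conf"   # files get 0666 & ~umask
    )
}

# List entries non-owners cannot use:
#   directories missing o+rx, regular files missing o+r,
#   and files the owner can execute but others cannot.
# Some files are private by design, so the output is a list of leads.
audit_tree() {         # $1 = directory to scan
    find "$1" \( \
            \( -type d ! -perm -005 \) \
         -o \( -type f ! -perm -004 \) \
         -o \( -type f -perm -100 ! -perm -001 \) \
        \) -print
}

count_findings() {     # $1 = directory to scan
    audit_tree "$1" | wc -l | tr -d ' '
}

demo() {
    base=$(mktemp -d)
    simulate_install "$base/umask0022" 0022
    simulate_install "$base/umask0077" 0077
    echo "installed under umask 0022: $(count_findings "$base/umask0022") findings"
    echo "installed under umask 0077: $(count_findings "$base/umask0077") findings"
    audit_tree "$base/umask0077"
    rm -rf "$base"
}

demo
```

On an affected machine, `audit_tree /usr/bin` gives the same listing for real files, and `rpm -Va` reports mode differences against the package database.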