-
Notifications
You must be signed in to change notification settings - Fork 276
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pam_umask: deprecate explicit "usergroups" option in favor of /etc/login.defs #97
base: master
Are you sure you want to change the base?
pam_umask: deprecate explicit "usergroups" option in favor of /etc/login.defs #97
Conversation
…in.defs /etc/login.defs has a USERGROUP_ENAB option with the same semantics as the usergroup module option. If our definition of the umask comes from /etc/login.defs, we should read this setting as well. This restores compatibility with the pre-PAM behaviour of login. See https://blueprints.launchpad.net/ubuntu/+spec/umask-to-0002. Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com> Signed-off-by: Steve Langasek <vorlon@debian.org> Bug-Debian: http://bugs.debian.org/583958
The commit message says about pam_unix but the module being changed is pam_umask; I'm confused. |
The commit message is a typo. It should say pam_umask. |
I think usergroups is rather a distribution option, than a user config switch. I'm mostly interested in distributions being able to set sane defaults. While during my archeology of login.defs for another case I came to a personal conclusion that I'd rather see the /etc/login.defs file deprecated and/or not shipped by default (and thus is no big supporter of moving options to login.defs) I wouldn't care much where this is configured as long as the default is sane (for the distribution shipping pam binaries). Would adding a compile-time option be acceptable to set the usergroups default so that distributions building binaries can use that? (Maybe there are many more options in pam than this one that are distribution choices which needs considerations rather than just looking at this option alone though.) I noticed commit 65d6735 (and looking forward to a release including it), which AIUI allows shipping distribution defaults separately (and leave /etc empty/overridable for user configuration). I however think built-in sane defaults are even better (which eliminates the need to ship vendor configs) thus my above question..... |
The setting from login.defs should not override the pam module command-line option if set (either usergroups or nousergroups as recently merged from #164). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also fix the precedence of command-line options to this.
@@ -115,6 +116,11 @@ | |||
If the user is not root and the username is the same as | |||
primary group name, the umask group bits are set to be the | |||
same as owner bits (examples: 022 -> 002, 077 -> 007). | |||
Note that using this option explicitly is discouraged. pam_umask |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indentation is wrong.
/etc/login.defs has a USERGROUP_ENAB option with the same semantics as the
usergroup module option. If our definition of the umask comes from
/etc/login.defs, we should read this setting as well.
This restores compatibility with the pre-PAM behaviour of login.
See https://blueprints.launchpad.net/ubuntu/+spec/umask-to-0002.
Signed-off-by: Martin Pitt martin.pitt@ubuntu.com
Signed-off-by: Steve Langasek vorlon@debian.org
Bug-Debian: http://bugs.debian.org/583958
This patch has been carried in Ubuntu for a number of years and belongs upstream. I'm happy to discuss whether deprecation of the module option in favor of /etc/login.defs is the right thing to do (IMHO it is).