Did some more testing.

useradd uses USERGROUPS_ENAB in /etc/login.defs and adduser uses USERGROUPS in /etc/adduser.conf.
This is only used for creating new users.
Active users, regardless of which tool created them, use UMASK in /etc/login.defs (since Trixie). When the primary group name is the same as the username, then group permissions are equal to owner permissions. The 'group' entry in the UMASK value is omitted. The only way to get a different umask for 'group' relative to 'owner' is setting umask in /etc/profile. Services/applications started by systemd don't use /etc/profile and 'UMask' in systemd seems non-functional, so there is no way to get an effective umask of 022 in KDE/Plasma.

I only use single user systems and prefer UPG with umask 022. I don't share files with other users on my systems, but I do make system config files as a user. When deploying these files to the system and changing to root:root, I now need an extra step to remove the write permission from 'group' for these files.

My options at the moment are basically either changing to a non-systemd-started DE (from Plasma to Xfce, for example) or disabling UPG on my systems by changing the primary group to 'users', running 'chmod' on all my 664 files and 775 directories to make them 644/755, and running 'chown' to change the group to 'users' (from jack:jack 664 to jack:users 644).

It also seems a security concern that this change was not prominently communicated in the release notes of Trixie. Not being aware of this change could have security implications in certain setups.

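The extra deployment step described in the message above, as an added example that is not part of the original post: it lists what an effective umask of 002 left group-writable, strips that bit, and installs a file with an explicit mode so the result does not depend on the umask. The function names are hypothetical, and GNU find, stat and install (as shipped on Debian) are assumed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes GNU findutils/coreutils (find -perm /MODE, stat -c, install -m).

# Print regular files and directories under $1 that carry the group-write
# bit, i.e. the 664 files and 775 directories an effective umask of 002 creates.
list_group_writable() {
    find "$1" \( -type f -o -type d \) -perm /020 -print
}

# Remove group write from everything list_group_writable would report.
# Symlinks do not match -type f / -type d, so chmod never follows one.
strip_group_write() {
    find "$1" \( -type f -o -type d \) -perm /020 -exec chmod g-w {} +
}

# Copy a user-authored config file into place with an explicit mode, so the
# deployed copy is 644 whatever umask the source was created under.
# When deploying as root, "-o root -g root" can be added to the install call.
deploy_config() {
    install -m 0644 "$1" "$2"
}

# Constructed demo in a throwaway directory; touches nothing outside it.
demo() {
    work=$(mktemp -d) || return 1
    (
        umask 002                      # what a UPG session ends up with
        mkdir "$work/conf.d"
        echo 'key=value' > "$work/conf.d/app.conf"
    )
    echo "created:  $(stat -c '%a %n' "$work/conf.d/app.conf")"
    deploy_config "$work/conf.d/app.conf" "$work/deployed.conf"
    echo "deployed: $(stat -c '%a %n' "$work/deployed.conf")"
    strip_group_write "$work"
    echo "stripped: $(stat -c '%a %n' "$work/conf.d/app.conf")"
    rm -rf "$work"
}

demo
```

Running `list_group_writable` on a staging directory before changing ownership to root:root shows which files would otherwise reach the system still writable by the group.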