On Tue, May 18, 2010 at 10:08:17AM +0000, Philipp Kern wrote: > On 2010-05-18, Christoph Anton Mitterer <cales...@scientia.net> wrote: > > Not to speak about, that UPG is anyway a questionable abuse of the > > user/group concept. > > > > Neither to speak about the fact, that in the 17 years debian exists > > now,... no majority missed that "feature" (apparently). > > So you present that as universal facts as if you've booked the truth > (possibly a bad translation of a German saying). > > I think that feature is useful for all those who don't want to mess > with ACLs. If you are not allowed to use ACLs and don't have UPG > with sane umasks collaboration is painful (see e.g. Debian infrastrure > with all users being in group Debian and default umask 0022 which > leads to wrong permissions in setgid directories, with ACLs being > disallowed). So indeed I got a script which does newgrp and > setting the umask for me which I run whenever I want to do release > tasks. But it would be more sane if the user wouldn't have to > care about that.
Let me quote from the comments in /etc/login.defs: # 022 is the "historical" value in Debian for UMASK when it was used # 027, or even 077, could be considered better for privacy # There is no One True Answer here : each sysadmin must make up his/her # mind. And that's exactly the problem: there is no one-size-fits-all for the umask. Yes, for collaboration in a setgid directory you'd have to use 002 and thanks to UPG this is possible without compromising security. But I consider this just a special case. There are cases where Debian runs in a non-UPG environment, where you can't use that umask. And I don't think that's uncommon. Think of a mixed environment with Windows, where you might have a samba domain in LDAP. And last time I checked, the smbldap-tools didn't support UPG. So whatever value is used as the default, half of the users will have to change it anyway, to fit their needs. And in such a case, where there is no single optimal value, I'd rather have the most conservative as default. If the umask is 022 and you create a setgid directory and forget to change the umask, you will quickly realise that things are not working as expected and fix it. If the umask is 002 and you add your Debian system to a non-UPG environment and forget to change the umask, things will still work perfectly but you put all your files at risk and might not even realise it until it is too late. Cheers, harry -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100518131240.ga4...@sbs288.lan
