On 5/20/22 21:32, Nico Kadel-Garcia wrote:
> On Fri, May 20, 2022 at 9:08 PM Neal Gompa <ngomp...@gmail.com> wrote:
>>
>> On Fri, May 20, 2022 at 8:13 PM Owen Taylor <otay...@redhat.com> wrote:
>>>
>>> For years, Red Hat Linux / Fedora systems have had a umask of 0002 for 
>>> regular users as part of the "user private group" scheme [*]. Basically the 
>>> idea is that you can set a directory group-sticky and use it as a common 
>>> work area for a group of users.
>>>
>>> A change a couple of years ago seems to have partially changed this - the 
>>> code in /etc/profile was removed with the idea that it should be controlled 
>>> by pam_umask / login.defs instead.
>>>
>>> https://pagure.io/setup/c/102b349c39e196cc1e34e645c9310acdab7afeef?branch=master
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1722387
>>>
>>> However, the corresponding code in /etc/bashrc was left. This means that 
>>> for a *login* shell (VT, ssh session, etc.) the umask is 0022 but for an 
>>> interactive *non-login* shell (e.g., gnome-terminal with default settings) 
>>> the umask stayed 0002.
>>>
>>> I'm not sure how much the change from 0002 to 0022 was thought through - 
>>> that idea first appears in 
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1722387#c4 with Tomas Mraz 
>>> saying: "I do not think that the default umask should be 002 for regular 
>>> users." - I would have expected a short change proposal, honestly.
>>>
>>> It seems like we need to do one of two things:
>>>
>>>  - Go back to the old behavior, maybe by using the usergroups option to 
>>> pam_umask and removing the code from /etc/bashrc
>>>  - Or just go fully to 0022 by removing the code from /etc/bashrc.
>>>
>>> What do people think? If the current situation has lasted for several 
>>> years, it clearly isn't *that* much of a concern to most people :-)
>>>
>>> - Owen
>>>
>>> [*] 
>>> https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/basic-system-configuration/Managing_Users_and_Groups/#s2-users-groups-private-groups
>>>
>>
>> I think we should complete the transition to 0022 umask. IIRC, this is
>> how most Linux distributions have it work today, so we should fall in
>> line here, unless there's a compelling reason not to.
> 
> This came up for me a few days ago. Some high security distributions
> elect to set the umask to '077' by default, typically through a setting
> in /etc/profile.d/, so that sharing with the group or with others
> requires specific steps.

I think Fedora should go use an 0077 umask for this reason.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
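
The three umask values debated in this thread, as an added example that is not part of any message above: it reports the permissions a new file or directory gets under each umask, and models the `usergroups` rule documented in the pam_umask man page. The function names and the sample user `alice` (uid 1000) are constructed for illustration, and GNU `stat -c` is assumed.

```sh
#!/bin/sh
# Added example (constructed): what umask 0002, 0022 and 0077 mean in practice.

# Print the octal mode a new file or directory gets under a given umask.
# Runs in a subshell so the caller's own umask is left untouched.
mode_under_umask() {    # usage: mode_under_umask <umask> <file|dir>
    (
        umask "$1" || exit 1
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
        m=$(stat -c '%a' "$tmp/new")    # assumption: GNU coreutils stat
        rm -rf "$tmp"
        printf '%s\n' "$m"
    )
}

# Model of the documented pam_umask "usergroups" rule (not PAM's own code):
# for a non-root user whose user name equals the primary group name, the
# group bits of the umask are set to the owner bits (022 -> 002, 077 -> 007).
usergroups_umask() {    # usage: usergroups_umask <umask> <uid> <user> <group>
    mask=$((0$1))       # leading 0 makes the shell read the value as octal
    if [ "$2" -ne 0 ] && [ "$3" = "$4" ]; then
        mask=$(( (mask & ~070) | ((mask & 0700) >> 3) ))
    fi
    printf '%04o\n' "$mask"
}

# Summary for a constructed user-private-group account (alice:alice, uid 1000).
for m in 0002 0022 0077; do
    printf 'umask %s: file %s, dir %s, with usergroups -> %s\n' \
        "$m" "$(mode_under_umask "$m" file)" "$(mode_under_umask "$m" dir)" \
        "$(usergroups_umask "$m" 1000 alice alice)"
done
```

To see the login versus non-login split described in the thread on a real system, compare `bash -lc umask` with `bash -ic umask`.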


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org