On Mon, Aug 09, Ludwig Nussel wrote:
> Ubuntu on the other hand seems to have patched pam_umask to read /etc/login.defs for USERGROUPS_ENAB and sets umask based on that. So login shells also have 0002.
If we do that, we have a big security problem, as USERGROUPS_ENAB tells you only if in the future created users will have private user groups, but does not tell you anything about existing ones. So all users in a shared "users" group would suddenly have a UMASK 0002 and all other people could write to newly created files of this user.
> Anyway IMO if we already change an age old default of SUSE systems then please let's do it with all benefits. Just have to decide whether to copy Fedora or Ubuntu.
If you have a good solution how to handle existing, non private user groups using accounts... Neither the Ubuntu nor the Fedora way solves this.

Thorsten

--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
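The concern raised in this message can be checked per account rather than through USERGROUPS_ENAB. The following is an added example, not code from the thread or from any distribution: it lists existing accounts whose primary group is not a private user group, which are the accounts a 0002 umask would expose. The sample passwd/group data is constructed, the function names are hypothetical, and treating "group named after the user with no other members" as private is an assumption of this example.

```python
"""Added example: find accounts for which a 0002 umask would be unsafe."""

# Constructed sample data in /etc/passwd and /etc/group format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:
carol:x:1002:
dave:x:1003:bob
"""

def parse(text, nfields):
    """Split colon-separated records, skipping blanks, comments and short rows."""
    rows = [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]
    return [r for r in rows if len(r) >= nfields]

def shared_primary_group_users(passwd_text, group_text):
    """Return {user: reason} for accounts whose primary group is not private."""
    users = [(r[0], int(r[2]), int(r[3])) for r in parse(passwd_text, 7)]
    groups = {int(r[2]): (r[0], [m for m in r[3].split(",") if m])
              for r in parse(group_text, 4)}
    primaries = {}  # gid -> users that have it as primary group
    for name, _uid, gid in users:
        primaries.setdefault(gid, []).append(name)
    findings = {}
    for name, uid, gid in users:
        if uid == 0:
            continue  # root is out of scope for a user-group umask
        gname, members = groups.get(gid, (None, []))
        others = sorted((set(primaries[gid]) | set(members)) - {name})
        if gname != name:
            findings[name] = f"primary group {gname or gid} is not named after the user"
        elif others:
            findings[name] = f"private-looking group also contains {', '.join(others)}"
    return findings

if __name__ == "__main__":
    for user, why in shared_primary_group_users(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{user}: {why}")
```

On a real system the two arguments would be the contents of /etc/passwd and /etc/group; accounts resolved through other name services are not covered by this sketch.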