FS#44677 - [shadow] Upstream inconsistency on umask
Attached to Project:
Arch Linux
Opened by Earnestly (Earnest) - Tuesday, 21 April 2015, 12:24 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 18 June 2016, 14:31 GMT
Details
Upstream shadow includes a login.defs which sets UMASK to 022 while the login.defs included in Arch's package sets this to 077. This can cause issues with daemons needing read permissions (torrent clients for example). I'm making this bug report to hopefully get some insight into why Arch deviates from upstream and why it doesn't use the login.defs provided by upstream. Thanks
Closed by Dave Reisner (falconindy)
Saturday, 18 June 2016, 14:31 GMT
Reason for closing: None
Additional comments about closing: If you need something more permissive, systemd will let you configure this on a case-by-case basis. I think we're doing the right thing by providing a more secure umask by default.
1) /etc/login.defs declares it as 0077
2) /etc/profile declares it as 0022
I guess this means interactive users get 0022, non-interactive get 0077. That's kind of weird, but personally I'd prefer to err on the side of being more secure (so that's a reason to veer from the generally not-sane shadow upstream). For daemons launched by systemd, you have the additional option of setting UMask in the [Service] section in case your daemon does need to write group or world-readable files.
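
The effect of the two values discussed in this thread, as an added example that is not part of the original report or its comments: it reads UMASK from a login.defs-format file and shows the modes that new files and directories get under 077 and 022, which is why a process that relies on group or world read access fails under the stricter value. The sample file content and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: file modes produced by the two umask values in this report.

# Octal mode of a path (GNU stat, with a BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# First UMASK entry in a login.defs-format file; '#' comment lines never match.
login_defs_umask() {
    awk '$1 == "UMASK" { print $2; exit }' "$1"
}

# Create a file and a directory under the given umask, inside a subshell so
# the caller's umask is untouched, and print "<file mode> <dir mode>".
modes_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/file"
        mkdir "$tmp/dir"
        printf '%s %s\n' "$(mode_of "$tmp/file")" "$(mode_of "$tmp/dir")"
        rm -rf "$tmp"
    )
}

# Constructed sample in login.defs format (not the packaged file).
write_sample_login_defs() {
    printf '%s\n' '# constructed sample' 'UMASK		077' > "$1"
}

demo() {
    defs=$(mktemp) || return 1
    write_sample_login_defs "$defs"
    for u in "$(login_defs_umask "$defs")" 022; do
        printf 'umask %s -> file/dir modes: %s\n' "$u" "$(modes_under_umask "$u")"
    done
    rm -f "$defs"
}

demo
```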