Can someone explain why we are still using a umask of 022 in ubuntu and debian?
Would it really be so hard to make that switch to a more privacy focused umask?
Can someone explain why we are still using a umask of 022 in ubuntu and debian?
Would it really be so hard to make that switch to a more privacy focused umask?
Because in June 2005 the simple response to the Debian bug filed in September 2004 was to comment the global setting out of /etc/login.defs rather than change it to 0027. And after some back and forth there's now the explanation in /etc/login.defs that you can read today (q.v.).
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=269583
Doesn't feel like much of an explanation to me.
That comment was in Bullseye. In Trixie's /etc/login.defs the comment is gone.
With Trixie, PAM's "User Private Groups" are by default enabled and default umask thus is 002 instead of 022.
(Personally, I'm irritated by the rather silent way this invasive change got introduced -- it is mentioned in /usr/share/doc/libpam-modules/NEWS.Debian.gz together with instructions to restore the old behavior.)
Ah the classic "There is no One True Answer so it's ok to default to a bad answer".
And also, some tools still break when using the non-default umask.
Yes, yes, we all run Postgres in containers, but if you don't, and you upgrade to a new Postgres major version, gladly using the Debian scripts that make it all more comfortable, while using umask 027, you will enjoy your day. Though I don't remember if those upgrade-scripts where from Debian proper or from Postgres.
Since that experience I always wondered what other tools may have such bugs lurking around.
Is this really a big deal on effectively single user systems with in-person hardware? On the other hand, why is this such a hard decision for Debian to make?