Because in June 2005 the simple response to the Debian bug filed in September 2004 was to comment the global setting out of /etc/login.defs rather than change it to 0027. And after some back and forth there's now the explanation in /etc/login.defs that you can read today (q.v.).

* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=269583

Doesn't feel like much of an explanation to me.

  # UMASK is the default umask value for pam_umask and is used by
  # useradd and newusers to set the mode of the new home directories.
  # 022 is the "historical" value in Debian for UMASK
  # 027, or even 077, could be considered better for privacy
  # There is no One True Answer here : each sysadmin must make up his/her
  # mind.

That comment was in Bullseye. In Trixie's /etc/login.defs the comment is gone.

With Trixie, PAM's "User Private Groups" are enabled by default, and the default umask is thus 002 instead of 022.

(Personally, I'm irritated by the rather silent way this invasive change got introduced -- it is mentioned in /usr/share/doc/libpam-modules/NEWS.Debian.gz together with instructions to restore the old behavior.)
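The 022 -> 002 shift described above, as an added example that is not part of the original comments or of Debian's own code: it models the "usergroups" rule as documented in pam_umask(8) (for a non-root user whose name equals the primary group name, the umask group bits are set to the owner bits) and then creates a file and a directory to show the resulting modes, also covering 027 and 077. The accounts alice, bob and staff are constructed, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat.

# effective_umask USER GROUP UID MASK
# pam_umask(8) "usergroups" rule: non-root user whose name matches the
# primary group name gets group bits copied from the owner bits.
effective_umask() {
    user=$1 group=$2 uid=$3 mask=$4
    m=$(( 0$mask ))                      # leading 0 => parsed as octal
    if [ "$uid" -ne 0 ] && [ "$user" = "$group" ]; then
        owner=$(( (m >> 6) & 7 ))
        m=$(( (m & ~070) | (owner << 3) ))
    fi
    printf '%03o\n' "$m"
}

# modes_under MASK
# Prints "FILEMODE DIRMODE" for a file and directory created under MASK.
# Runs in a subshell so the caller's umask is left untouched.
modes_under() (
    umask "$1"
    tmp=$(mktemp -d) || exit 1
    : > "$tmp/file"
    mkdir "$tmp/dir"
    f=$(stat -c '%a' "$tmp/file")
    d=$(stat -c '%a' "$tmp/dir")
    rm -rf "$tmp"
    echo "$f $d"
)

# Constructed accounts: alice has a private group, bob's primary group is
# the shared group "staff", so the rule does not apply to him.
for mask in 022 027 077; do
    upg=$(effective_umask alice alice 1000 "$mask")
    shared=$(effective_umask bob staff 1001 "$mask")
    echo "UMASK=$mask alice:alice -> $upg ($(modes_under "$upg"))" \
         "bob:staff -> $shared ($(modes_under "$shared"))"
done
```

Under this rule, a configured 027 or 077 becomes 007 for a user with a private group, so new files are group-writable; that is only harmless while the private group really has a single member.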

Ah the classic "There is no One True Answer so it's ok to default to a bad answer".

And also, some tools still break when using the non-default umask.

Yes, yes, we all run Postgres in containers, but if you don't, and you upgrade to a new Postgres major version, gladly using the Debian scripts that make it all more comfortable, while using umask 027, you will enjoy your day. Though I don't remember if those upgrade-scripts were from Debian proper or from Postgres.

Since that experience I always wondered what other tools may have such bugs lurking around.