On Sun, 22 May 2022 at 06:52, Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
> On Sun, May 22, 2022 at 10:30:48AM +0200, Vitaly Zaitsev via devel wrote:
> > On 21/05/2022 20:57, Demi Marie Obenour wrote:
> > > I think Fedora should go use an 0077 umask for this reason.
> >
> > Fedora is a general purpose distribution, so umask 0077 will create more
> > problems than it solves.
> >
> > Also by default the /home directories have 0700 chmod so no one but the
> > owner can access the files.
> >
> > 0022 will be better, IMO.
>
> It doesn't make sense to vote which setting is best. We have a
> configuration mechanism in /etc/login.defs which allows the
> administrator to set a suitable default, and the other parts of the
> distro must respect this configuration setting. (And as a distro,
> we just make sure that the default value of the default is consistent
> with other defaults, in particular how we set up users and groups.)
>
> In the ancient times, it made sense for the login shell to set the
> umask because it was the first program running as the user and the
> settings it applied were inherited by all of the user session. But now
> the shell is normally started as a child of other processes of the user,
> so something else has to set those settings, and it stopped making sense
> for the shell to try to set up the environment [*].
>
> This is clearly described in https://bugzilla.redhat.com/show_bug.cgi?id=1940375:
> > please change /etc/bashrc to only touch umask if it is 000, and
> > leave the existing setting otherwise.
>
> This will resolve this discussion and fix other bugs too.
>
> Zbyszek
>
> [*] The only caveat to this is that when the shell is started like
> init=/bin/bash, it *is* the first thing running, and it needs to set
> the umask in that case.
Another caveat that has been a pain in the butt in the past is that umask 0077 would get used by dnf/rpm to install the packages. You could run into a case where nothing but root could run many packages because various files in /etc, /usr/bin and /bin were -rwx------ after doing an update. I think that was fixed over time, but I have run into it a couple of times when a system has been set up this way and various programs are not working anymore due to the system umask.
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
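As an added example (not code from this thread or from Fedora's /etc/bashrc), the policy proposed in the bug report written as shell: the shell keeps whatever umask it inherited and only falls back to the UMASK value from a login.defs-style file when the current umask is 0000. The helper names and the sample login.defs file are constructed for this demonstration.

```shell
#!/bin/sh
# Added example: a /etc/bashrc-style umask policy that respects the inherited
# umask and applies a default only when nothing earlier in the session set one
# (umask 0000, e.g. the init=/bin/bash case mentioned in the thread).

# Hypothetical helper: read the UMASK key from a login.defs-style file.
# Falls back to 022 when the file is missing or has no UMASK line.
login_defs_umask() {
    _file="$1"
    _val=""
    if [ -r "$_file" ]; then
        _val=$(sed -n 's/^[[:space:]]*UMASK[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$_file" | tail -n 1)
    fi
    [ -n "$_val" ] && printf '%s\n' "$_val" || printf '022\n'
}

# Decide what the shell should set: keep the current umask unless it is 0000.
# Arguments: current umask (as printed by `umask`), path to the login.defs file.
pick_umask() {
    _current="$1"
    _defs="$2"
    case "$_current" in
        0000|000|0) login_defs_umask "$_defs" ;;
        *) printf '%s\n' "$_current" ;;
    esac
}

# Apply the decision to the running shell; this is the part a bashrc would do.
# Optional argument: path to the login.defs file (defaults to /etc/login.defs).
apply_umask_policy() {
    umask "$(pick_umask "$(umask)" "${1:-/etc/login.defs}")"
}

# Constructed sample login.defs for the demonstration (an admin chose 077).
_demo_defs=$(mktemp)
printf '# constructed sample\nUMASK\t\t077\n' > "$_demo_defs"

# Session that set nothing: the default from login.defs is applied.
(umask 0000; apply_umask_policy "$_demo_defs"; echo "unset session -> $(umask)")
# Session whose parent already set 0027 (e.g. pam_umask): left untouched.
(umask 0027; apply_umask_policy "$_demo_defs"; echo "preset session -> $(umask)")
```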