On Sun, Jul 14, 2024 at 19:09:54 +0200, Hans wrote:

I am wondering, why on a multiuser system like debian the rights for a normal user are "rw- r-- r--", (owner: user and ownergroup: usergroup)

Tradition, and a culture based around sharing.

The Unix culture of openness and freedom (specifically the freedom to distribute your work to others) works best if you can say "Hey Betty,
can you take a look at my .bashrc? I can't get my foo() function to
work." Or "Hey friends, I've made some changes to my bar.c file that
you might want to look at." And then they can just read the files
directly from your home directory.

If you don't like this setting, change it.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Jul 14, 2024 at 19:38:26 +0200, Hans wrote:

Hi Greg,

yes, did already change it. However, this looks like a security hole for me, as I believe, not many people or admins are changing this.

IMO debian should change this in the next release, but I doubt it.

I will ask the security team for it, they will decide.

It is NOT a security issue. Any files that contain secret data are
protected by their individual permissions, as set by the programs
that create them. Like your ssh private keys:

hobbit:~$ ls -l .ssh
total 72
...
-rw------- 1 greg greg 1876 Sep 24 2019 id_rsa
-rw-r--r-- 1 greg greg 394 Sep 24 2019 id_rsa.pub

The other 99.9% of your files are not secret, so they don't need to
be hidden.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Dear list,

I am wondering, why on a multiuser system like debian the rights for a normal user are "rw- r-- r--", (owner: user and ownergroup: usergroup)

Of course there is a reason for this, but it is not understandable for me.


First two are clear: rw for myself, and readable for all users, i am allowing into my own grou.

The last one is not clear for me. Why should I allow the rest of the world
read my personal documents? These are private and no one else should be able
to read them!

So I would have expected a setting of "rw- r-- ---" for any files.

Before someone argues, "you can change this by editing umask", yes, I know of this of course.

But it is not clear for me, why it is set that way by default and not as I would have expected as described above.

Sure, there is a reason for this, so I will be happy, if someone could enlighten me.

Best

Hans

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Greg,

yes, did already change it. However, this looks like a security hole for me,
as I believe, not many people or admins are changing this.

IMO debian should change this in the next release, but I doubt it.

I will ask the security team for it, they will decide.

Have fun!

Hans

Am Sonntag, 14. Juli 2024, 19:18:07 CEST schrieb Greg Wooledge:

On Sun, Jul 14, 2024 at 19:09:54 +0200, Hans wrote:

I am wondering, why on a multiuser system like debian the rights for a normal user are "rw- r-- r--", (owner: user and ownergroup: usergroup)

Tradition, and a culture based around sharing.

The Unix culture of openness and freedom (specifically the freedom to distribute your work to others) works best if you can say "Hey Betty,
can you take a look at my .bashrc? I can't get my foo() function to
work." Or "Hey friends, I've made some changes to my bar.c file that
you might want to look at." And then they can just read the files
directly from your home directory.

If you don't like this setting, change it.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-07-14 19:18, Greg Wooledge wrote:

On Sun, Jul 14, 2024 at 19:09:54 +0200, Hans wrote:

I am wondering, why on a multiuser system like debian the rights for a normal
user are "rw- r-- r--", (owner: user and ownergroup: usergroup)

Tradition, and a culture based around sharing.

The Unix culture of openness and freedom (specifically the freedom to distribute your work to others) works best if you can say "Hey Betty,
can you take a look at my .bashrc? I can't get my foo() function to
work." Or "Hey friends, I've made some changes to my bar.c file that
you might want to look at." And then they can just read the files
directly from your home directory.

If you don't like this setting, change it.

Setting umask in your shell profile isn't that hard indeed. I've doing
that for years. However, that does not mean your DE will honour that
setting. I have tried to do so for KDE (more specifically Krusader), but
I ended up nowhere. I haven't found a setting that will be honoured KDE
wide or even just in Krusader alone.

Grx HdV

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Jul 14, 2024 at 07:44:35PM +0200, Lists wrote:

On 2024-07-14 19:18, Greg Wooledge wrote:

On Sun, Jul 14, 2024 at 19:09:54 +0200, Hans wrote:

I am wondering, why on a multiuser system like debian the rights for a normal
user are "rw- r-- r--", (owner: user and ownergroup: usergroup)

Tradition, and a culture based around sharing.

The Unix culture of openness and freedom (specifically the freedom to distribute your work to others) works best if you can say "Hey Betty,
can you take a look at my .bashrc? I can't get my foo() function to
work." Or "Hey friends, I've made some changes to my bar.c file that
you might want to look at." And then they can just read the files
directly from your home directory.

If you don't like this setting, change it.

Setting umask in your shell profile isn't that hard indeed. I've doing that for years. However, that does not mean your DE will honour that setting. I have tried to do so for KDE (more specifically Krusader), but I ended up nowhere. I haven't found a setting that will be honoured KDE wide or even just in Krusader alone.

The place to do this is the X session [1]; system-wide in /etc/X11/Xsession.d/... and for each user in ~/.xsessionrc.
You might have to set allow-user-session in the global config /etc/X11/Xsession.options to make the second possible.

Cheers

[1] https://wiki.debian.org/Xsession
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZpQRkgAKCRAFyCz1etHa RmPFAJsHdv9G4Cx/rq65rqW4EIdPIP/F0gCfWWnZPxeWsizKaGxe6HE3xvXdwAY=
=hA3o
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hans (12024-07-14):

Greg, I do not agree. If I am writing a document with private content, then I

If you are writing something confidential, it is your responsibility to
lock the door of your office.

Regards,

--
Nicolas George

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Greg, I do not agree. If I am writing a document with private content, then I do not want to let it be read by someone else except me.

No one has to read any letters or cv's or maybe documents for my lawyer, my medic, my friends or whatever.

And after years there are a lot of documents one is writing, many private things.

And i think, no one wants to sharew these with other users on the system!

At least, I won't.

Best

Hans

hobbit:~$ ls -l .ssh
total 72
...
-rw------- 1 greg greg 1876 Sep 24 2019 id_rsa
-rw-r--r-- 1 greg greg 394 Sep 24 2019 id_rsa.pub

The other 99.9% of your files are not secret, so they don't need to
be hidden.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Hans wrote:

I am wondering, why on a multiuser system like debian the rights for a
normal user are "rw- r-- r--", (owner: user and ownergroup: usergroup)

Because the usual umask of 0022 keeps the more credulous programs from
giving w-permission to everybody.
Any program is free to hand out restricted permission. umask just defines
what such a program shall not get done immediately when the file is
created. Afterwards a program can still widen permissions.

First two are clear: rw for myself, and readable for all users, i am
allowing into my own grou.

It's not necessarily your group, but rather the group to which the file belongs. This is typically the group of the process of the program which creates the file. (Unless it has superuser powers and can change the group
id.)

Shell command "id" can tell your current shells user id and group id
which in most cases are inherited by programs which you start.

$ id
id=number(name) gid=number(name) groups=number(name),...

But there are the programs which are allowed to run under a self chosen
user and group id. (See man 1 chmod permission "s" and man 2 setgid.)


Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Jul 14, 2024 at 19:57:45 +0200, [email protected] wrote:

On Sun, Jul 14, 2024 at 07:44:35PM +0200, Lists wrote:

Setting umask in your shell profile isn't that hard indeed. I've doing that for years. However, that does not mean your DE will honour that setting.

The place to do this is the X session [1]; system-wide in /etc/X11/Xsession.d/... and for each user in ~/.xsessionrc.
You might have to set allow-user-session in the global config /etc/X11/Xsession.options to make the second possible.

Does that work in KDE? As we discovered a few years ago, it doesn't
work in GNOME. GNOME specifically starts up its terminal emulators
via dbus or something, so they aren't children of the GNOME top-level
process, and don't inherit the umask or environment from the session.

I'm totally willing to believe that KDE is different, but it's not
clear whether "Lists" has tried this and failed, or simply didn't know
that it should be done this way.

It would be excellent to receive confirmation from a KDE user, either
way.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

I see itthe other way round. No, if you are in the secure area, it is the responsibility of the owner to make it secure by design i.e with dself closing doors where you can not look into or windows with curtains.

However, I presume, debian wants to be secure. If no one cares and all agree with this (in my personal opinion!) security whole, I will have to accept
this. For myself I found a solution of course, and I just could have not told about it, but I cared for others and tried to put my 2 cents in it, to improve the security of debian.

If this is too much, then we can close this issue at once. Shall we?

Hans

If you are writing something confidential, it is your responsibility to
lock the door of your office.

Regards,

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

* 2024-07-14 19:44:35+0200, [email protected] wrote:

Setting umask in your shell profile isn't that hard indeed. I've doing
that for years. However, that does not mean your DE will honour that setting. I have tried to do so for KDE (more specifically Krusader), but
I ended up nowhere. I haven't found a setting that will be honoured KDE
wide or even just in Krusader alone.

I think nowadays systemd has to be told about new umask value. Many
things are branched from [email protected] unit. So, perhaps like this:

# /etc/systemd/system/[email protected]/my-umask.conf

[Service]
UMask=0007

--
/// Teemu Likonen - .-.. https://www.iki.fi/tlikonen/
// OpenPGP: 6965F03973F0D4CA22B9410F0F2CAE0E07608462

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iIYEARYIAC4WIQQL23klfGMkeOvdGCt57xklfWtWWwUCZpQaaBAcdGxpa29uZW5A aWtpLmZpAAoJEHnvGSV9a1ZbYRsA/1mGKslNYmQvJO44ekZXE1FhU5YOhRxCEoHF 5MdpnGZ0APwLyIUbhon8tF5qPMiu0srXAkq18ODLvH2yndpOnymECQ==bxv3
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-07-14 19:43, Me wrote:

Setting umask in your shell profile isn't that hard indeed. I've doing
that for years. However, that does not mean your DE will honour that
setting. I have tried to do so for KDE (more specifically Krusader), but
I ended up nowhere. I haven't found a setting that will be honoured KDE
wide or even just in Krusader alone.

Grx HdV

Twice? My apologies for that. Must have sent that without realising it.

Grx HdV

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Jul 14, 2024 at 02:10:46PM -0400, Greg Wooledge wrote:

On Sun, Jul 14, 2024 at 19:57:45 +0200, [email protected] wrote:

[...]

Does that work in KDE?

At least The Internet (TM) (from some cursory poking) seems to
say so. I stay away from DEs for... reasons, so I can't test
it.

As we discovered a few years ago, it doesn't
work in GNOME. GNOME specifically starts up its terminal emulators
via dbus or something,

Gah. What a bad taste. One reason more to stay away from DEs.

so they aren't children of the GNOME top-level
process, and don't inherit the umask or environment from the session.

I'm totally willing to believe that KDE is different, but it's not
clear whether "Lists" has tried this and failed, or simply didn't know
that it should be done this way.

It would be excellent to receive confirmation from a KDE user, either
way.

I'd be curious, too.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZpQcjAAKCRAFyCz1etHa RvxyAJwNy1nyJnWG5H413cgLnAqqCD/F+gCfTwkrFY1T4jk9RhYc8tY+HzluoJE=
=+LlC
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Jul 14, 2024 at 08:31:23PM +0200, Me wrote:

On 2024-07-14 19:57, [email protected] wrote:

[...]

[1] https://wiki.debian.org/Xsession

Did you actually try this? I did and it did not what I was expecting it to do. But maybe I should try again, maybe things have improved in the meanwhile.

Me? As I said, I don't use desktop environments. Just plain X and a
window manager (Fvwm). For me, .xsessionrc works beautifully. I had
to enable it in /etc/X11/Xsession.options (back then, maybe Jessie or
Stretch) and this has travelled across upgrades to now.

So no complaints from me :)

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZpQefwAKCRAFyCz1etHa RgehAJ94uDW+oQLwpRU29KNQgepUSLON4ACeOv8nuYrtJb/w0y2OA18KQMKBceI=
=L3P/
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-07-14 19:57, [email protected] wrote:

On Sun, Jul 14, 2024 at 07:44:35PM +0200, Lists wrote:

On 2024-07-14 19:18, Greg Wooledge wrote:

On Sun, Jul 14, 2024 at 19:09:54 +0200, Hans wrote:

I am wondering, why on a multiuser system like debian the rights for a normal
user are "rw- r-- r--", (owner: user and ownergroup: usergroup)

Tradition, and a culture based around sharing.

The Unix culture of openness and freedom (specifically the freedom to
distribute your work to others) works best if you can say "Hey Betty,
can you take a look at my .bashrc? I can't get my foo() function to
work." Or "Hey friends, I've made some changes to my bar.c file that
you might want to look at." And then they can just read the files
directly from your home directory.

If you don't like this setting, change it.

Setting umask in your shell profile isn't that hard indeed. I've doing that >> for years. However, that does not mean your DE will honour that setting. I >> have tried to do so for KDE (more specifically Krusader), but I ended up
nowhere. I haven't found a setting that will be honoured KDE wide or even
just in Krusader alone.

The place to do this is the X session [1]; system-wide in /etc/X11/Xsession.d/... and for each user in ~/.xsessionrc.
You might have to set allow-user-session in the global config /etc/X11/Xsession.options to make the second possible.

Cheers

[1] https://wiki.debian.org/Xsession

Did you actually try this? I did and it did not what I was expecting it
to do. But maybe I should try again, maybe things have improved in the meanwhile.

Grx HdV

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-07-14 19:38:26, Hans <[email protected]> spake thus:

Hi Greg,

yes, did already change it. However, this looks like a security hole for me, >as I believe, not many people or admins are changing this.

I suspect that most people /do/ change it, once they become aware of
it, for the very reason stated in the comment above 'UMASK' in the /etc/login.defs file:

<quote>
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
...
UMASK 022
</quote>

IMO debian should change this in the next release, but I doubt it.

I do not feel strongly about it, but I am sympathetic with the point
of view that having a default umask of, say, 077 would be a better
default for many unwary Day 1 *nix users. I think it is reasonable
for somebody to expect that that something is not accessible by
group or others unless the user explicitly made it so.

I have no idea how such a change might affect backward
compatibility. I'm guessing not much, since the umask value is one
of those things that tends to get set explicitly when it matters
(beyond the user's need to read or write their own files).

The user's umask value would matter less if the default perms of
user $HOME directories were 077, since then even files created with unintentionally looser perms could not be viewed by group or
others[0]. As it is, it looks[1] like default perms for $HOME are
0755.

I will ask the security team for it, they will decide.

Have fun!

Hans

-Al


[0] Assuming most files created by a user are created beneath that
user's $HOME.

[1] Just did an empirical test by spinning up a Debian 12.x
("Bookworm") AWS AMI, $HOME directories have perms 0755:

$ ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Jul 14 22:32 .
drwxr-xr-x 18 root root 4096 Jul 14 22:32 ..
drwxr-xr-x 3 admin admin 4096 Jul 14 22:32 admin

--
a l a n d. s a l e w s k i
[email protected]
[email protected]
https://github.com/salewski

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, Jul 14, 2024 at 22:15:34 -0400, Alan D. Salewski wrote:

As it is, it
looks[1] like default perms for $HOME are 0755.

If home directories are created with adduser, then the contents of /etc/adduser.conf are relevant:


# The permissions mode for home directories of non-system users.
# Default: DIR_MODE=0700
#DIR_MODE=0700

# The permissions mode for home directories of system users.
# Default: SYS_DIR_MODE=0755
#SYS_DIR_MODE=0755


If they're created by something else, then it depends on what that other creation method is.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-07-14 22:15:34, "Alan D. Salewski" <[email protected]> spake thus:
[...]

The user's umask value would matter less if the default perms of
user $HOME directories were 077

s/were/were from a umask of/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Here is some cool ascii art to illustrate permissions
after mount.

The (x)_b notation indicates that x is in base b.

# permissions
# rwxr-xr-x dirs
local dmask=022 # (22)_8 = ( 10010)_2
local fmask=133 # (133)_8 = ( 1011011)_2
# rw-r--r-- files
#

--
underground experts united
https://dataswamp.org/~incal

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

The door is closed by default in bookworm. User home directories are
created with 0700 mode, see /usr/share/doc/adduser/README.gz and /usr/share/doc/adduser/NEWS.Debian.gz As a result, it is necessary to
set ACLs e.g. to run unprivileged LXC containers.

That is not the point. The point us, that debian is creating a default user "for your daily work" at installation with umask 022.

And we are not talking about experienced users, but of linux beginners. I doubt, they are aware of umask and rights and so.

Debian is made for every people, not only for experienced people.

Yes, when adduser cares about, this is one good step, but does not touch my argumentation. Also, when some other applicatiions are setting correct rights. Some do, some don't.

That is not the point, too. The point is, should't we do it completely and
make it standard by default - also and especially during installation to make debian more secure for unexprienced users and linux noobs?

Best

Hans

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Jul 15, 2024 at 09:04:54 +0200, Hans wrote:

Also, when some other applicatiions are setting correct rights.
Some do, some don't.

File bug reports against the ones which don't.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-07-15 14:30, Eduardo M KALINOWSKI wrote:

I'm not sure if the Debian default should be changed, though.

One thing to consider is that in modern software development practices
the idea of secure/private by default is getting more and more important
and implemented. It is good practice to protect yourself and your users
against mistakes. I know things can be done to set a proper mask, but
why not opt for the same stance that firewalls have adopted long ago,
being "deny by default"? In some cases that might make a system harder
to use, but I don't see how that could be the case in a user's home
directory.

Just my 2 cents.

Grx HdV

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 14/07/2024 14:09, Hans wrote:

Dear list,

I am wondering, why on a multiuser system like debian the rights for a normal user are "rw- r-- r--", (owner: user and ownergroup: usergroup)

Of course there is a reason for this, but it is not understandable for me.

First two are clear: rw for myself, and readable for all users, i am allowing into my own grou.

The last one is not clear for me. Why should I allow the rest of the world read my personal documents? These are private and no one else should be able to read them!

So I would have expected a setting of "rw- r-- ---" for any files.

Before someone argues, "you can change this by editing umask", yes, I know of this of course.

But it is not clear for me, why it is set that way by default and not as I would have expected as described above.

Sure, there is a reason for this, so I will be happy, if someone could enlighten me.

I kind of agree with that in principle, and I've always used an umask
077 myself.

On the other hand, I'm the only user in my system, so it doesn't really
matter. I expect that is the case for most users.

I'm not sure if the Debian default should be changed, though.

--
Actually, my goal is to have a sandwich named after me.

Eduardo M KALINOWSKI
[email protected]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

If people on this mailing list are so concerned about other people's
umasks, then I would suggest a great starting point would be to start by
making it POSSIBLE for other people to set their umasks the way they want.

If you use a Desktop Environment, go to your DE's support mailing list,
and ask them how to set your umask so that it works as expected in all
of your programs. This must include programs that are launched at login,
and programs that are launched by a menu or icon, and terminal emulators
(and not merely the shells that run inside terminal emulators).

Make sure whatever solution they give you applies regardless of whether
a program is launched as a child of a window manager, or a child of
a systemd user session, or a child of dbus.

If they can't give you a solution that works in all of these cases,
**make them fix their stupid software**. Do not let up until they have
given their users a way to configure their environments as needed.

Once all of the Desktop Environments provide a way to do what you want, **then** you might think about leaning on Debian to change their defaults.
That will be a separate battle, but it's not a battle you can currently
even **begin** fighting.

Also bear in mind, this is the Debian **user** mailing list, and none of
us have any power whatsoever over the Debian project. Let alone over
the various Desktop Environments.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Jul 16, 2024 at 08:02:45 +0700, Max Nikulin wrote:

(I am not convinced that default umask should be changed)

Neither am I. But more to the point, it appears that the default umask literally *cannot* be changed in any kind of universal way. There are,
like, half a dozen different places you'd have to apply a change in
order to cover just the *most common* workflows. Who knows how many
more corner cases would be missed?

On Tue, Jul 16, 2024 at 07:53:31 +0700, Max Nikulin wrote:

First of all, it is up to display manager to read or to ignore ~/.profile
and ~/.xsessionrc. SDDM reads them. However it affects only /usr/bin/startplasma-x11 subtree. Most user applications are started under "/lib/systemd/systemd --user"

So, this is a variant of the same problem we observed with GNOME a few
years ago, just with systemd --user instead of dbus. Desktop Environments
are not the parent processes of the programs that they run. This means
there's no way for end users to configure the environments of their
own programs.

https://wiki.archlinux.org/title/umask#Set_umask_value_for_KDE_/_Plasma

This one gives two alternatives, both of which require editing files as
root.

systemd.exec(5)

UMask=
Controls the file mode creation mask. Takes an access mode in octal notation. See umask(2) for details. Defaults to 0022 for system units.
For user units the default value is inherited from the per-user service manager (whose default is in turn inherited from the system service manager, and thus typically also is 0022 — unless overridden by a PAM module). In order to change the per-user mask for all user services, consider setting the UMask= setting of the user's [email protected] system service instance. The per-user umask may also be set via the umask field
of a user's JSON User Record[5] (for users managed by systemd-homed.service(8) this field may be controlled via homectl --umask=). It may also be set via a PAM module, such as pam_umask(8).

[5] refers to <https://systemd.io/USER_RECORD>.

I defy any human being to read that web page and tell me WHAT FILE TO
EDIT, and WHAT TO PUT IN IT, to effect a change to your environment.

I can't find anything concrete in there. Just a bunch of jabber.

The only filename I could find by skimming that thing was ~/.identity,
and that's buried *deep* inside the page. Is that the file you're
supposed to create and/or edit? What do you put in it to make your
programs have a umask of your choosing? Is there an example?

https://github.com/systemd/systemd/issues/16963#issuecomment-689656886 poettering commented Sep 9, 2020

The [email protected] templated system service is instantiated for each
user. It's a system service like any other, hence you can extend it via drop-ins, and thus configure UMask= for it, like for any other system service. e.g.

mkdir -p /etc/systemd/system/[email protected]e.d
cat > /etc/systemd/system/[email protected]e.d/umask.conf<<EOF
[Service]
UMask=0007
EOF
systemctl daemon-reload

So, this way requires root privileges as well.

How does an ordinary user modify *THEIR OWN ENVIRONMENT* without superuser access?

If you don't use a Desktop Environment, then this is ridiculously simple.
You put the commands to alter your environment in your ~/.profile or
equivalent for your shell, for your shell logins. You put the commands
in ~/.xsessionrc (on Debian), for your X sessions, if you use a Display
Manager to login. (If you use startx, you don't even have to do that;
your X session will inherit the environment from your login shell.)

All of the programs you run, other than cron jobs, will inherit their environment either from your login shell, or from your X session. So
this works.

In a DE, this is just impossible to do.

Why are Desktop Environments so *stupidly broken*? Why don't their
developers seem to *care*?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Jul 16, 2024 at 09:58:20 +0700, Max Nikulin wrote:

I have naively tried

cat ~/.config/systemd/user/service.d/umask.conf
[Service]
UMask=0007

From xterm and konsole:

umask
0007

OK. Let's follow this path a bit.

I googled "how to create a systemd user service" and got <https://blog.victormendonca.com/2018/05/14/creating-a-simple-systemd-user-service/>.

Starting from there:

hobbit:~$ cd .config
hobbit:~/.config$ mkdir -p systemd/user
hobbit:~/.config$ vi systemd/user/xterm.service
hobbit:~/.config$ cat systemd/user/xterm.service
[Unit]
Description=Try to run an xterm

[Service]
Type=simple
StandardOutput=journal
ExecStart=/usr/bin/xterm

[Install]
WantedBy=default.target
hobbit:~/.config$ systemctl --user enable xterm.service
Created symlink /home/greg/.config/systemd/user/default.target.wants/xterm.service → /home/greg/.config/systemd/user/xterm.service.
hobbit:~/.config$ systemctl --user start xterm.service


This caused an xterm to popup. OK, so far so good. Apparently the
systemd --user process inherits my $DISPLAY, so it's able to launch an
xterm.

I closed the xterm, and then:

hobbit:~$ cd ~/.config/systemd
hobbit:~/.config/systemd$ ls
user/
hobbit:~/.config/systemd$ ls user
default.target.wants/ xterm.service
hobbit:~/.config/systemd$ cd user
hobbit:~/.config/systemd/user$ mkdir service.d
hobbit:~/.config/systemd/user$ vi service.d/umask.conf hobbit:~/.config/systemd/user$ cat service.d/umask.conf
[Service]
UMask=0007


Then:

hobbit:~$ systemctl --user start xterm.service


I ran umask within this xterm, and got 0022. Next:

hobbit:~$ systemctl --user daemon-reload
hobbit:~$ systemctl --user start xterm.service


This time, umask gave me 0007.

So it looks like your technique works, allowing an end user to create a
systemd --user configuration file which affects all(?) of their
systemd --user services, if they have any.

I also performed this experiment:

hobbit:~$ vi .config/systemd/user/service.d/env.conf
hobbit:~$ cat .config/systemd/user/service.d/env.conf
[Service]
Environment="FOO=%h/test123" "BAR=b a r"
hobbit:~$ systemctl --user daemon-reload
hobbit:~$ systemctl --user start xterm.service


The resulting xterm had umask 0007, and the expected values in the FOO
and BAR environment variables (with %h expanded to my home directory,
as documented in systemd.unit(5)).

I'm assuming the two files in service.d/ can be merged, but I didn't
test that.

So, this is a highly positive result. (And surprising. Why isn't this
stuff documented in ALL the places??) It looks like there's a chance
that some Desktop Environments can be configured by end users after all.

Now we just need for GNOME users to discover a way to configure the
programs that are started as children of dbus, and then we can move
forward. Documentation would be my top priority. If other people want
to try to drum up interest in environment configuration, then there'll
be documentation available for end users to follow.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Greg Wooledge (12024-07-15):

Neither am I. But more to the point, it appears that the default umask literally *cannot* be changed in any kind of universal way. There are,
like, half a dozen different places you'd have to apply a change in
order to cover just the *most common* workflows. Who knows how many
more corner cases would be missed?

This is very true. And alas, it is not limited to umask: environment
variables, limits, etc.

The solution I chose for myself is to put it in .zshenv, zsh being my
shell, and making sure all my other startup scripts are #!/bin/zsh. But
I am sure modern display managers manage to start modern desktop
environments that manage to run user applications without ever invoking
the login shell. Yay for modernity.

Anyway, this whole discussion is moot, because:

- Experienced users can find a solution for the specific system they
use.

- Even though the default umask is permissive, the permissions on ~ can
be restrictive, and for lusers it is functionally equivalent, and the
default permissions on ~ is asked by debconf.

Regards,

--
Nicolas George

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Jul 16, 2024 at 18:42:40 +0700, Max Nikulin wrote:

On 16/07/2024 10:39, Greg Wooledge wrote:

hobbit:~/.config$ cat systemd/user/xterm.service

I am a bit afraid that corner cases might exist because there are no
.service files for applications started from menus and runners

Well, I don't have "menus and runners". I had to create *something*
I could use for testing, and that's what I came up with.

Now we just need for GNOME users to discover a way to configure the programs that are started as children of dbus, and then we can move forward.

I do not have a recent live image on my disk to verify, but I expect that nowadays Gnome uses systemd session as well. Desktop environments that have not migrated to systemd likely still relies on Xsession.

There are very few GNOME users on this mailing list. We do not reflect
the typical Debian population very well at all. Most of us are older,
more traditional users, who favor plain window managers (fvwm and company)
or lighter Desktop Environments.

This makes it hard to support certain parts of Debian, and GNOME is
definitely on that "hard to support" list.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Jul 15, 2024 at 23:39:54 -0400, Greg Wooledge wrote:

Now we just need for GNOME users to discover a way to configure the
programs that are started as children of dbus, and then we can move
forward. Documentation would be my top priority. If other people want
to try to drum up interest in environment configuration, then there'll
be documentation available for end users to follow.

I've added a bit of content to <https://wiki.debian.org/EnvironmentVariables>.

I didn't mention dbus at all. If anyone knows about dbus configuration,
please feel free to add it, or to post something here on debian-user.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Jul 16, 2024 at 22:21:23 +0700, Max Nikulin wrote:

Greg, do you have an example when Environment= in service.d works, but an environment.d file does not?

Oh gods, there's MORE shit to worry about?? Of course there is.
Bloody hell.

In previous years, I remember exploring environment.d and discarding it, because it never achieved the goals that I had in mind. At that time, I
was trying to find a shell-agnostic and login-style-agnostic way to set environment variables for all login sessions (console, ssh, DM).

environment.d is not that.

But in this particular investigation, we're "only" trying to find a
way to configure the user environment for programs started by Desktop Environments. So, back to the laboratory....

Given the existence of the following files:

-rw-r--r-- 1 greg greg 66 Jul 16 11:43 .config/environment.d/foo.conf -rw-r--r-- 1 greg greg 51 Jul 15 23:24 .config/systemd/user/service.d/env.conf -rw-r--r-- 1 greg greg 21 Jul 15 23:39 .config/systemd/user/service.d/umask.conf

And given that "systemctl --user daemon-reload" has been performed since
they were last edited, what I'm seeing is that the contents of the environment.d file are applied *first*, and then the contents of the
service.d files are applied *second*, overriding whatever was in the environment.d file.

Also, and this is *highly* noteworthy, the syntaxes are different.
In particular, expansions like %h are performed in the service.d files,
but *not* in the environment.d files.

On the other hand, environment.d(5) says you can use a limited subset of
shell expansion syntax. It might be worth investigating exactly what
variables are available for expansion at that time, but at first glance,
it looks like service.d with its %h is probably going to be more useful.

For anyone reading this in the archives, out of context, please note that
the contents of these files *do not* apply to user logins. They only
apply to programs started by the systemd --user daemon.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Jul 16, 2024 at 11:52:29AM -0400, Greg Wooledge wrote:

On Tue, Jul 16, 2024 at 22:21:23 +0700, Max Nikulin wrote:

Greg, do you have an example when Environment= in service.d works, but an environment.d file does not?

Oh gods, there's MORE shit to worry about?? Of course there is.
Bloody hell.

[...]

For anyone reading this in the archives, out of context, please note that
the contents of these files *do not* apply to user logins. They only
apply to programs started by the systemd --user daemon.

Thanks for the interested read.

It reminds me of the horror stories we told each other when 14 or so, at
the campfire.

Somehow I'm glad I stayed away from DEs and systemd up to now. Perhaps I
just retire before the alternatives aren't viable anymore. Or perhaps, as
with PulseAudio, I can leapfrog that "tech".

(The most probable outcome though is even less rosy: everything'll run in
the browser, and Secure Boot will make sure that your hardware refuses to
run anything else, because the chips are sponsored by the Ad Industry.

Oh, well).

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZpaxhwAKCRAFyCz1etHa RnyZAJ98J9bfcycRuhlvaqHlsdRfhIo8ZwCdHuV769dd7NOSiya75BpERpbbDQ0=
=qVX/
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

[email protected] wrote:

Somehow I'm glad I stayed away from DEs and systemd up to now. Perhaps I
just retire before the alternatives aren't viable anymore. Or perhaps, as with PulseAudio, I can leapfrog that "tech".

Retirement is no solution.
What shall we retirees do when X11 is laid to rest ?
I am not aware of anything like fvwm running on Wayland.

(The most probable outcome though is even less rosy: everything'll run in
the browser,

Maybe we can run X11 and fvwm on a virtual outdated graphics board in a
browser window ?

and Secure Boot will make sure that your hardware refuses to
run anything else, because the chips are sponsored by the Ad Industry.

That would make not much difference to the end of fvwm.

"A life without pug is possible but pointless."
(Loriot: "Ein Leben ohne Mops ist moeglich, aber sinnlos.")


Have a nice day :)

Thomas

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Darac Marjal <[email protected]> wrote:

I'm not saying that what you did was wrong, but systemd provides a
few shortcuts which can make things a bit more user-friendly.

On 16/07/2024 04:39, Greg Wooledge wrote:

OK. Let's follow this path a bit.
I googled "how to create a systemd user service" and got <https://blog.victormendonca.com/2018/05/14/creating-a-simple-systemd-user-service/>.

Starting from there:

hobbit:~$ cd .config
hobbit:~/.config$ mkdir -p systemd/user
hobbit:~/.config$ vi systemd/user/xterm.service
hobbit:~/.config$ cat systemd/user/xterm.service
[Unit]
Description=Try to run an xterm

[Service]
Type=simple
StandardOutput=journal
ExecStart=/usr/bin/xterm

[Install]
WantedBy=default.target

I think the systemd shortcut here is "systemctl --user edit
xterm.service". Now, "systemctl edit" usually edits an "override"
file (allowing you to override settings supplied by the OS, you can
edit the service file directly by adding the "--full" option. And, if
you are creating a new service you tend to have to add "--force". So,
the most reliable command for editing a user command would be
"systemctl --user edit --force --full xterm.service".

One advantage of using "systemctl edit" rather than simply "$EDITOR"
is that "systemctl edit" will perform a daemon-reload upon exiting
the editor. That is, "systemctl edit" makes systemd aware of the
changes.

hobbit:~/.config$ systemctl --user enable xterm.service
Created
symlink /home/greg/.config/systemd/user/default.target.wants/xterm.service → /home/greg/.config/systemd/user/xterm.service. hobbit:~/.config$ systemctl --user start xterm.service

You can combine "enable" and "start" into a single command by adding
"--now" to the enable command, thus: "systemctl --user enable --now xterm.service".

Increasingly systemd reminds me of SMIT (the system management part of
AIX). Designed to simplify complicated system management scripts by
using multiple short scripts, it just resulted in thousands and
thousands of system management scripts to manage :(

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------dXa1pfzz13uQS3BlcXh1X0p0
Content-Type: multipart/alternative;
boundary="------------hmJ4Hpt6nLk70r0HXHGAlXDn"

--------------hmJ4Hpt6nLk70r0HXHGAlXDn
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

DQo+IERlYmlhbiBpcyBhIG11bHRpLXVzZXIgb3BlcmF0aW5nIHN5c3RlbS4gRGVjaXNpb25z IHNob3VsZCBiZSBtYWRlIGFjY29yZGluZ2x5Lg0KPg0KPiBJIHN1cHBvc2UgdW1hc2sgaXMg YSBtb290IHBvaW50IG9uIHBob25lcyBhbmQgdGFibGV0cywgd2hlcmUNCj4gc2luZ2xlLXVz ZXIgaXMgb2Z0ZW4gdGhlIHVzZSBjYXNlLg0KT24gdGhlIGNvbnRyYXJ5LCBtb2Rlcm4gQW5k cm9pZCBpcyBzdHJvbmdseSBtdWx0aS11c2VyLiBFYWNoICJhcHAiIHRlbmRzIA0KdG8gYmUg YWxsb2NhdGVkIGl0cyBvd24gdXNlciBJRC4gVGhlIGxvZ2ljIGlzIGlzIHRvIHByb3ZpZGUg c3Ryb25nIA0KaXNvbGF0aW9uIGJldHdlZW4gYXBwcy4NCj4NCj4gSmVmZg0KPg0K --------------hmJ4Hpt6nLk70r0HXHGAlXDn
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<span style="white-space: pre-wrap">
</span>
<blockquote type="cite" cite="mid:CAH8yC8=[email protected]">
<pre class="moz-quote-pre" wrap="">Debian is a multi-user operating system. Decisions should be made accordingly.

I suppose umask is a moot point on phones and tablets, where
single-user is often the use case.</pre>
</blockquote>
On the contrary, modern Android is strongly multi-user. Each "app"
tends to be allocated its own user ID. The logic is is to provide
strong isolation between apps.<br>
<blockquote type="cite" cite="mid:CAH8yC8=[email protected]">
<pre class="moz-quote-pre" wrap="">

Jeff

</pre>
</blockquote>
</body>
</html>

--------------hmJ4Hpt6nLk70r0HXHGAlXDn--

--------------dXa1pfzz13uQS3BlcXh1X0p0--

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEE1A0c5XWknk+U2MemZUdBNabqRbUFAmaWx1MFAwAAAAAACgkQZUdBNabqRbVk KBAAr0+l2l1B3UHPVHAREIbob1s0KeVZV8qQQbPjvDDgsODLi1ZFuAf58ZMTfAETfyBBEilhii6K M0F3+hWQwDYzkPAKflvmAMcy0zNQsIdVBkL4AnKSArr/svv6bNw3/ri+GFwqqaQPExHoOd3+OznE RycZmlswS5Ltmk/D4VZb1D3zhbxb9JocKZEMcV4NskLJhphT/xu4D73S3ScJgc639u+0nPXUkicB HTBx/SzL5IUGiNkvgqHzmtZClCYqhTPPmP6aOAyVHEp0COnygBVPh3ukdXVfNETg2P+PhXoYC8iV 2iaFHTDukBl/x9Kuz0t1ukX8C9Lh/xvbd8c3CiXH9E8qD1s5yhCxGHj93MxF3OIA1fiVPuuW+apQ 37b3/yVwXDKogKNKevaDT1kS7DeHQP6xOM7lE5aj4aAHRS1SyIcLCUUlsGS1N2Ppe+wgK8ZY+/NQ X25DmzrgLRy/9rs0lVJsjThXp8HocXk0Vx/Z0YZ3SmF4gFE1x0XwOjaiSn3WJkqu+c5wZXuJg4bx KGzxxFexjwtBtMILoyWPvTlYyXxVUjs3zeYLGnlXH3hgEoN1smKY12Nwaa/prTOYuvi7JxbZ8ELO xUvXX/vSgkIFlRE6BoJ+7KNbmBaexv6R+goRgeCWaCdzAYHqxWy6tKN2yEC4t7gAxSpJ5DB/ZB02 rlk=
=0JlP
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Jul 16, 2024, Thomas Schmitt wrote:

Hi,

[email protected] wrote:

Somehow I'm glad I stayed away from DEs and systemd up to now. Perhaps I just retire before the alternatives aren't viable anymore. Or perhaps, as with PulseAudio, I can leapfrog that "tech".

Retirement is no solution.
What shall we retirees do when X11 is laid to rest ?
I am not aware of anything like fvwm running on Wayland.

Use tty1 with screen/tmux? :D

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3asj+xn6fYUcweBnbWVw5UznKGAFAmaW//4ACgkQbWVw5Uzn KGCkEQ/+LBV/9EfTjsKAtksHGAZpMDpZdsCuwUNisKxsTW+I/S7SXlE8gwmsz75y 7vp9/x/hxNRUniN7Oa1G3bhDPXJuxk97YU08FrB5yI3oPKOrmoP0Kgv9hXuFAnem IJ1PxbJYUEmCi4O1DOZgkMr2pxaszQeSo1E5lXDtLCFdYRepMcNNP1Eo1Pdv9Ynh J/PItYdc1yZn+iLwtdooZ81/XwqGfCqnjCeO6hmqylbCAOCsZh1ux2ib4MJNoJvp 9Db7puJQzXzGd0FOFqjikqWKfxQNWrXgoPuhhdkNz8QroeLD5SMtcZEQY82+1+xf XyNeytHMamKiAya1lO4qGdgYLXz0/EtN0iSCqWIeJexXVuCzv9igieuvP0EnZL77 3ixzxn3TQbU+YJx9iw0jqb63c99o0GJagYqjny04TgoWwrNt0PZ0J3Vb3+9sMMwG 3LGnKoy5IFgjH1vgp+kryK1yTcBWtzBQ2Cne6qy0E3v/hq+ApF8ZAomfkbDhrdaT eU9konSpJSu/eoOoYOWho86Fx8GmJ0ekI2kNyiJMmHc8w94V9x+98lSwcpFjpmYS +P54xj2IFk5ooxPrJyXvH2X+ie+eJnNVecyQfpQ5PkVQRiRy9sdzV5mp0Qa29V9E 4xi93lDQ81yzsN1SPcK3oKvMmAWpfhJOv/ee5kNu4yrYbjvdnss=
=ObWX
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Us

On Mon, 15 Jul 2024, Jeffrey Walton wrote:

Debian is a multi-user operating system. Decisions should be made accordingly.

I suppose umask is a moot point on phones and tablets, where
single-user is often the use case.

umask 077 can come with its own problems when using shared directories.

years ago I used to use cvs pserver specifically to finesse this
problem. Now that (almost) everybody uses a remote git server it's less relevant there.

I'm not a sudo user but IIUC, root inherits the umask, which can then
cause problems when things can't read config files that should be world readable.

Rather than change umask, I'd suggest that the better change is to make
home directories 0700 by default. If that is the wrong choice then it
only has to be fixed once per user. Creating 'world/group' readable
files with too restrictive permissions never goes away.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jul 17, 2024 at 22:10:28 +0700, Max Nikulin wrote:

Do you mean the following bug or something else? <https://bugs.debian.org/711104>
login: su - doesn't set umask
Fixed in version pam/1.5.3-1
Tue, 16 Jan 2024 00:19:23 +0000

Huh... given the age of the bug, I expected this was something already
done in bookworm, but it's not.

hobbit:/etc/pam.d$ grep -i umask *
hobbit:/etc/pam.d$ grep -i mask *
hobbit:/etc/pam.d$

Bookworm has PAM package version 1.5.2-6+deb12u1, not 1.5.3. Looks like
this change was only made this year, and therefore won't appear until
Debian 13.

This makes me wonder what's setting umask *now*. Is it still PAM, just
using a compile-time default instead of a value that's discoverable in
a conffile?

Also, this confused me:

hobbit:/etc/pam.d$ dpkg -S /etc/pam.d/common-session
dpkg-query: no path found matching pattern /etc/pam.d/common-session

Where does that file come from, then? The installer? Oh wait, there are postinst scripts....

hobbit:~$ grep common-session /var/lib/dpkg/info/*.postinst /var/lib/dpkg/info/libpam-runtime.postinst: for configfile in common-auth common-account common-session \
/var/lib/dpkg/info/libpam-runtime.postinst: "$DPKG_ROOT"/etc/pam.d/common-session.pam-old

So I guess that file comes from libpam-runtime, but it's not managed
like a regular conffile. I suppose there was some reason for this, even
if I can't guess it.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, 17 Jul 2024, Max Nikulin wrote:

On 17/07/2024 15:37, Tim Woodall wrote:

umask 077 can come with its own problems when using shared directories.

<https://wiki.debian.org/UserPrivateGroups>

Taking into account old 022 vs. 002 discussions it might be 007.

I'm not a sudo user but IIUC, root inherits the umask, which can then
cause problems when things can't read config files that should be world
readable.

Do you mean the following bug or something else?

No, I'm talking about sudo, not su. I'm not a sudo user so I can't test
but my understanding is that root inherits the umask of the invoking
user (or it used to)

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jul 17, 2024 at 17:58:57 +0100, Tim Woodall wrote:

No, I'm talking about sudo, not su. I'm not a sudo user so I can't test
but my understanding is that root inherits the umask of the invoking
user (or it used to)

Looks like this is still true.

hobbit:~$ bash
hobbit:~$ umask 077
hobbit:~$ umask
0077
hobbit:~$ sudo -s
[sudo] password for greg:
root@hobbit:/home/greg# umask
0077
root@hobbit:/home/greg# exit
exit
hobbit:~$ sudo -i
root@hobbit:~# umask
0077
root@hobbit:~# exit
logout
hobbit:~$ sudo bash -c umask
0077
hobbit:~$ umask 022
hobbit:~$ sudo bash -c umask
0022

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Jul 17, 2024 at 20:51:40 +0200, Franco Martelli wrote:

If you plan to add your contribute to the wiki page (see above) in the section: "Desktop Environments and systemd user services" e.g.:

- ...
- systemctl --user daemon-reload
- /Restart your Desktop session/

Please consider also to specify the Desktop you use, because newbies don't know nothing about: "Some Desktop Environments launch programs via systemd user services." Which Desktop?

Well, that's the problem, isn't it? *We* don't know either, because
most of us don't use one!

I'm doing the best I can trying to document these systems that I don't
use personally. It would be *nice* if their developers would document
them, so we wouldn't have to reverse engineer how they work and come up
with our own workarounds. It's much, much harder when you can't even
reverse engineer one yourself, and instead have to rely on the reports
of other users.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Jul 18, 2024 at 09:07:48 +0700, Max Nikulin wrote:

Taking into account a number of bugs, perhaps it is not really bad that recipes how to change umask are not easily available. Documentation should
be extensive enough to describe possible pitfalls.

That's an odd stance, especially if you consider that changing your umask
used to be literally a one-line change. It still is, if you only use
the shell (locally or remotely). It still is, if you use a shell login
plus startx plus a traditional window manager.

Even with a Display Manager login and a traditional WM, there are still
just two places you need to change.

It only becomes *hard* when Desktop Environments are introduced into the picture.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Greg Wooledge wrote:
...

It only becomes *hard* when Desktop Environments are introduced into the picture.

so far, agreed, i poked at it a bit the other day to see
if MATE would work with the roughly (user-@1000,etc) systemd
unit approach but that didn't accomplish anything i could tell.

no more time this week for such journeys and
exploritations... but i'll continue reading along as i get
time as the topic is interesting and convoluted which are
the best sort of puzzles. :)


songbird

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Max Nikulin wrote:

On 19/07/2024 04:11, songbird wrote:

so far, agreed, i poked at it a bit the other day to see
if MATE would work with the roughly (user-@1000,etc) systemd
unit approach but that didn't accomplish anything i could tell.

It would be great if those, who tried it, reported more precise what
they did.

- Did you call "systemctl daemon-reload" for *system* instance after
adding a drop-in for [email protected]e?
- Did you do logout after in the case of *user* service.d override? It
is not enough to execute "systemd --user daemon-reload".
- Does MATE use scopes and services to run applications an components?
"ps xwf" and "systemd-cgls" trees may clarify where started applications appear.

neither of those show all the programs that i have
included on the panels, but there are cgroups and some
of the other programs listed.

the missing programs are indeed being started since i
use them all the time.


songbird

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Jul 19, 2024 at 23:04:25 +0700, Max Nikulin wrote:

On 16/07/2024 20:46, Greg Wooledge wrote:

On Mon, Jul 15, 2024 at 23:39:54 -0400, Greg Wooledge wrote:

Now we just need for GNOME users to discover a way to configure the programs that are started as children of dbus, and then we can move forward. Documentation would be my top priority. If other people want to try to drum up interest in environment configuration, then there'll
be documentation available for end users to follow.

I've added a bit of content to <https://wiki.debian.org/EnvironmentVariables>.

Isn't the following a more suitable article for umask? <https://wiki.debian.org/Permissions#Setting_default_umask>
I think, it is better to drop UMask note from EnvironmentVariables.

I've made some minor changes to both pages.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)