Document pam_umask change, Closes: #1065806

2 files changed, 15 insertions, 85 deletions

diff --git a/debian/NEWS b/debian/NEWS
deleted file mode 100644
index c6c4f7f0..00000000
--- a/debian/NEWS
+++ /dev/null
@@ -1,85 +0,0 @@
-pam (1.1.2-1) unstable; urgency=low
-
-  * Name of option for minimum Unix password length has changed
-
-    The Debian-specific 'min=n' option to pam_unix for specifying minimum
-    lengths for new passwords has been replaced by a new upstream option
-    called 'minlen=n'.  If you are using 'min=n' in
-    /etc/pam.d/common-password, this will be migrated to the new option name
-    for you on upgrade.  If you have configured pam_unix password changing
-    elsewhere on your system, such as in a PAM profile under
-    /usr/share/pam-configs or in other files in /etc/pam.d, you will need to
-    update them by hand for this change.
-
- -- Steve Langasek <vorlon@debian.org>  Tue, 31 Aug 2010 23:09:30 -0700
-
-pam (1.1.0-3) unstable; urgency=low
-
-  * pam_rhosts_auth module obsolete, symlink removed
-
-    The pam_rhosts_auth module was dropped upstream prior to the lenny
-    release and a compatibility symlink provided in the libpam-modules
-    package, pointing at the new (and not 100% compatible) pam_rhosts
-    module.  This symlink has now been dropped.  If you still have
-    references to pam_rhosts_auth in your /etc/pam.d/* config files, you
-    will need to fix these, since they no longer work.
-
-    For information on using pam_rhosts, see the pam_rhosts(8) manpage.
-
- -- Steve Langasek <vorlon@debian.org>  Wed, 02 Sep 2009 16:17:16 -0700
-
-pam (1.1.0-1) unstable; urgency=low
-
-  * pam_cracklib no longer checks for reuse of old passwords
-
-    The pam_cracklib module no longer checks /etc/security/opasswd to see
-    if the proposed password is one that was previously used.  This
-    functionality has been split out into a new module, pam_pwhistory.
-
-    The pam_unix module still does its own check of /etc/security/opasswd,
-    so if you are using this module you should not need to change anything.
-
-  * Change in handling of /etc/shadow fields
-
-    The Debian PAM package included a patch to treat a value of 0 in certain
-    fields in /etc/shadow as the same as an empty field.  This patch has
-    been dropped, since it caused the behavior of pam_unix to differ from
-    both that of PAM upstream and that of the shadow package.
-
-    The main consequences of this change are that:
-
-    - a "0" in the sp_expire field will be treated as a date of Jan 1, 1970
-      instead of a "never expires" value, so users with this set will be
-      unable to log in
-
-    - a "0" in the sp_inact field will indicate that the user should not be
-      allowed to change an expired password at all, instead of being allowed
-      to change an expired at any time after the expiry.
-
-    See Debian bug #308229 for more information about this change.
-
- -- Steve Langasek <vorlon@debian.org>  Tue, 25 Aug 2009 00:13:57 -0700
-
-pam (0.99.7.1-5) unstable; urgency=low
-
-  * Default Unix minimum password length has changed
-
-    Previous versions of pam_unix on Debian had a built-in minimum password
-    length of 1 character, and a minimum password length configured in
-    /etc/pam.d/common-password of 4 characters.  This differed from the
-    upstream default of 6 characters.  This has been changed, so the
-    default /etc/pam.d/common-password no longer overrides the compile-time
-    default and the compile-time default has been raised to 6 characters.
-    If you are using pam_unix but are not using the default
-    /etc/pam.d/common-password file, it is recommended that you drop any
-    min= options to pam_unix from your config unless you have stronger
-    local password requirements that the upstream default.
-
-    The password length 'max' option has also been deprecated in this
-    version because it was never written to work as suggested in the
-    documentation.  If you are using pam_unix but are not using the default
-    /etc/pam.d/common-password file, you should remove any old max= options
-    to pam_unix from your config as this option will be considered an error
-    in future versions of pam.
-
- -- Steve Langasek <vorlon@debian.org>  Sat, 01 Sep 2007 21:27:11 -0700
diff --git a/debian/libpam-modules.NEWS b/debian/libpam-modules.NEWS
new file mode 100644
index 00000000..01dcfe1c
--- /dev/null
+++ b/debian/libpam-modules.NEWS
@@ -0,0 +1,15 @@
+pam (1.5.3-7) unstable; urgency=medium
+
+    Starting with PAM version 1.5.3, Debian supports usergroups for default
+    umask of users logging in.  If the primary group name of a user
+    matches their primary user name (user pat's default group is also
+    called pat), then files will be group writable by default. To disable
+    this user a group name that differs from the user name or add
+    nousergroups to the pam_umask line in
+    /etc/pam.d/common-session:
+
+    session optional			pam_umask.so nousergroups
+
+
+ -- Sam Hartman <hartmans@debian.org>  Mon, 08 Apr 2024 16:15:58 -0600
+