enable usergroups and add pam_umask in common-session(-noninteractive)

Andreas Henriksson requested to merge ah/pam:ah/enable-usergroups into master

This merge-request contains a set of changes to enable the usergroups option of pam_umask by default as well as adding pam_umask.so as an optional session module.

There's also a commit that adds a new option nousergroups to the pam_umask module (and documents it) to allow users who don't want to use usergroups to disable it, but if you want to skip that one I don't mind at all as I'm personally just interested in a sane default.

These changes together will make sure that umask is reset when switching to a different user, e.g. su - testuser will end up with umask 0002 no matter what your previous umask was. (And su - will end up with umask 0022 as root user is special cased, see usergroups in man pam_umask.) Previous behaviour is that the umask would be inherited. E.g. if umask currently reported 0777, after doing su - the new session would end up with umask 0777.

The bug reports in the debian bug tracking system that this fixes are mentioned in each commit, but also listed below for convenience. Please use gbp dch --auto to update debian/changelog after merging.
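
The usergroups rule and the before/after behaviour described in this merge request, modelled as an added illustration (not code from the merge request or from pam_umask itself). The base umask of 022, the account names and uid 1000 are assumptions, and `apply_usergroups` and `session_umask` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* usergroups rule as documented in pam_umask(8): if the user is not root and
 * the user name equals the primary group name, the group bits of the umask
 * are set to the owner bits (022 -> 002, 077 -> 007). */
static mode_t apply_usergroups(mode_t mask, uid_t uid,
                               const char *user, const char *primary_group)
{
    if (uid != 0 && strcmp(user, primary_group) == 0)
        mask = (mask & ~(mode_t)070) | ((mask >> 3) & 070);
    return mask;
}

/* Umask a new session ends up with (simplified model).
 * inherited:  umask of the calling process (what `su -` starts from)
 * configured: base umask the module applies (assumed to be 022 here)
 * module_on:  pam_umask.so is present in the session stack
 * usergroups: usergroups behaviour enabled (0 models nousergroups) */
static mode_t session_umask(mode_t inherited, mode_t configured, int module_on,
                            int usergroups, uid_t uid,
                            const char *user, const char *primary_group)
{
    if (!module_on)
        return inherited;   /* previous behaviour: caller's umask carries over */
    if (!usergroups)
        return configured;
    return apply_usergroups(configured, uid, user, primary_group);
}

int main(void)
{
    /* Constructed sample accounts, not taken from the merge request. */
    printf("no pam_umask:        %04o\n",
           (unsigned)session_umask(0777, 022, 0, 0, 1000, "testuser", "testuser"));
    printf("testuser, private:   %04o\n",
           (unsigned)session_umask(0777, 022, 1, 1, 1000, "testuser", "testuser"));
    printf("root:                %04o\n",
           (unsigned)session_umask(0777, 022, 1, 1, 0, "root", "root"));
    printf("testuser, shared gr: %04o\n",
           (unsigned)session_umask(0777, 022, 1, 1, 1000, "testuser", "users"));
    return 0;
}
```

The last case is the one to check when reviewing accounts: a user whose primary group is a shared group such as `users` keeps 022, so the relaxed group bits only apply where the group is private to the user.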
