diff --git a/ChangeLog b/ChangeLog
index 3ea3b846..10299489 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@
 	* man/limits.5.xml: Remove space before an end of tag.
 	* man/useradd.8.xml, man/login.defs.d/CREATE_HOME.xml,
 	man/login.defs.5.xml: Document the CREATE_HOME variable.
+	* etc/login.defs: Improve the documentation of UMASK.
 
 2009-01-06  Sebastian Rick Rijkers  <srrijkers@gmail.com>
 
diff --git a/etc/login.defs b/etc/login.defs
index dbb96486..6dc46953 100644
--- a/etc/login.defs
+++ b/etc/login.defs
@@ -169,7 +169,6 @@ TTYPERM		0600
 #
 #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
 #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
-#	UMASK		Default "umask" value.
 #	ULIMIT		Default "ulimit" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
@@ -180,9 +179,16 @@ TTYPERM		0600
 #
 ERASECHAR	0177
 KILLCHAR	025
-UMASK		022
 #ULIMIT		2097152
 
+# Default initial "umask" value for non-PAM enabled systems.
+# UMASK is also used by useradd and newusers to set the mode of new home
+# directories.
+# 022 is the default value, but 027, or even 077, could be considered
+# better for privacy. There is no One True Answer here: each sysadmin
+# must make up her mind.
+UMASK		022
+
 #
 # Password aging controls:
 #