FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

 
 
LinkBack Thread Tools
 
Old 05-13-2010, 09:48 AM
Santiago Vila
 
Default UPG and the default umask

On Thu, 13 May 2010, Charles Plessy wrote:

> found 248140 5.3
> thanks
>
> Dear Santiago,
>
> You probably have seen the discussion about user private groups on
> debian-devel this week:
> http://lists.debian.org/msgid-search/4BE830C8.5050009@gmail.com The
> core argument is that since user private groups are not meant to be
> shared, and that therefore an umask of 002 is not creating security
> risk. On the other hand, an umask of 022 is preventing from
> harvesting the benefits of user private groups. See in particular
> the summarry from Russ Allbery:
> http://lists.debian.org/87fx1ykjrt.fsf@windlord.stanford.edu
>
> I read this bug report (http://bugs.debian.org/248140) and indeed,
> if users have been used that Debian has an umask of 022, perhaps the
> change could be surprising. However, it would not affect existing
> systems. I can propose a patch to the release notes if pepole think
> it would be useful.

Yes, I think this change is important enough to be documented in
release notes. You might want to mention the possible gotchas, like,
for example, performing "scp -p" from a system with umask 002 to a
system without UPG when there are already files with mode 664 floating
around.

> If no stronger objections against a change from 022 to 002 is
> raised, would you agree changing base-files so that /etc/profile
> uses 002 on new systems?

No objection.

In fact, the status of /etc/profile as a "configuration file which is
not a conffile but instead it's created only on new installs" allows us
to change the default to whatever thing we consider more sensible
without worrying too much about the principle of least surprise, as the
change is only in effect on new installs.

Will be done in base-files 5.4.

Thanks.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: alpine.DEB.1.10.1005131127490.23711@kolmogorov.une x.es">http://lists.debian.org/alpine.DEB.1.10.1005131127490.23711@kolmogorov.une x.es
 
Old 05-13-2010, 10:46 AM
Philipp Kern
 
Default UPG and the default umask

On 2010-05-13, Lucas Nussbaum <lucas@lucas-nussbaum.net> wrote:
> On 13/05/10 at 09:34 +0000, Philipp Kern wrote:
>> On 2010-05-13, Charles Plessy <plessy@debian.org> wrote:
>> > If no stronger objections against a change from 022 to 002 is raised, would you
>> > agree changing base-files so that /etc/profile uses 002 on new systems?
>> Doesn't that lead to "great fun" if you activate NIS or similar means
>> to sync unix users and groups on such systems, if they aren't set up to
>> use UPG too?
> How would that result in a problem?

User files writeable by others by default because, as I said if they aren't
set up to use UPG, they might share a "users" group?

(Not so much a problem if you default home directories to 0700 though.)

Kind regards,
Philipp Kern



--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: slrnhunm4q.2pp.trash@kelgar.0x539.de">http://lists.debian.org/slrnhunm4q.2pp.trash@kelgar.0x539.de
 
Old 05-13-2010, 01:14 PM
Aaron Toponce
 
Default UPG and the default umask

On 5/13/2010 3:34 AM, Philipp Kern wrote:
> On 2010-05-13, Charles Plessy <plessy@debian.org> wrote:
>> If no stronger objections against a change from 022 to 002 is raised, would you
>> agree changing base-files so that /etc/profile uses 002 on new systems?
>
> Doesn't that lead to "great fun" if you activate NIS or similar means
> to sync unix users and groups on such systems, if they aren't set up to
> use UPG too? So that would need a big fat warning in the release notes
> and somehow I fear bad PR. :P

Can you provide a documented use case for NIS or NIS+? Speculation is
one thing, implementing it is another.

I'm utilizing OpenLDAP with autofs to mount user home directories on
RHEL 5 systems when users login. Everything plays nice, just as you
would expect, permission-wise. They have their own UPG, and the default
umask is still 0002. Because most of these are developers developing in
/u01, it's trivial to setup the collaboration as previously mentioned.

I don't have experience with NIS or NIS+, however, so I would be
interested in learning any problems with either of these setups.

--
. O . O . O . . O O . . . O .
. . O . O O O . O . O O . . O
O O O . O . . O O O O . O O O
 
Old 05-13-2010, 01:47 PM
Russ Allbery
 
Default UPG and the default umask

Philipp Kern <trash@philkern.de> writes:
> On 2010-05-13, Lucas Nussbaum <lucas@lucas-nussbaum.net> wrote:
>> On 13/05/10 at 09:34 +0000, Philipp Kern wrote:

>>> Doesn't that lead to "great fun" if you activate NIS or similar means
>>> to sync unix users and groups on such systems, if they aren't set up
>>> to use UPG too?

>> How would that result in a problem?

> User files writeable by others by default because, as I said if they
> aren't set up to use UPG, they might share a "users" group?

I'm sure that I've gotten prompted by debconf somewhere, by something,
about whether I want to use UPG, although I can't remember what package
that is. But if we're already asking the question, we should be able to
make the umask value conditional on that same question. Then it's just a
matter of ensuring that the question is clear enough about when you would
not want to enable this.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 877hn7syky.fsf@windlord.stanford.edu">http://lists.debian.org/877hn7syky.fsf@windlord.stanford.edu
 
Old 05-13-2010, 01:50 PM
Russ Allbery
 
Default UPG and the default umask

Aaron Toponce <aaron.toponce@gmail.com> writes:
> On 5/13/2010 3:34 AM, Philipp Kern wrote:

>> Doesn't that lead to "great fun" if you activate NIS or similar means
>> to sync unix users and groups on such systems, if they aren't set up to
>> use UPG too? So that would need a big fat warning in the release notes
>> and somehow I fear bad PR. :P

> Can you provide a documented use case for NIS or NIS+? Speculation is
> one thing, implementing it is another.

Well, whenever you want to share the same set of users across a bunch of
systems, you use something like NIS. You're actually doing so yourself:

> I'm utilizing OpenLDAP with autofs to mount user home directories on
> RHEL 5 systems when users login.

This is equivalent. The key part is this:

> Everything plays nice, just as you would expect, permission-wise. They
> have their own UPG, and the default umask is still 0002.

You're creating UPGs in your LDAP environment. As long as you do that,
that's fine. Philipp's point, I believe, is that, first, institutional
LDAP environments probably aren't going to have UPG set up (Stanford's
doesn't, for example; we have a users group shared by all users), and
second, there's no way for the Debian package to tell whether the LDAP or
NIS environment is going to have UPG.

The root of the problem is that the decision to use UPG is done in one
place and the umask is set in a different place, and there's one
combination out of the four possible ones that's insecure by default.

I don't think this is insurmountable, but it definitely needs to be
documented.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 8739xvsyfj.fsf@windlord.stanford.edu">http://lists.debian.org/8739xvsyfj.fsf@windlord.stanford.edu
 
Old 05-13-2010, 05:45 PM
Aaron Toponce
 
Default UPG and the default umask

On 5/13/2010 3:48 AM, Santiago Vila wrote:
> Will be done in base-files 5.4.

I just saw the change committed. Thank you very much! This is good news.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581434#25

--
. O . O . O . . O O . . . O .
. . O . O O O . O . O O . . O
O O O . O . . O O O O . O O O
 
Old 05-13-2010, 10:57 PM
Klaus Ethgen
 
Default UPG and the default umask

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Am Do den 13. Mai 2010 um 18:45 schrieb Aaron Toponce:
> On 5/13/2010 3:48 AM, Santiago Vila wrote:
> > Will be done in base-files 5.4.
>
> I just saw the change committed. Thank you very much! This is good news.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581434#25

A black day in the security of Debian. Well.. One more.

- -- Klaus
- --
Klaus Ethgen http://www.ethgen.de/
pub 2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBS+yD75+OKpjRpO3lAQrSbQf+Or9BgLCU6MIQoQgGMp m3P23STT4PnPcR
EodAccFEGFB+QntVIDczz6Tt2VFIlErkLoJ1YRrAYbEB8fdbvx 12ptZA8jY0RzB1
e52qfwMmUOoGrzut0p9teocE8zQ7rHev2KPvhqFmnYFJtm7CCH 47uY5w+w5XfNs0
BxwnjH7vBlxle1SOHRteWf8E7L81+CID+MhGUCozWHEWrMNhQy QU6cCMrP58MiUM
fHscSpN+5rQsr+6t6B6cLvgiZCApqGeuHKxpndA2gCUY6Oid+W W2i7UoMUfheJ3M
WMbS+rc0fi2xwosC29cO2vem7vv7tR5Ha9WH4ji4zNS1/6rxis10ew==
=WSAu
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20100513225752.GD14534@ikki.ethgen.de">http://lists.debian.org/20100513225752.GD14534@ikki.ethgen.de
 
Old 05-14-2010, 05:59 AM
Petter Reinholdtsen
 
Default UPG and the default umask

[Santiago Vila]
> Will be done in base-files 5.4.

Great. This has been the default in Debian Edu for several years, and
changing the default to work properly with UPG will remove the need
for Debian Edu to edit the default umask. Btw, why is the umask set
at all in base-files? It would be better to use PAM to set it.

Happy hacking,
--
Petter Reinholdtsen


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 2flsk5vauqy.fsf@login2.uio.no">http://lists.debian.org/2flsk5vauqy.fsf@login2.uio.no
 
Old 05-14-2010, 07:46 AM
Vincent Danjean
 
Default UPG and the default umask

On 13/05/2010 19:45, Aaron Toponce wrote:
> On 5/13/2010 3:48 AM, Santiago Vila wrote:
>> Will be done in base-files 5.4.
>
> I just saw the change committed. Thank you very much! This is good news.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581434#25

I'm happy with this move. However, there is still an interaction with ssh
to deal with:
vdanjean@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
vdanjean@eyak:~$ ssh localhost
vdanjean@localhost's password:
And, in /var/log/auth.log:
May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys

vdanjean@eyak:~$ chmod -Rv g-w .ssh/authorized_keys
le mode de « .ssh/authorized_keys » a été modifié en 0644 (rw-r--r--).
vdanjean@eyak:~$ ssh localhost
You have mail.
Last login: Tue May 11 17:10:30 2010
vdanjean@eyak:~$

My system is in UPG but I was using default umask 022

Regards
Vincent

--
Vincent Danjean GPG key ID 0x9D025E87 vdanjean@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A 8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo: deb http://perso.debian.org/~vdanjean/debian unstable main


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4BECFFD3.10300@free.fr">http://lists.debian.org/4BECFFD3.10300@free.fr
 
Old 05-14-2010, 05:21 PM
Joey Hess
 
Default UPG and the default umask

Vincent Danjean wrote:
> I'm happy with this move. However, there is still an interaction with ssh
> to deal with:

> vdanjean@eyak:~$ chmod -Rv g+w .ssh/authorized_keys
> vdanjean@eyak:~$ ssh localhost
> vdanjean@localhost's password:
> And, in /var/log/auth.log:
> May 14 09:42:17 eyak sshd[1618]: Authentication refused: bad ownership or modes for file /home/vdanjean/.ssh/authorized_keys

maildrop has the same problem with .mailfilter files.

--
see shy jo
 

Thread Tools




All times are GMT. The time now is 11:15 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org