05-15-2010, 11:16 AM
Andrei Popescu

Bug#581729: Document the umask change for new installs

Package: release-notes
Severity: wishlist
Tags: squeeze
X-Debbugs-CC: debian-devel@lists.debian.org

On Sat,15.May.10, 08:41:29, Christian PERRIER wrote:

> More generally speaking, this umask change probably deserves to be
> mentioned in the Release Notes....along with a good rationale about
> why, no, this isn't Debian giving up to years of being security-wise.

Suggested text:

---
The default 'umask' for new installs is changed
===============================================

Starting with base-files version 5.4 the default umask for new installs
is 0002 instead of 0022 for regular users (system users, like the ones
used for various daemons and services are not affected).

The new umask is more useful on systems where normal users are by
default members of an own private group, which no other user belongs to.
Such a scheme is known as 'User Private Groups' (UPG) and has been the
default in Debian for several releases.

This change can however create security and/or privacy issues if the
system administrator is not aware of it and adds users to the private
group of another user. Also, in order to prevent security issues, some
software will detect this and refuse to operate when there are other
members in the user's private group and relevant files have permissions
as created with a umask of 0002.
---

Comments welcome.

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
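The suggested text warns that adding accounts to another user's private group becomes a privacy problem under a 0002 umask. As an added example (not part of the bug report), this audit reads passwd/group-format data and reports every regular user whose private group has other members; the sample accounts below are constructed.

```python
# Added example (not from the bug report): audit User Private Groups for
# extra members. A regular user's private group has the user's own name and
# is their primary group; with a 0002 umask, anyone else in that group gets
# write access to the files the user creates. Sample data is constructed.
UID_MIN = 1000  # first regular-user UID on Debian; system users are skipped

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
www-data:x:33:
alice:x:1000:bob
bob:x:1001:
carol:x:1002:
project:x:2000:alice,bob
"""

def parse_passwd(text):
    """Return {user: (uid, primary gid)} from passwd-format text."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, uid, gid, *_ = line.split(":")
        users[name] = (int(uid), int(gid))
    return users

def parse_group(text):
    """Return {gid: (group name, set of listed members)} from group-format text."""
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _pw, gid, members = line.split(":", 3)
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups

def upg_with_extra_members(passwd_text, group_text):
    """Map each regular user to the other accounts in their private group."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    findings = {}
    for user, (uid, gid) in users.items():
        if uid < UID_MIN or gid not in groups:
            continue
        gname, members = groups[gid]
        if gname != user:  # primary group is a shared group, not a UPG
            continue
        others = members - {user}
        if others:
            findings[user] = others
    return findings
```

On a real system, feed it the contents of /etc/passwd and /etc/group; the `project` group in the sample is the dedicated collaboration group Holger recommends and is correctly not flagged.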
 
05-15-2010, 11:26 AM
Christoph Anton Mitterer

Bug#581729: Document the umask change for new installs

On Sat, 2010-05-15 at 14:16 +0300, Andrei Popescu wrote:
> for regular users
Would have to double check it,... but doesn't the current change also
affect root?


Cheers,
Chris.
 
05-15-2010, 11:45 AM
Holger Levsen

Bug#581729: Document the umask change for new installs

Hi Andrei,

On Samstag, 15. Mai 2010, Andrei Popescu wrote:
> Suggested text:

Thanks for that!

I have one small addition...:

> This change can however create security and/or privacy issues if the
> system administrator is not aware of it and adds users to the private
> group of another user. Also, in order to prevent security issues, some
> software will detect this and refuse to operate when there are other
> members in the user's private group and relevant files have permissions
> as created with a umask of 0002.

This paragraph should be accompanied by something like:

Instead of adding users to other users' private groups (which has issues as
explained above) it is recommended to create dedicated groups for these users
for collaboration.



As in: not only describe how not to do it, but also how to do it.

cheers,
Holger
 
05-15-2010, 11:50 AM
Christoph Anton Mitterer

Bug#581729: Document the umask change for new installs

On Sat, 2010-05-15 at 13:45 +0200, Holger Levsen wrote:
> This paragraph should be accompanied by something like:
>
> Instead of adding users to other users' private groups (which has issues as
> explained above) it is recommended to create dedicated groups for these users
> for collaboration.
Perhaps I'm completely stupid,... but why do we have UPGs then at all?
If we suggest users not to use them!
For those rare cases like "a user's wife/husband" which is fully
trusted?


Cheers,
Chris.
 
05-15-2010, 12:01 PM
Robert Klotzner

Bug#581729: Document the umask change for new installs

On Saturday 15 May 2010 13:50:50 Christoph Anton Mitterer wrote:
> On Sat, 2010-05-15 at 13:45 +0200, Holger Levsen wrote:
> > This paragraph should be accompanied by something like:
> >
> > Instead of adding users to other users' private groups (which has issues
> > as explained above) it is recommended to create dedicated groups for these
> > users for collaboration.
>
> Perhaps I'm completely stupid,... but why do we have UPGs then at all?
> If we suggest users not to use them!
> For those rare cases like "a user's wife/husband" which is fully
> trusted?
>
>
> Cheers,
> Chris.
>
The purpose is to make a default umask of 002 possible, without security
problems. This makes it easier to set up directories for collaboration with the
setgid bit set, as the group for newly created files will have write
permissions, because of the umask being 002.

Best regards,

Robert
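Robert's point, as an added example that is not part of the thread: the same file created under umask 0022 and 0002, plus a setgid group-writable directory of the kind he describes, with the resulting permission bits read back from a temporary directory.

```python
# Added example (not from the thread): a 0002 umask yields group-writable
# files, which is only safe when the owner's primary group is a private
# group, and is what makes setgid collaboration directories convenient.
# Files are created in a temporary directory with umask 0022 and 0002 and
# their permission bits compared; a setgid shared directory is set up too.
import os
import stat
import tempfile

def create_with_umask(directory, name, umask):
    """Create an empty file with the given umask and return its permission bits."""
    old = os.umask(umask)
    try:
        path = os.path.join(directory, name)
        with open(path, "w"):
            pass
    finally:
        os.umask(old)  # always restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)

def make_collab_dir(parent, name):
    """Create a group-writable setgid directory (mode 2770) for a shared group.

    New files inside inherit the directory's group, and with umask 0002
    they are group-writable, so every group member can edit them while
    'others' are kept out entirely.
    """
    path = os.path.join(parent, name)
    os.mkdir(path)
    os.chmod(path, 0o2770)
    return path

def is_group_writable(mode):
    return bool(mode & stat.S_IWGRP)

def demo():
    """Return the observed modes and whether the shared directory is setgid."""
    with tempfile.TemporaryDirectory() as tmp:
        m022 = create_with_umask(tmp, "a", 0o022)   # 0o644, -rw-r--r--
        m002 = create_with_umask(tmp, "b", 0o002)   # 0o664, -rw-rw-r--
        shared = make_collab_dir(tmp, "shared")
        doc = create_with_umask(shared, "doc", 0o002)
        shared_mode = os.stat(shared).st_mode
        return {
            "umask_022": m022,
            "umask_002": m002,
            "shared_is_setgid": bool(shared_mode & stat.S_ISGID),
            "doc_group_writable": is_group_writable(doc),
        }
```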
 
05-15-2010, 12:45 PM
Julien Valroff

Bug#581729: Document the umask change for new installs

On Saturday 15 May 2010 at 13:26:29 (+0200), Christoph Anton Mitterer wrote:
> Date: Sat, 15 May 2010 13:26:29 +0200
> From: Christoph Anton Mitterer <calestyo@scientia.net>
> To: 581729@bugs.debian.org
> Cc: debian-devel@lists.debian.org
> Subject: Re: Bug#581729: [SQUEEZE] Document the umask change for new
> installs
>
> On Sat, 2010-05-15 at 14:16 +0300, Andrei Popescu wrote:
> > for regular users
> Would have to double check it,... but doesn't the current change also
> affect root?

It does:

root@gaia:~# umask
0002
root@gaia:~# cd
root@gaia:~# touch test
root@gaia:~# ls -l test
-rw-rw-r-- 1 root root 0 15 mai 14:43 test

Cheers,
Julien


--
Julien Valroff <julien@kirya.net>
http://www.kirya.net
GPG key: 4096R/290D20C5
092F 4CB5 5F19 E006 1CFD B489 D32B 8D66 290D 20C5
 
05-15-2010, 12:59 PM
Andrei Popescu

Bug#581729: Document the umask change for new installs

On Sat,15.May.10, 13:26:29, Christoph Anton Mitterer wrote:
> On Sat, 2010-05-15 at 14:16 +0300, Andrei Popescu wrote:
> > for regular users
> Would have to double check it,... but doesn't the current change also
> affect root?

By default:

# grep umask .bashrc
umask 022
#

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
05-15-2010, 01:12 PM
Julien Valroff

Bug#581729: Document the umask change for new installs

On Saturday 15 May 2010 at 15:59:40 (+0300), Andrei Popescu wrote:
> Date: Sat, 15 May 2010 15:59:40 +0300
> From: Andrei Popescu <andreimpopescu@gmail.com>
> To: debian-devel@lists.debian.org
> Cc: 581729@bugs.debian.org
> Subject: Re: Bug#581729: [SQUEEZE] Document the umask change for new
> installs
>
> On Sat,15.May.10, 13:26:29, Christoph Anton Mitterer wrote:
> > On Sat, 2010-05-15 at 14:16 +0300, Andrei Popescu wrote:
> > > for regular users
> > Would have to double check it,... but doesn't the current change also
> > affect root?
>
> By default:
>
> # grep umask .bashrc
> umask 022
> #

This entry is commented by default in /usr/share/base-files/dot.bashrc

This file is simply copied to /root/.bashrc in base-file postinst script.

Cheers,
Julien

--
Julien Valroff <julien@kirya.net>
http://www.kirya.net
GPG key: 4096R/290D20C5
092F 4CB5 5F19 E006 1CFD B489 D32B 8D66 290D 20C5
 
05-15-2010, 01:32 PM
Aaron Toponce

Bug#581729: Document the umask change for new installs

On 05/15/2010 05:26 AM, Christoph Anton Mitterer wrote:
> On Sat, 2010-05-15 at 14:16 +0300, Andrei Popescu wrote:
>> for regular users
> Would have to double check it,... but doesn't the current change also
> affect root?

This does, but root is also in his own UPG. If you add any user to the
root group (same thing as using wheel on other systems), you're
effectively giving that user full root access to the system anyway. So,
this change will not have any unsavory side effects for the root user or
group.

 
05-15-2010, 01:34 PM
Christoph Anton Mitterer

Bug#581729: Document the umask change for new installs

On Sat, 2010-05-15 at 15:59 +0300, Andrei Popescu wrote:
> By default:
>
> # grep umask .bashrc
> umask 022
> #
Not in the most recent version of base-files, which does not update most
of its files.

Cheers,
Chris.
 