[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RC Security Flaw - mkdir & script create as 755, 644. SB &700, yes?

--- Andrew Beresford <beezly@beezly.org.uk> wrote:
> On Mon, 2002-02-25 at 22:22, tluxt2@yahoo.com wrote:
> > I think that is a bad default.  It provides a way that non root users have
> > access to some root information - by default.  Perhapsthatinformationshould
> > not be available to non root users.
> > 
> > So, by default, non root users shouldn't be given access to such things.So,
> > by default, those bits should be off.
> umask can do this. Any sysadmin running a multiuser system who doesn't
> know how to use umask has far worse problems than leaving files open to
> read.
> 755 seems like a fairly reasonable default to me. (is that what's it's
> set to? I haven't checked!)

I think your comment is probably very true for a professional sysadmin.

But, my concern is for the future of Debian.  If Debian continues to have
increasing relevance to the potential pool of FreeSW users, it will expand from
its present base of users (who are, in general, rather knowledgeable about
sysadmin type tasks) to users who are less knowledgeable.

This expansion to less knowledgeable users is a _good thing_.  It helps enable
FreeSW to fulfill its potential as a benefit to society.

So, let's consider a possible typical case: Someone with enough knowledge to
set up a Microsoft Windows computer to be used at his home by his family.  Now,
such person is, on average, not a professional sysadmin.  His education and
skills may have nothing to do with computers.  But, ultimately, for FreeSW &
Debian to fulfill their potentials, such a person ought to be able to set up a
Debian system for his family to use.

Now, he probably won't know about umask.  My point is: probably he shouldn't
need to (for the case of getting a Debian system to be a home multiuser
system).  Perhaps there are a lot of things that a professional sysadmin would
know that the general home sysadmin might not need to know (but could certainly
learn if he had the desire).

So, I think it wise that the packagers of the Debian system should keep in mind
such a person, and have as a goal that the Debian system could, ultimately, be
productively & easily used by such a person.

Now, I don't think that, with the upcomming release, Debian will be a perfect
fit with the user I have described.  (That may take another one or more
releases to achieve).  But, I think that should be kept as a goal, and steps,
such as I've suggested, should be taken _now_ in order to begin to transition
to that mode of a system.

As for this upcomming release, Woody, I think it might be good to try to have
the security related default settings be appropriate for someone who is an
average computer technician or hobbyist computer user.  He is not a
professional sysadmin, and does not have complete sysadmin knowledge, but has
more computer knowledge than the average head of household.  

And, obviously, yes, there are far more important things, from a security
perspective, than knowing about umask.  Those, too, should be carefully
considered by the Debian packagers.  What we have here is an opportunity to
start that consideration process.

Andrew, thanks for your thoughts.  :)

Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games

Reply to: