Re: UPG and the default umask
On 19/05/2010 23:22, Santiago Vila wrote:
> On Wed, 19 May 2010, Roger Leigh wrote:
>> On 19/05/10 18:25, Santiago Vila wrote:
>>> For the record: I've changed the umask setting in /etc/profile to this:
>>>
>>> if [ "`id -u`" -ge 1000 ]; then
>>
>> Should we also be catering for the reserved globally allocated UIDs in the
>> range 60000-64999 with this check (Policy §9.2.2)?
>
> Hmm, good question. Can you give me an example of a uid which has
> been allocated that way?

I'm not aware of any, TBH. It's just a case where future use might
cause potential vulnerabilities if not catered for as for UIDs <1000
since you'd be using 0002 where 0022 would be expected.

> Perhaps I should follow policy more closely, yes, but that would mean
> using the range 1000-29999 only, not 1000-59999, as 30000-59999 is
> "reserved" (whatever that means).
>
> If an admin who runs out of UIDs in his system modifies
> /etc/adduser.conf, will he remember to modify the upper bound in
> /etc/profile as well?

Maybe the above check should source /etc/adduser.conf and use the values
LAST_SYSTEM_UID and LAST_UID (or default to 0022 and then enable a
0002 umask if in the range FIRST_UID to LAST_UID, which is a bit simpler):

# In a UPG setup, relax umask to 0002.
if [ "$(id -u)" -ge "$FIRST_UID" -a "$(id -u)" -le "$LAST_UID" ]; then
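
The range check discussed in this message, written out as an added example; it is not part of the original message and is not the base-files code. The function names `conf_uid` and `pick_umask` and the fallback bounds 1000 and 59999 are assumptions, and the file is parsed rather than sourced so that nothing in it runs at login.

```shell
# Added example: choose a umask from the UID range in an adduser.conf-style file.
# Function names and fallback bounds are assumptions, not taken from the thread.

# conf_uid KEY FILE DEFAULT: print KEY's numeric value from FILE, else DEFAULT.
# The file is parsed with sed, not sourced, so its content is never executed.
conf_uid() {
    val=""
    if [ -r "$2" ]; then
        val=$(sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([0-9][0-9]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$2" | tail -n 1)
    fi
    case "$val" in
        ''|*[!0-9]*) printf '%s\n' "$3" ;;   # missing or malformed: use default
        *)           printf '%s\n' "$val" ;;
    esac
}

# pick_umask UID [FILE]: print 0002 only for UIDs inside FIRST_UID..LAST_UID.
# Everything else (system UIDs, reserved ranges, bad input) gets 0022.
pick_umask() {
    uid=$1
    conf=${2:-/etc/adduser.conf}
    case "$uid" in ''|*[!0-9]*) echo 0022; return ;; esac
    first=$(conf_uid FIRST_UID "$conf" 1000)
    last=$(conf_uid LAST_UID "$conf" 59999)
    if [ "$uid" -ge "$first" ] && [ "$uid" -le "$last" ]; then
        echo 0002
    else
        echo 0022
    fi
}

# In a profile script this would be used as: umask "$(pick_umask "$(id -u)")"
```

Because the strict value is the default and the relaxed one needs a positive match on both bounds, a UID in a range nobody anticipated falls back to 0022.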