[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: UPG and the default umask

On 19/05/2010 23:22, Santiago Vila wrote:
On Wed, 19 May 2010, Roger Leigh wrote:

On 19/05/10 18:25, Santiago Vila wrote:
For the record: I've changed the umask setting in /etc/profile to this:

if [ "`id -u`" -ge 1000 ]; then

Should we also be catering for the reserved globally allocated UIDs in the
range 60000-64999 with this check (Policy §9.2.2)?

Hmm, good question. Can you give me an example of an uid which has
been allocated that way?

I'm not aware of any, TBH. It's just a case where future use might cause potential vulnerabilities if not catered for as for UIDs <1000 since you'd be using 0002 where 0022 would be expected.

Perhaps I should follow policy more closely, yes, but that would mean
using the range 1000-29999 only, not 1000-59999, as 30000-59999 is
"reserved" (whatever that means).

If an admin which runs out of UIDs in his system modifies
/etc/adduser.conf, will he remember to modify the upper bound in
/etc/profile as well?

Maybe the above check should source /etc/adduser.conf and use the values LAST_SYSTEM_UID and LAST_UID (or default to 0022 and then enable and 0002 umask if in the range FIRST_UID to LAST_UID which is a bit simpler):

# In a UPG setup, relax umask to 0002.
if [ "$(id -u)" -ge "$FIRST_UID" -a "$(id -u)" -le "$LAST_UID" ]; then
umask "$UMASK"


Reply to: