[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The story behind UPG and umask.

On Wed, May 26, 2010 at 08:40:26AM +0100, Stephen Gran wrote:
> This one time, at band camp, Steve Langasek said:
> > On Tue, May 25, 2010 at 11:30:49PM +0100, Stephen Gran wrote:
> > > This one time, at band camp, Michael Banck said:
> > 
> > > > Seems worthwhile to change adduser how you suggest to me, is there
> > > > a bug filed to this end?
> > 
> > > adduser has had bugs filed in the past asking for uid to be equal to
> > > gid by default, and I have so far rejected them as not worth the
> > > complexity for the aesthetic pleasure of having numbers match.  Is
> > > there some problem with username == primary group name?
> > 
> > pam_umask requires both username == primary group name and uid == gid
> > before it will assume UPG are in place when using its 'usergroups'
> > option, and I am not willing to diverge from upstream on this as this
> > would mean admins coming from other systems may get an unpleasant
> > surprise when they find that Debian gives a more relaxed umask than
> > they were expecting in some corner cases.
> > 
> > So either someone should convince Linux-PAM upstream to change the
> > behavior of pam_umask, or adduser should enforce the same rules as
> > other implementations, if pam_umask is to be involved here.  Beyond
> > that, I have no particular opinion on this question.
> That's the first useful argument I've heard for changing adduser's
> behavior.  Interoperability with other software is a useful goal, and
> when I was arguing it wasn't worth the complexity, either pam_umask
> didn't exist or I was unaware of it.

I don't agree with the upstream or Steve here.  The UID==GID mapping
breaks with just one call to addgroup which gets them out of sync.
UIDs and GIDs are just a convenient mapping from the actual names
to numbers; so long as they are constant and unique, the actual
numerical values are unimportant.  For UPG, comparing the names
of the user and group makes sense; comparing the UID/GID does not.

While interoperability is important, this UID==GID concept is not
something we have ever guaranteed and makes little sense from a
security POV--the name is the only part that matters.  It's akin
to arguing that the index offset into a table is more important
than the content at that index.  We also need to consider
interoperability with ourselves, and the current pam_umask is
broken on Debian systems where the numbers are not in sync.

I'd be interested to understand the upstream POV here--with current
Debian systems, assuming UID==GID without additionally checking
that the names match is horribly insecure.

  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.

Attachment: signature.asc
Description: Digital signature

Reply to: