On Sun, 2010-05-30 at 09:44 -0700, Mike Bird wrote: > What, I wonder, would be the consequences of setgid directories > overring umask, rather than a system wide umask change? > > We could leave umask set to 0022 but when creating files and > directories in setgid directories the 0020 bit of the umask > would itself be masked out. > > This would seem to localize the change to where it is needed, > thus reducing the possibility for accidental security holes. > > Setgid already does much wierdness. Adding this small extra > wierdness would not be inelegant. It would be a gross deviation from the well-understood behaviour of Unix systems. > This would seem to be a trival kernel patch, whether implemented > alone or together with a /sys control to enable/disable it. You would have to convince Linux upstream developers of that, as the Debian kernel team does not make such changes without upstream acceptance. I suggest you don't waste your time trying to do that. > Can anyone see any downside? Aside from a surprising change that will lead to security holes, no, none at all. Ben. -- Ben Hutchings Once a job is fouled up, anything done to improve it makes it worse.
Description: This is a digitally signed message part