
maintainer rejected completing the UPG checks (was: test if primary group, with only implicit membership of the user?)



My perception was that the consensus reached was that we wanted umask
relaxation to be safe.

Bug#583970: pam_umask "usergroups": test if primary group, with
only implicit membership of the user 

Closed on Sun, 6 Jun 2010 15:32:43 -0700:

> I don't think this is a check that it makes sense to add to
> pam_umask.  This isn't part of the *definition* of user-private
> groups, it's just a feature of the most common *implementation* of
> UPG. 

IMHO the same holds true for the username and
user-ID checks in place; they are not strictly required for a UPG
implementation. Whether the group can be considered to be a private group
(and be granted write permissions) is ultimately only determinable by
the user looking at and knowing/trusting the members of his primary
group. What distros do is, they add certain properties to UPGs to be
able to recognize the UPGs that are set up by their tools.

Completing the set of checks to match the set of properties of the
distro's UPG implementation increases the security of the common
implementation of UPGs. It eliminates the cases of insecure umask
relaxation!

Because the set of checks is incomplete (does not cover the specific
properties added) I'd even consider it a security relevant bug, not
only a wishlist item.

Even if the check would not be enabled by default upstream, Debian could
(and according to the articulated security concerns, Debian probably should)
enable it, because Debian's UPG implementation supports those UPG
properties. (Well, at least the one that is checked with the above
test. The UID==GID alignment will be fixed.)

Cheers,
Christian
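
The three UPG properties named in this message (group name equals user name, UID equals GID, membership only implicit) combined into one gate for umask relaxation, as an added example that is not part of the original message and is not pam_umask's code. The names `upg_check`, `upg_relaxed_umask` and `upg_check_sample` are hypothetical, and the accounts are constructed sample data.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum upg_result { UPG_OK, UPG_NAME_MISMATCH, UPG_ID_MISMATCH, UPG_HAS_MEMBERS };

/* Hypothetical helper, not a pam_umask function: gr is the primary group of pw.
 * Assumption: the owner listed explicitly in gr_mem is tolerated, anyone else is not. */
enum upg_result upg_check(const struct passwd *pw, const struct group *gr)
{
    if (strcmp(pw->pw_name, gr->gr_name) != 0)
        return UPG_NAME_MISMATCH;            /* group name == user name */
    if ((gid_t)pw->pw_uid != pw->pw_gid || pw->pw_gid != gr->gr_gid)
        return UPG_ID_MISMATCH;              /* UID == GID */
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, pw->pw_name) != 0)
            return UPG_HAS_MEMBERS;          /* explicit member other than owner */
    return UPG_OK;
}

/* Relax only when every check passed: group bits take the owner bits (022 -> 002). */
mode_t upg_relaxed_umask(mode_t mask, enum upg_result r)
{
    if (r != UPG_OK)
        return mask;
    return (mask & ~(mode_t)070) | ((mask >> 3) & 070);
}

/* Constructed sample data; all names and IDs are made up. */
char *SAMPLE_NONE[] = { NULL };
char *SAMPLE_SHARED[] = { "bob", NULL };

enum upg_result upg_check_sample(const char *user, uid_t uid, gid_t gid,
                                 const char *grname, char **members)
{
    struct passwd pw = { .pw_name = (char *)user, .pw_uid = uid, .pw_gid = gid };
    struct group gr = { .gr_name = (char *)grname, .gr_gid = gid, .gr_mem = members };
    return upg_check(&pw, &gr);
}

int main(void)
{
    enum upg_result ok = upg_check_sample("alice", 1000, 1000, "alice", SAMPLE_NONE);
    enum upg_result bad = upg_check_sample("alice", 1000, 1000, "alice", SAMPLE_SHARED);
    printf("private: %03o, shared: %03o\n",
           (unsigned)upg_relaxed_umask(022, ok), (unsigned)upg_relaxed_umask(022, bad));
    return 0;
}
```

This sketch inspects only the group's explicit member list; it does not scan the passwd database for other accounts that use the same GID as their primary group.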

