Re: UPG and the default umask

To: debian-devel@lists.debian.org
Subject: Re: UPG and the default umask
From: Klaus Ethgen <Klaus@Ethgen.de>
Date: Mon, 10 May 2010 20:07:47 +0100
Message-id: <[🔎] 20100510190747.GC19222@ikki.ethgen.de>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 4BE830C8.5050009@gmail.com>
References: <[🔎] 4BE830C8.5050009@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Am Mo den 10. Mai 2010 um 17:14 schrieb Aaron Toponce:
> $ umask 0002
> $ touch anotherfile
> $ ls -l anotherfile
> -rw-rw-r-- 1 foo foo 0 May 10 10:06 anotherfile
> 
> As it sits, having the default umask set as '0022' isn't breaking
> anything, but it's no longer needed. It's just historical baggage coming
> from the 'users' group on older UNIX systems, where any new user added
> to the system was added to the 'users' group by default. Thus, removing
> the write bit made sense. It doesn't make any sense with UPG.

I still makes sense. The user will not win with the lazier umask but he
will probably loose security.

See the case the user wants another person in his own group to share
files. Then he might set the files readable for his group only but not
for world. So the other user can read this data. But he cannot write it
as it might be intended.

Setting the umask to 002 let the other user _edit_ all files the user
did create in the past with that umask factual giving away most of his
files.

The better Idea would be to set the user mask to 027 which then add a
new value of security.

If a user want the group to have write permissions this should be set
explicit. By the way, with zsh you can make directory profiles which
set the umask depending on the directory.

> For comparison's sake, Fedora (and as a result, RHEL/CentOS/etc) have
> implemented '0002' as their default umask, as they implement UPG.

Yes. And that is one big security issue!

> I guess I'm more or less curious why we're still using this outdated
> umask value with UPG. What would it take for Debian to update our
> default umask to match the UPG scheme? Is this doable for Sqeeze? Are
> there reasons for not making the switch?

Hopefully not!

Regards
   Klaus
- -- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEVAwUBS+hZg5+OKpjRpO3lAQrqxQf/Y0tHKXEiHnQePMxs/DItSecDn/aw+gsN
qcTsKw4qU6Wk95KsV5LLsRTT7uFN9/RtOtz+KUa0YaWIyLVKGMxjRbQYFceaG490
gY5QlK1AVrqHDdFipLUK12mgb63s9VDMxFqXFHpUPa5GFbMQ6RGcrN3KbxIVNeG7
khcHhOqOiATC7E0GN4jg+eSGqmD/szSlLqKBaJJVfbPbG2T91NvZqxG+cXLwuhpW
cYQqpxVA9jYLFhEBq4Fe5JhEFOUfcV+zxT8BJ0TVVsvuzvN7M5PJV7Pb9XaBXeCz
HsHU+7+Yojt2r03KeFwacjg65xZvVqQPEFNWBnnJCcd9qMdsI3iIuw==
=qeHa
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: UPG and the default umask
  - From: Aaron Toponce <aaron.toponce@gmail.com>

References:
- UPG and the default umask
  - From: Aaron Toponce <aaron.toponce@gmail.com>

Prev by Date: Re: perl: 64-bit integers and long doubles
Next by Date: Re: Bug#576817: ITP: drupal6-l10n-ru -- Russian translation for Drupal 6
Previous by thread: Re: UPG and the default umask
Next by thread: Re: UPG and the default umask
Index(es):
- Date
- Thread