
Re: UPG and the default umask



On 19/05/2010 23:22, Santiago Vila wrote:
> On Wed, 19 May 2010, Roger Leigh wrote:
>
>> On 19/05/10 18:25, Santiago Vila wrote:
>>> For the record: I've changed the umask setting in /etc/profile to this:
>>>
>>> if [ "`id -u`" -ge 1000 ]; then
>>
>> Should we also be catering for the reserved globally allocated UIDs in the
>> range 60000-64999 with this check (Policy §9.2.2)?
>
> Hmm, good question. Can you give me an example of an uid which has
> been allocated that way?

I'm not aware of any, TBH. It's just a case where future use might cause potential vulnerabilities if not catered for as for UIDs <1000 since you'd be using 0002 where 0022 would be expected.

> Perhaps I should follow policy more closely, yes, but that would mean
> using the range 1000-29999 only, not 1000-59999, as 30000-59999 is
> "reserved" (whatever that means).
>
> If an admin which runs out of UIDs in his system modifies
> /etc/adduser.conf, will he remember to modify the upper bound in
> /etc/profile as well?

Maybe the above check should source /etc/adduser.conf and use the values LAST_SYSTEM_UID and LAST_UID (or default to 0022 and then enable a 0002 umask if in the range FIRST_UID to LAST_UID, which is a bit simpler):

UMASK=0022
# In a UPG setup, relax umask to 0002.
if [ "$(id -u)" -ge "$FIRST_UID" -a "$(id -u)" -le "$LAST_UID" ]; then
  UMASK=0002
fi
umask "$UMASK"


Regards,
Roger
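
A fuller version of the range check proposed above, as an added example that is not part of the original message: it parses FIRST_UID and LAST_UID out of /etc/adduser.conf instead of sourcing the file, and falls back to 0022 whenever the UID is outside the range or not a plain number. The function names and the fallback bounds 1000 and 29999 (the range mentioned in the thread) are assumptions.

```shell
# Added example: pick the umask from the UID range configured for adduser.
# Assumption: the config file holds plain KEY=value lines, as /etc/adduser.conf does.

# read_uid_bound KEY FILE DEFAULT -> prints the numeric value of KEY, or DEFAULT.
read_uid_bound() {
    key=$1 file=$2 default=$3
    value=
    if [ -r "$file" ]; then
        # Parse rather than source, so nothing in the file is executed and
        # only an all-digit value is accepted; the last assignment wins.
        value=$(sed -n "s/^[[:space:]]*$key=\"\{0,1\}\([0-9][0-9]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$file" | tail -n 1)
    fi
    printf '%s\n' "${value:-$default}"
}

# pick_umask UID [FILE] -> prints 0002 for UIDs in FIRST_UID..LAST_UID, else 0022.
pick_umask() {
    uid=$1 conf=${2:-/etc/adduser.conf}
    # Anything that is not a plain number gets the restrictive default.
    case $uid in
        ''|*[!0-9]*) echo 0022; return ;;
    esac
    # Fallback bounds are assumptions taken from the range named in the thread.
    first=$(read_uid_bound FIRST_UID "$conf" 1000)
    last=$(read_uid_bound LAST_UID "$conf" 29999)
    # System accounts below FIRST_UID and reserved UIDs above LAST_UID keep 0022.
    if [ "$uid" -ge "$first" ] && [ "$uid" -le "$last" ]; then
        echo 0002
    else
        echo 0022
    fi
}

# How /etc/profile would use it:
umask "$(pick_umask "$(id -u)")"
```

Because the bounds are read from the same file adduser uses, an admin who raises LAST_UID there does not have to remember a second edit in /etc/profile.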

