[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: UPG and the default umask

On Thu, 20 May 2010, Roger Leigh wrote:

> On 19/05/2010 23:22, Santiago Vila wrote:
> > On Wed, 19 May 2010, Roger Leigh wrote:
> > 
> > > On 19/05/10 18:25, Santiago Vila wrote:
> > > > For the record: I've changed the umask setting in /etc/profile to this:
> > > > 
> > > > if [ "`id -u`" -ge 1000 ]; then
> > > 
> > > Should we also be catering for the reserved globally allocated UIDs in the
> > > range 60000-64999 with this check (Policy §9.2.2)?
> > 
> > Hmm, good question. Can you give me an example of an uid which has
> > been allocated that way?
> 
> I'm not aware of any, TBH.  It's just a case where future use might cause
> potential vulnerabilities if not catered for as for UIDs <1000 since you'd be
> using 0002 where 0022 would be expected.
> 
> > Perhaps I should follow policy more closely, yes, but that would mean
> > using the range 1000-29999 only, not 1000-59999, as 30000-59999 is
> > "reserved" (whatever that means).
> > 
> > If an admin which runs out of UIDs in his system modifies
> > /etc/adduser.conf, will he remember to modify the upper bound in
> > /etc/profile as well?
> 
> Maybe the above check should source /etc/adduser.conf and use the values
> LAST_SYSTEM_UID and LAST_UID (or default to 0022 and then enable and 0002
> umask if in the range FIRST_UID to LAST_UID which is a bit simpler):
> 
> UMASK=0022
> # In a UPG setup, relax umask to 0002.
> if [ "$(id -u)" -ge "$FIRST_UID" -a "$(id -u)" -le "$LAST_UID" ]; then
>   UMASK=0002
> fi
> umask "$UMASK"

That would be much nicer, yes, but adduser is priority important and
base-files is required and essential, so that would not work if
adduser is removed, unless we make the code more complex again,
which I'm trying to avoid.

When adduser goes out of UIDs, this is what happens:

Adding user `somebody' ...
adduser: No UID/GID pair is available in the range 1000-1000 (FIRST_UID - LAST_UID).
adduser: The user `somebody' was not created.

So I agree that the sane thing to do here is, at least, to use the
same default range as /etc/adduser.conf (which in turn is the range
defined by policy).

I've just modified base-files accordingly to use the UID range 1000-29999.

Thanks a lot for the input.
Reply to: