
Re: Vulnerability in pcs or is it in more generic code?

On Mon, 2022-09-05 at 21:38 +0200, Ola Lundqvist wrote:

> I agree that it is good to fix the pcs package, but shouldn't we fix
> the default umask in general?
> I would argue that the default umask is insecure.

bookworm login sets new user home directories to secure permissions:

   $ grep -E 'HOME_MODE\s*[0-9]' /etc/login.defs 
   #HOME_MODE	0700

This somewhat mitigates, but not completely, the umask being insecure:

   $ grep -E 'UMASK\s*[0-9]' /etc/login.defs 
   UMASK		022

I can't find any bugs open about changing the default umask,
but it was mentioned in replies to the recent adduser thread:




Attachment: signature.asc
Description: This is a digitally signed message part
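The interaction between `UMASK` and `HOME_MODE` discussed in this message, as an added example that is not part of the original mail: a shell function that reads a login.defs-style file and reports the modes that result, following the fallback documented in login.defs(5) (home directories use `HOME_MODE` if set, otherwise the `UMASK`). It skips commented-out settings, which the `grep` patterns above also match. The function names and sample files are constructed for illustration, and each key is assumed to appear at most once.

```shell
#!/bin/sh
# Added example: derive effective creation modes from a login.defs-style file.

# login_defs_value KEY FILE -> value of an active (uncommented) setting, or empty.
# A line such as "#HOME_MODE 0700" has "#HOME_MODE" as its first field and is skipped.
login_defs_value() {
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# effective_modes FILE -> prints "home=<mode> file=<mode>"
effective_modes() {
    umask_val=$(login_defs_value UMASK "$1")
    home_mode=$(login_defs_value HOME_MODE "$1")
    : "${umask_val:=022}"   # login.defs(5): 022 is used when UMASK is not specified

    # New regular files: 0666 with the umask bits cleared.
    file_mode=$(printf '%03o' "$(( 0666 & ~0$umask_val ))")

    # New home directories: HOME_MODE if active, otherwise 0777 masked by UMASK.
    if [ -n "$home_mode" ]; then
        dir_mode=$(printf '%03o' "$(( 0$home_mode ))")
    else
        dir_mode=$(printf '%03o' "$(( 0777 & ~0$umask_val ))")
    fi
    printf 'home=%s file=%s\n' "$dir_mode" "$file_mode"
}

# Constructed sample: HOME_MODE present only as a comment.
sample_commented() { printf '#HOME_MODE\t0700\nUMASK\t\t022\n' > "$1"; }
# Constructed sample: HOME_MODE active.
sample_active() { printf 'HOME_MODE\t0700\nUMASK\t\t022\n' > "$1"; }

tmp=$(mktemp -d)
sample_commented "$tmp/commented"
sample_active "$tmp/active"
effective_modes "$tmp/commented"
effective_modes "$tmp/active"
rm -rf "$tmp"
```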