[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: umask for init



On Mon, Jul 23, 2001 at 04:53:55PM -0400, Dan Christensen wrote:
> I read that certain kernel versions don't set the umask for init
> correctly (2.4.6 is one of them, I think).  Does anyone know if
> a Debian system is susceptible to this problem, and if so, which
> files may have been created world-writable?

kernels 2.4.3 - 2.4.6 set the umask to 000 so any thread/process
created by the kernel, including init started with umask 000 and
remained that way unless init changed it itself.

debian's init does NOT change the umask, and even though there is a
umask 022 in /etc/init.d/rcS that is not enough.

the result is most .pid files in /var/run/* will be created world
writable with 0666 permissions as well as any other file created in
the boot process, including:

(if it did not exist at boot time) /lib/modules/`uname -r`/modules.dep
this is a gaping root hole.

/etc/modules.conf (if you have alsa-* packages installed which run
update-modules in the initscript).  this is another gaping root hole.

there are likely more, it depends on what packages you have installed
with initscripts, since most of them don't alter thier umask either in
the initscript or via the program itself any file created by it will
be world writable, depending on what the file is it can be a severe
security hole.

solution: switch back to 2.2 kernels or upgrade to 2.4.7 which finally
fixes this and sets the default umask back to 022.

after fixing your kernel it is highly advisable to check your system
for world writable files and make sure any that are found are supposed
to be that way:

find / -perm +0002 ! -type l ! -type c -ls

the ! -type l ! -type c ignores symlinks (which are always mode 0777)
and character device files (all unused ptys are supposed to be 0666 so
including this in your find will clutter the output to the point of
unusability) 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpzludjgGvZK.pgp
Description: PGP signature


Reply to: