Circa 2001-Apr-20 15:41:05 -0500 dixit Drew Jones:
: Problem:
: Users of Redhat 7 may have their umask set insecurely while acting
: as root.
Red Hat has documented its "user-private group" scheme with 002 umask,
and its rationale, since at least 1995. Current documentation of that
for Red Hat Linux 7.1 is here:
http://www.redhat.com/support/manuals/RHL-7.1-Manual/ref-guide/s1-users-groups-private-groups.html
This advisory implies that this is something new with Red Hat Linux
7.x; on the contrary, this practice dates back to at least Red Hat
Linux 2.1 from November 1995.
: Severity:
: Medium/Low
:
: Description:
: The Redhat useradd script creates a group for the new user with the
: same name as the username by default. When the user logs in, any
: shell that uses /etc/profile will set the umask to 002 if the user's
: username and groupname match and their uid is greater than 14. If
: the user then issues su to become root without specifying the -l
: option the root account inherits the umask of 002. As root the user
: may then create files with somewhat insecure permissions. Redhat
: seemed to understand that system users should have a umask of 022,
: because /etc/profile will set the umask that way for users loging in
: with a uid less than 14, but they forgot about su.
:
: The offending lines in /etc/profile:
: ...
: if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
: umask 002
: else
: umask 022
: fi
: ...
I wouldn't call these "offending". They actually work, just not for
'su'. Perhaps "the partially effective lines in /etc/profile" or even
"The relevant lines in /etc/profile" would be a more accurate way of
saying it.
: The fix:
: Get rid of the if-statement in /etc/profile and replace it with
: 'umask 022' (no quotes).
That fix, while effective, will negate the user-private group scheme.
Any one of the following solutions will work for default configurations
of Red Hat Linux without negating the user-private group scheme:
(1) [All versions of Red Hat Linux up to and including 7.1]
In /root/.bashrc:
umask 0022
Since both bash-1.x and 2.x read and execute ~/.bashrc when a
shell is interactive, regardless of whether it's a login shell,
this will work for all cases where root's shell is /bin/bash (the
default system setting).
If root's shell is something other than /bin/bash, either change
root's shell back to the default setting of /bin/bash, or modify
the other shell's initialization files accordingly.
(2) [All versions of Red Hat Linux from Red Hat Linux 4.2 up to and
including 7.1; may apply to older versions as well]
In /etc/bashrc, duplicate the partially effective 'if' statement
from /etc/profile listed above.
By default in Red Hat Linux, ~/.bashrc files (both /root/.bashrc
and /etc/skel/.bashrc) read /etc/bashrc. This performs the same
umask setting for interactive-but-non-login shells that the one
in /etc/profile does for login shells.
If root's shell is something other than the default /bin/bash,
either change root's shell back to /bin/bash, or modify the other
shell's initialization files accordingly.
(3) [All versions of Red Hat Linux up to and including 7.1]
su
cd /bin
mv su su.bare
cat >su <<EOF
#!/bin/sh
umask 0022
exec /bin/su.bare "$@"
EOF
chmod 0755 su
(4) [All versions of Red Hat Linux up to and including 7.1]
Use sudo instead of su:
http://www.courtesan.com/courtesan/products/sudo/
sudo allows the default umask to be configured using the
'Default umask' directive in /etc/sudoers; for example:
Default umask = 0022
If unspecified, the default umask is whatever was configured when
sudo was built.
Cheers.
--
jim knoble | [EMAIL PROTECTED] | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
PGP signature
