On Sat, May 15, 2010 at 12:53:30PM +0200, Christoph Anton Mitterer wrote:
> On Fri, 2010-05-14 at 22:22 -0700, Russ Allbery wrote:
> > These are really odd complaints to bring against Debian given that these
> > are not Debian issues. Firefox, for example, works exactly the same way
> > everywhere. What do you want Debian to do, write our own web browser?
> > There are limits to what a distribution can do.
> Again, these are just examples where things could be secured....
> I do of course not want Debian to write its own browser, but we already
> patch some of them "quite heavily", don't we?
> E.g. firefox to support all the plugin-packages stuff?

So your argument is that it must be insecure because other things are insecure?

> > For example, here, you don't appear to understand that we're talking about
> > the user umask, which should not be affecting system services,
> "should not"... well... I guess this isn't a proof, is it?

You claimed that it would, so it is up to you to prove you're right, not the
others to prove you're wrong.

> We've had so many examples of things that happened although they should
> not.
> udisks should have probably not exported the dm-crypt keys to normal
> users, but it did.
> Many scripts (don't remember a concrete example now) should have
> probably set a secure PATH, but they forgot to do so, and were
> attackable.
> sudo should have probably been secure, but it wasn't.... and if we would
> have added normal users to sudoers (like Ubuntu does as far as I know),
> "everything" would have been vulnerable.
> The openssl issue should have probably just solved some valgrind errors
> (wasn't that the idea of those patches?) but it led probably to the
> great disaster in cryptography in the last years...

Again, a random list of problems that have no correlation whatsoever with UPG
and umask.

> > If regular users can add other people to groups on your system, you have
> > way more serious security problems than user-private groups, and those
> > security problems are not created by Debian.
> Of course I talk about having this done by root.
> It seems you do not have experience with systems with several thousands
> of users, do you?
> If I'm e.g. a root user at my university, or an empowered registration
> authority for CERN,... I really cannot check whether what my users ask
> is sane.
> If user B says, please add user A to my group... I'll do it as long as
> no system user/group is involved.

So your argument against something that is secure by default is that you could
make it insecure by doing a really brain-damaged thing?
Of course having a umask of 022 doesn't really prevent you from doing stupid
things, so I don't see how it would improve security in this specific instance.

> Not to talk about the fact what happens, if at one day one wants to move
> away from UPGs...

Right, let's not talk about that, because it is completely irrelevant for the
current discussion.

> > And here, you appear to have completely misunderstood the purpose of
> > user-private groups in exactly the way that I tried to explain earlier.
> > If there is anyone in a user-private group other than the user
> > corresponding to it, you have broken user-private groups and created a
> > security hole on your system.
> Yes I know... (the concept of them is really not so difficult to
> understand, is it?)
>
> > But that's your misconfiguration, not
> > something Debian did.
> Honestly,... real world is different... see my example above in big
> organisations, consider the fact that users have typically no idea what
> they're doing...

That's why they don't have the rights to change their group. If root has so
little idea of what he's doing that he adds other users to a UPG, then quite
honestly he should consider the possibility that he has chosen the wrong line
of work.

> And even if you don't consider...
> What we had now, was already kind of semi-UPGs, wasn't it?
> - Everybody had his private group, which others could be added to.

No. You never add others to a UPG. So the following points are moot.

> - But if others were added, they did not automatically have rwx-rights
> on basically everything.
>
> With a default of 022:
> The owner of the file has to manually decide to make a file writeable by
> the members of his UPG, right?
> Isn't that much more secure than the other way round?
>
> With a default of 077:
> It'd be even better, as the owner does not only have to deliberately
> decide for write, but also for read rights.
>
> > and every distribution picks something and leaves that to site policy,
> > rightfully. 022 is the "standard" default choice, and I think it's more
> > appropriate for a free software distribution, although I know that by
> > itself is a moderately controversial statement.
> IMHO, we generally should not do something, because any other distro is
> doing it.

No, but we can learn from others' experiences. Do you know of any specific
security problems in distributions that have UPG + umask 002?

> We should simply do the right.
> So let me make clear, that I don't decline 002 because of "other
> distributions have 022",... I decline it because I consider it to be
> inherently insecure.

I don't. I currently see no problem with umask 002 in combination with UPG.

Your arguments boil down to two things:
- it must be insecure because completely unrelated other things are
- it can be made insecure by root doing a really stupid thing.

harry
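The two positions in the thread (umask 002 with an intact UPG gives the same effective write access as 022; the difference only appears once root adds a second member to a user-private group) can be checked with a small model of the classic Unix owner/group/other check. This is an added example, not code from the list or from Debian; the accounts `alice` and `bob` and their groups are constructed.

```python
"""Model the umask/UPG argument: who can write a freshly created file."""

# Constructed sample accounts: every user owns a user-private group (UPG)
# of the same name. Hypothetical names, not taken from the thread.
USERS = ["alice", "bob"]
INTACT_UPG = {"alice": {"alice"}, "bob": {"bob"}}
# The case Christoph describes: root adds user bob to alice's UPG.
BROKEN_UPG = {"alice": {"alice", "bob"}, "bob": {"bob"}}


def new_file_mode(umask: int, create_mode: int = 0o666) -> int:
    """Permission bits a new regular file gets: create mode with umask bits cleared.

    0o666 is the usual mode open(2)/creat(2) is called with for data files;
    directories would start from 0o777 instead.
    """
    return create_mode & ~umask & 0o777


def can_write(mode: int, owner: str, group: str, members: dict, user: str) -> bool:
    """Discretionary access check: owner bits if the user owns the file,
    otherwise group bits if the user is in the file's group, otherwise
    other bits. Root's override is deliberately not modelled."""
    if user == owner:
        return bool(mode & 0o200)
    if user in members.get(group, set()):
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def writers(umask: int, owner: str, group: str, members: dict, users=USERS) -> list:
    """Users who can write a file that `owner` just created with group `group`.

    Under UPG the new file's group is the owner's private group, so with an
    intact UPG the group-write bit granted by umask 002 reaches nobody else.
    """
    mode = new_file_mode(umask)
    return sorted(u for u in users if can_write(mode, owner, group, members, u))


if __name__ == "__main__":
    for label, groups in (("intact UPG", INTACT_UPG), ("bob added to alice's UPG", BROKEN_UPG)):
        for umask in (0o002, 0o022, 0o077):
            print(f"{label:26} umask {umask:03o} -> mode {new_file_mode(umask):03o}, "
                  f"writers {writers(umask, 'alice', 'alice', groups)}")
```

With the UPG intact, 002 and 022 both leave `alice` as the only writer; only the broken-UPG row under 002 adds `bob`, which is the misconfiguration harry says root must not create.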