On 2024-07-14 19:38:26, Hans <hans.ullr...@loop.de> spake thus:
> Hi Greg,
>
> Yes, did already change it. However, this looks like a security hole to me,
> as I believe, not many people or admins are changing this.

I suspect that most people /do/ change it, once they become aware of
it, for the very reason stated in the comment above 'UMASK' in the
/etc/login.defs file:
<quote>
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
...
UMASK 022
</quote>

> IMO Debian should change this in the next release, but I doubt it.

I do not feel strongly about it, but I am sympathetic with the point
of view that having a default umask of, say, 077 would be a better
default for many unwary Day 1 *nix users. I think it is reasonable
for somebody to expect that something is not accessible by
group or others unless the user explicitly made it so.
I have no idea how such a change might affect backward
compatibility. I'm guessing not much, since the umask value is one
of those things that tends to get set explicitly when it matters
(beyond the user's need to read or write their own files).
The user's umask value would matter less if the default perms of
user $HOME directories were 077, since then even files created with
unintentionally looser perms could not be viewed by group or
others[0]. As it is, it looks[1] like default perms for $HOME are
0755.

> I will ask the security team for it, they will decide.
>
> Have fun!
> Hans

-Al
[0] Assuming most files created by a user are created beneath that
user's $HOME.
[1] Just did an empirical test by spinning up a Debian 12.x
("Bookworm") AWS AMI, $HOME directories have perms 0755:
    $ ls -la /home
    total 12
    drwxr-xr-x  3 root  root  4096 Jul 14 22:32 .
    drwxr-xr-x 18 root  root  4096 Jul 14 22:32 ..
    drwxr-xr-x  3 admin admin 4096 Jul 14 22:32 admin
--
a l a n d. s a l e w s k i
ads@salewski.email
salew...@att.net
https://github.com/salewski
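
An added example, not part of the original message: a small POSIX shell audit of the two settings discussed above, the UMASK line in login.defs and the mode of each home directory. It runs against a constructed sandbox (a temporary directory with a sample login.defs and two hypothetical homes, admin at 0755 and alice at 0700); all function names are assumptions made for this illustration.

```shell
#!/bin/sh
# login_defs_umask FILE: print the active (uncommented) UMASK value.
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { if (v != "") print v }' "$1"
}

# go_bits PATH: print the group+other part of the ls mode string,
# e.g. "r-xr-x" for 0755 and "------" for 0700.
go_bits() {
    ls -ld "$1" | cut -c5-10
}

# file_bits_under_umask MASK DIR: create a file in DIR under MASK and
# print its group+other bits (subshell keeps the caller's umask intact).
file_bits_under_umask() {
    ( umask "$1"; f="$2/created-with-$1"; : > "$f"; go_bits "$f" )
}

# open_homes BASE: list home directories under BASE that group or
# others can access in any way.
open_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        [ "$(go_bits "$d")" = "------" ] || printf '%s\n' "${d##*/}"
    done
}

# make_sandbox: build constructed sample data and print its path.
make_sandbox() {
    s=$(mktemp -d) || return 1
    printf '%s\n' '# 027, or even 077, could be considered better for privacy' \
        'UMASK 022' > "$s/login.defs"
    mkdir -p "$s/home/admin" "$s/home/alice"
    chmod 755 "$s/home/admin"   # mode observed in the message above
    chmod 700 "$s/home/alice"   # constructed contrast case
    printf '%s\n' "$s"
}

sb=$(make_sandbox)
echo "UMASK in login.defs:         $(login_defs_umask "$sb/login.defs")"
echo "new file, umask 022 (g+o):   $(file_bits_under_umask 022 "$sb/home/alice")"
echo "new file, umask 077 (g+o):   $(file_bits_under_umask 077 "$sb/home/alice")"
echo "homes open to group/others:  $(open_homes "$sb/home")"
rm -rf "$sb"
```

On a real system, point login_defs_umask at /etc/login.defs and open_homes at /home; a file that is group- or world-readable inside a home that open_homes does not list is still unreachable by other users.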