----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> Sent: Friday, April 18, 2014 5:54:27 AM
>
> On 4/16/14, 9:43 AM, Jan Lieskovsky wrote:
>> Patch summary:
>> The current implementation of the accounts_umask_etc_profile check checks
>> just the first occurrence of the umask keyword in the /etc/profile file. But the last
>> occurrence is the one that's actually applied. This can be checked by
>> having:
>>
>> umask 077
>> umask 022
>>
>> in /etc/profile, logging in to a new session for a particular user (su - $USER),
>> and running the "umask" command without arguments (the last setting, e.g. 0022, is
>> reported as the actual umask value used for file creation. This can be verified by checking
>> the mode of a newly created file in that session).
>>
>> So instead of checking just the first value (and possibly reporting a
>> false-negative test result), check all occurrences (and report the proper result).
>>
>> Testing report:
>> The patch has been tested on RHEL-6 & works properly.
>
> My original thought process was "what if /etc/profile has if statements,
> selecting different umasks for certain situations?"..... but really, the
> deployment should never have a lesser umask. Changing the instance operation
> to >= makes sense.
>
> ack
Thanks, Shawn. Yeah, it looks like even this version of this check might not be the last one - as you correctly pointed out, the check should (yes) somehow determine / retrieve the proper umask setting within the possible if/else statements. But since checking all umask occurrences rather than just the first one is a step forward, I pushed this to master. We can fine-tune the if's later.

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
