Re: Vulnerability in pcs or is it in more generic code?
On Mon, 2022-09-05 at 21:38 +0200, Ola Lundqvist wrote: > I agree that it is good to fix the pcs package, but shouldn't we fix > the default umask in general? > I would argue that the default umask is insecure. bookworm login sets new user home directories to secure permissions: $ grep -E 'HOME_MODE\s*[0-9]' /etc/login.defs #HOME_MODE 0700 This somewhat mitigates, but not completely, the umask being insecure: $ grep -E 'UMASK\s*[0-9]' /etc/login.defs UMASK022 I can't find any bugs open about changing the default umask, but it was mentioned in replies to the recent adduser thread: https://lists.debian.org/msgid-search/yiejaly0ny0+0...@torres.zugschlus.de -- bye, pabs https://wiki.debian.org/PaulWise signature.asc Description: This is a digitally signed message part
Vulnerability in pcs or is it in more generic code?
Hi fellow Debian LTS and Debian Security memebers When triaging the packages for LTS I looked into the package pcs. I saw that it was already added to DSA needed so I have added it to DLA needed as well. However when reading the correction for it I started to think that the vulnerability may not be in PCS itself, but rather in Thin::Backends::UnixServer::connect because the correction is to override that function with a more secure umask. I agree that it is good to fix the pcs package, but shouldn't we fix the default umask in general? I would argue that the default umask is insecure. What do you think? Cheers // Ola -- --- Inguza Technology AB --- MSc in Information Technology | o...@inguza.como...@debian.org| | http://inguza.com/Mobile: +46 (0)70-332 1551 | ---