oss-sec mailing list archives
Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022
From: Eli Schwartz <eschwartz () archlinux org>
Date: Mon, 12 Oct 2020 16:13:05 -0400
On 10/12/20 3:41 PM, Solar Designer wrote:
Hi, A problem with Georgi's message that started this thread, besides its overall tone, is that it singled out Debian. In my experience, most Unix-like distributions use insecure defaults like this. On Thu, Oct 08, 2020 at 08:07:10AM +1100, Brian May wrote:Jeremy Stanley <fungi () yuggoth org> writes:As a long-time Debian user myself, I agree that this default is showing its age, and can represent a risk for operators who overlook it.Yes, I agree the default should be changed.I also think the defaults should be changed, and not only on Debian. Special cases like serving web pages do not justify insecure default home directory permissions - rather, they're reasons to provide extra setup instructions in web server packages, etc.
https://wiki.archlinux.org/index.php/Access_Control_Lists#Granting_execution_permissions_for_private_files_to_a_web_server This seems like a fairly solvable problem. By default, Arch Linux's login.defs umask is 077, so home directories created by useradd cannot be read at all by other users. (It is then overridden by /etc/profile to 022.)
Just note that there is a reasonable amount of software install instructions that assume umask is 022 and will install software with unusable permissions if it is not.This is indeed a problem. When building software manually (not packaged) and wanting to install it on a system globally (e.g., in /usr/local), a workaround is to use "(umask 022; make install)" - that is, temporarily relax the umask to 022 just for that one command by running it in a subshell. RPM typically invokes "umask 022" for all(?) package build scripts, including the %install section, which lets it build proper packages even when run on a system with umask 077 even when the packaged software's install scripts assume umask 022. I think package install scripts should learn not to assume umask, or at least not when installing software globally. When installing to a subdirectory of the user's home directory, it makes sense to honor the user's umask, but those cases probably can't be recognized reliably. It's a pity that software will just assume it's to be installed globally (or with equivalent permissions), but the current reality is no better where things break arbitrarily (e.g., some files mode 644, some 600) when installing unprepared software with umask 077.
It depends how the software is installed, surely? Some things use mkdir/cp, some use install (which defaults to 755). Some build systems, like meson, have a core setting for the installation umask, ignoring the process umask in favor of 022 by default or whatever configuration option was passed.
I think distros have to take the first step and change the default umask to 077. Until enough distros do, software maintainers won't have the incentive to support that or won't even know about the problem. Alexander
-- Eli Schwartz Arch Linux Bug Wrangler and Trusted User
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Georgi Guninski (Oct 07)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Jeremy Stanley (Oct 07)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Noel Kuntze (Oct 07)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Brian May (Oct 07)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Solar Designer (Oct 12)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Kurt H Maier (Oct 12)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Jeffrey Walton (Oct 12)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Brian May (Oct 12)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Russ Allbery (Oct 12)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Jeremy Stanley (Oct 07)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Eli Schwartz (Oct 13)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Seth Arnold (Oct 07)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Bob Friesenhahn (Oct 08)
- Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022 Seth Arnold (Oct 08)