Problem: Users of Redhat 7 may have their umask set insecurely while acting as root.

Severity: Medium/Low

Description:

The Redhat useradd script creates a group for the new user with the same name as the username by default. When the user logs in, any shell that uses /etc/profile will set the umask to 002 if the user's username and groupname match and their uid is greater than 14. If the user then issues su to become root without specifying the -l option, the root account inherits the umask of 002. As root the user may then create files with somewhat insecure permissions. Redhat seemed to understand that system users should have a umask of 022, because /etc/profile will set the umask that way for users logging in with a uid less than 14, but they forgot about su.

The offending lines in /etc/profile:

    ...
    if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
        umask 002
    else
        umask 022
    fi
    ...

The fix: Get rid of the if-statement in /etc/profile and replace it with 'umask 022' (no quotes).

Andrew Jones
-------------
Computer Science and Physics student at the University of Northern Iowa
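The following script is an added illustration, not part of Andrew Jones's post and not Red Hat's code. It rewrites the /etc/profile decision as a function of (group name, user name, uid) so it can be evaluated without a login shell, models what a root shell inherits after a plain su (no -l), converts a umask into the mode a new file would get, and includes an audit function that flags a profile file still carrying the conditional block. The user name "alice" with uid 500 and the temporary profile file are constructed sample inputs; nothing here reads the real /etc/profile or calls su.

```sh
#!/bin/sh
# Added example (not from the original post). All inputs are constructed;
# nothing touches the real /etc/profile or invokes su.

# The Red Hat 7 /etc/profile logic as a pure function of
# (primary group name, user name, numeric uid).
redhat7_umask() {
    if [ "$1" = "$2" ] && [ "$3" -gt 14 ]; then
        echo 002
    else
        echo 022
    fi
}

# The replacement the post recommends: an unconditional 022.
fixed_umask() {
    echo 022
}

# Mode a newly created regular file (requested 0666) ends up with under
# the given octal umask. Pure arithmetic, so no file is created.
file_mode_for_umask() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# Audit: exit status 0 when a profile file still contains the
# username/groupname/uid conditional that hands out umask 002.
profile_has_conditional_umask() {
    grep -q 'id -gn.*id -un.*-gt 14' "$1" && grep -q 'umask 002' "$1"
}

# Walk through the scenario from the post: user "alice" (constructed; uid 500,
# primary group "alice") logs in, then runs plain `su`. Because su without -l
# does not re-run /etc/profile, the root shell simply keeps alice's umask.
demo() {
    login_umask=$(redhat7_umask alice alice 500)
    root_umask_after_su=$login_umask
    printf 'alice login umask: %s\n' "$login_umask"
    printf 'root umask after plain su: %s -> new files get mode %s\n' \
        "$root_umask_after_su" "$(file_mode_for_umask "$root_umask_after_su")"
    printf 'with the fix: %s -> new files get mode %s\n' \
        "$(fixed_umask)" "$(file_mode_for_umask "$(fixed_umask)")"

    # Audit a constructed copy of the weak block, then the fixed one-liner.
    tmp=$(mktemp)
    printf 'if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then\n' >  "$tmp"
    printf '    umask 002\nelse\n    umask 022\nfi\n'            >> "$tmp"
    if profile_has_conditional_umask "$tmp"; then
        echo "sample profile: weak conditional umask present"
    fi
    printf 'umask 022\n' > "$tmp"
    if ! profile_has_conditional_umask "$tmp"; then
        echo "sample profile after fix: unconditional umask, no finding"
    fi
    rm -f "$tmp"
}

demo
```

The audit function deliberately keys on both halves of the pattern (the id-based test and the 002 branch) so that a profile which keeps the conditional but already sets 022 in both branches is not reported; on a real host you would point it at /etc/profile and at any per-shell profile that duplicates the block.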
This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 14:28:06 PDT