Circa 2001-Apr-20 15:41:05 -0500 dixit Drew Jones:

: Problem:
: Users of Redhat 7 may have their umask set insecurely while acting
: as root.

Red Hat has documented its "user-private group" scheme with 002 umask,
and its rationale, since at least 1995. Current documentation of that
for Red Hat Linux 7.1 is here:

  http://www.redhat.com/support/manuals/RHL-7.1-Manual/ref-guide/s1-users-groups-private-groups.html

This advisory implies that this is something new with Red Hat Linux
7.x; on the contrary, this practice dates back to at least Red Hat
Linux 2.1 from November 1995.

: Severity:
: Medium/Low
:
: Description:
: The Redhat useradd script creates a group for the new user with the
: same name as the username by default. When the user logs in, any
: shell that uses /etc/profile will set the umask to 002 if the user's
: username and groupname match and their uid is greater than 14. If
: the user then issues su to become root without specifying the -l
: option the root account inherits the umask of 002. As root the user
: may then create files with somewhat insecure permissions. Redhat
: seemed to understand that system users should have a umask of 022,
: because /etc/profile will set the umask that way for users logging in
: with a uid less than 14, but they forgot about su.
:
: The offending lines in /etc/profile:
: ...
: if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
:     umask 002
: else
:     umask 022
: fi
: ...

I wouldn't call these "offending". They actually work, just not for
'su'. Perhaps "the partially effective lines in /etc/profile" or even
"The relevant lines in /etc/profile" would be a more accurate way of
saying it.

: The fix:
: Get rid of the if-statement in /etc/profile and replace it with
: 'umask 022' (no quotes).

That fix, while effective, will negate the user-private group scheme.
Any one of the following solutions will work for default
configurations of Red Hat Linux without negating the user-private
group scheme:

(1) [All versions of Red Hat Linux up to and including 7.1]

In /root/.bashrc:

umask 0022

Since both bash-1.x and 2.x read and execute ~/.bashrc when a shell is
interactive, regardless of whether it's a login shell, this will work
for all cases where root's shell is /bin/bash (the default system
setting). If root's shell is something other than /bin/bash, either
change root's shell back to the default setting of /bin/bash, or
modify the other shell's initialization files accordingly.

(2) [All versions of Red Hat Linux from Red Hat Linux 4.2 up to and
including 7.1; may apply to older versions as well]

In /etc/bashrc, duplicate the partially effective 'if' statement from
/etc/profile listed above. By default in Red Hat Linux, ~/.bashrc
files (both /root/.bashrc and /etc/skel/.bashrc) read /etc/bashrc.
This performs the same umask setting for interactive-but-non-login
shells that the one in /etc/profile does for login shells. If root's
shell is something other than the default /bin/bash, either change
root's shell back to /bin/bash, or modify the other shell's
initialization files accordingly.

(3) [All versions of Red Hat Linux up to and including 7.1]

su
cd /bin
mv su su.bare
# The here-document delimiter is quoted so that "$@" is written into the
# wrapper literally rather than being expanded by the shell running cat.
cat >su <<'EOF'
#!/bin/sh
umask 0022
exec /bin/su.bare "$@"
EOF
chmod 0755 su

(4) [All versions of Red Hat Linux up to and including 7.1]

Use sudo instead of su:

  http://www.courtesan.com/courtesan/products/sudo/

sudo allows the default umask to be configured using the 'Default
umask' directive in /etc/sudoers; for example:

Default umask = 0022

If unspecified, the default umask is whatever was configured when sudo
was built.

Cheers.

-- 
jim knoble | jmknobleat_private | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
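The following script is an added example, not part of the original post or of Red Hat's /etc/profile. It re-implements the /etc/profile umask test quoted above with the uid, user name and group name passed as arguments (so it can be evaluated for any identity without logging in), and then shows what an inherited umask of 002 does to files created afterwards, which is the concrete effect a non-login `su` carries into root's shell. The identity values used (uid 500, user and group "alice") are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: mirrors the /etc/profile umask decision and demonstrates
# the resulting file modes. Not code from the original post or from Red Hat.

# Same test as the quoted /etc/profile lines, but taking uid, user name and
# group name as arguments instead of calling id(1).
profile_umask() {
    uid=$1; user=$2; group=$3
    if [ "$group" = "$user" ] && [ "$uid" -gt 14 ]; then
        echo 002
    else
        echo 022
    fi
}

# Permission bits a regular file gets when created under the given umask:
# creation mode 0666 with the umask bits cleared, as four octal digits.
file_mode_under_umask() {
    mask=$(printf '%d' "0$1")           # octal umask string -> decimal
    printf '%04o\n' $(( 438 & ~mask ))  # 438 == 0666
}

# Actually create a file under the given umask (in a subshell, so the
# caller's own umask is untouched) and return the mode string ls(1) shows.
created_file_perms() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" ) || return 1
    perms=$(ls -l "$dir/probe" | cut -c1-10)
    rm -rf "$dir"
    echo "$perms"
}

# A user-private-group account (constructed: uid 500, user == group) gets
# umask 002 from /etc/profile. A plain "su" without -l keeps that umask, so
# files root then creates are group-writable (0664) rather than 0644.
main() {
    m=$(profile_umask 500 alice alice)
    echo "login-shell umask for alice: $m"
    echo "file mode under umask $m: $(file_mode_under_umask "$m") ($(created_file_perms "$m"))"
    echo "file mode under umask 022: $(file_mode_under_umask 022) ($(created_file_perms 022))"
}
main
```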
This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 18:08:48 PDT