Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201012194139.GA30753@openwall.com>
Date: Mon, 12 Oct 2020 21:41:39 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Debian FEATURE: /home/loser is with permissions 755, default umask 0022

Hi,

A problem with Georgi's message that started this thread, besides its
overall tone, is that it singled out Debian.  In my experience, most
Unix-like distributions use insecure defaults like this.

On Thu, Oct 08, 2020 at 08:07:10AM +1100, Brian May wrote:
> Jeremy Stanley <fungi@...goth.org> writes:
> 
> > As a long-time Debian user myself, I agree that this default is
> > showing its age, and can represent a risk for operators who overlook
> > it.
> 
> Yes, I agree the default should be changed.

I also think the defaults should be changed, and not only on Debian.

Special cases like serving web pages do not justify insecure default
home directory permissions - rather, they're reasons to provide extra
setup instructions in web server packages, etc.

> Just note that there is a reasonable amount of software install
> instructions that assume umask is 022 and will install software with
> unusable permissions if it is not.

This is indeed a problem.  When building software manually (not
packaged) and wanting to install it on a system globally (e.g., in
/usr/local), a workaround is to use "(umask 022; make install)" - that
is, temporarily relax the umask to 022 just for that one command by
running it in a subshell.

RPM typically invokes "umask 022" for all(?) package build scripts,
including the %install section, which lets it build proper packages even
when run on a system with umask 077 even when the packaged software's
install scripts assume umask 022.

I think package install scripts should learn not to assume umask, or at
least not when installing software globally.  When installing to a
subdirectory of the user's home directory, it makes sense to honor the
user's umask, but those cases probably can't be recognized reliably.

It's a pity that software will just assume it's to be installed globally
(or with equivalent permissions), but the current reality is no better
where things break arbitrarily (e.g., some files mode 644, some 600)
when installing unprepared software with umask 077.

I think distros have to take the first step and change the default umask
to 077.  Until enough distros do, software maintainers won't have the
incentive to support that or won't even know about the problem.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.