Debian Bug report logs - #581666
base-files: default umask 022 is too permissive


Package: base-files; Maintainer for base-files is Santiago Vila <sanvila@debian.org>; Source for base-files is src:base-files.

Reported by: Christoph Anton Mitterer <calestyo@scientia.net>

Date: Fri, 14 May 2010 19:51:02 UTC

Severity: normal

Found in version base-files/5.4

Done: Santiago Vila <sanvila@unex.es>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#581666; Package base-files. (Fri, 14 May 2010 19:51:05 GMT)

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 14 May 2010 19:51:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: base-files: default umask 022 is too permissive
Date: Fri, 14 May 2010 20:16:48 +0200
Package: base-files
Version: 5.4
Severity: normal

Hi.

Even when considering #248140 and #581434 I'd say that
a umask of 002 is far too permissive.


1) Generally it's always the best idea to have the strictest
or most secure default, which is of course 002.
Even when user private groups are default.
A sysadmin will recognise if he/his users want to have 022
very quickly, but the other way round, permissions would be
too open and no one might recognise.

2) Even in case of user private groups 002 is not necessarily
what one wants.
Many people add user B to user A's group probably just that B is
able to read files from A, but not to read/write.


Conclusion:
Debian should ship with secure system wide defaults.
Pragmatically 022 (or even something more strict).

And either root or the single users should have to manually
choose when they want to open things up.


Cheers,
Chris.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages base-files depends on:
ii  gawk [awk]                1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii  mawk [awk]                1.3.3-15       a pattern scanning and text proces
ii  original-awk [awk]        2010-02-08-1   The original awk described in "The

base-files recommends no packages.

base-files suggests no packages.

-- no debconf information




Reply sent to Santiago Vila <sanvila@unex.es>:
You have taken responsibility. (Fri, 14 May 2010 23:12:03 GMT)

Notification sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Bug acknowledged by developer. (Fri, 14 May 2010 23:12:04 GMT)

Message #10 received at 581666-done@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 581666-done@bugs.debian.org
Subject: Re: Bug#581666: base-files: default umask 022 is too permissive
Date: Sat, 15 May 2010 01:10:24 +0200 (CEST)
On Fri, 14 May 2010, Christoph Anton Mitterer wrote:

> Package: base-files
> Version: 5.4
> Severity: normal
> 
> Hi.
> 
> Even when considering #248140 and #581434 I'd say that
> a umask of 002 is far too permissive.
> 
> 
> 1) Generally it's always the best idea to have the strictest
> or most secure default, which is of course 002.
> Even when user private groups are default.
> A sysadmin will recognise if he/his users want to have 022
> very quickly, but the other way round, permissions would be
> too open and no one might recognise.
> 
> 2) Even in case of user private groups 002 is not necessarily
> what one wants.
> Many people add user B to user A's group probably just that B is
> able to read files from A, but not to read/write.
> 
> 
> Conclusion:
> Debian should ship with secure system wide defaults.
> Pragmatically 022 (or even something more strict).
> 
> And either root or the single users should have to manually
> choose when they want to open things up.

I have just changed the default umask in /etc/profile to 002.
This is just a default. In no way such setting is an imposition on the
user, as /etc/profile is a configuration file that the user is completely
free to change, and the changes are preserved on upgrades.

There will be cases where 002 is better than 022, and there will be
cases where 022 is better than 002. If you think 002 is not good for
you, please change it in your system. If you think I was wrong by
changing the default, and you are a Debian maintainer, please use the
Debian Constitution to override the decision.

Other than that, I think that submitting a new bug report in the
opposite sense of the current default is completely unacceptable and
tasteless.




Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#581666; Package base-files. (Fri, 14 May 2010 23:36:05 GMT)

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 14 May 2010 23:36:05 GMT)

Message #15 received at 581666@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 581666@bugs.debian.org
Subject: Re: Bug#581666: base-files: default umask 022 is too permissive
Date: Sat, 15 May 2010 01:33:28 +0200
On Sat, 2010-05-15 at 01:10 +0200, Santiago Vila wrote:
> I have just changed the default umask in /etc/profile to 002.
> This is just a default. In no way such setting is an imposition on the
> user, as /etc/profile is a configuration file that the user is completely
> free to change, and the changes are preserved on upgrades.
Of course a user can change this,.. but I guess many "normal" users
never stumble across it and will simply leave the new default.

With such an argument ("everybody can change it") we could also, e.g.
install telnetd per default (probably not that secure), or add any user
to the root group per default...


> There will be cases where 002 is better than 022, and there will be
> cases where 022 is better than 002.
Fully agree with that... but I'd suggest if different ways conflict, one
should choose the one, which is the "most secure".


> If you think 002 is not good for
> you, please change it in your system.
Well I do not "complain" for myself. I noticed the change and could
simply keep the old scheme or even 077.


> If you think I was wrong by
> changing the default, and you are a Debian maintainer, please use the
> Debian Constitution to override the decision.
No,.. I'm not... at least not in the foreseeable future.


> Other than that, I think that submitting a new bug report in the
> opposite sense of the current default is completely unacceptable and
> tasteless.
I definitely did not want to offend you in any way.
Anyway, IMHO the new change is a bad idea, therefore (out of the
wish to improve Debian) I reported this (fully knowing, that you just
change it) in order to let you perhaps reconsider...
Thought that one doesn't have to be DD for this.


Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#581666; Package base-files. (Fri, 14 May 2010 23:54:02 GMT)

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Fri, 14 May 2010 23:54:02 GMT)

Message #20 received at 581666@bugs.debian.org:

From: Santiago Vila <sanvila@unex.es>
To: Christoph Anton Mitterer <calestyo@scientia.net>, 581666@bugs.debian.org
Subject: Re: Bug#581666: base-files: default umask 022 is too permissive
Date: Sat, 15 May 2010 01:51:33 +0200 (CEST)
On Sat, 15 May 2010, Christoph Anton Mitterer wrote:

> On Sat, 2010-05-15 at 01:10 +0200, Santiago Vila wrote:
> > I have just changed the default umask in /etc/profile to 002.
> > This is just a default. In no way such setting is an imposition on the
> > user, as /etc/profile is a configuration file that the user is completely
> > free to change, and the changes are preserved on upgrades.
> Of course a user can change this,.. but I guess many "normal" users
> never stumble across it and will simply leave the new default.
> 
> With such an argument ("everybody can change it") we could also, e.g.
> install telnetd per default (probably not that secure), or add any user
> to the root group per default...

Please note that the argument was not just "everybody can change it",
but instead "A lot of people consider the new default to be better than
the old one, and those who do not consider it better can change it anyway".

Your example would be good if there were a significant number of people
in favour of installing telnetd by default, or in favour of adding any
user to the root group by default, but I guess such is not the case.
 
> > There will be cases where 002 is better than 022, and there will be
> > cases where 022 is better than 002.
> Fully agree with that... but I'd suggest if different ways conflict, one
> should choose the one, which is the "most secure".

On systems with User Private Groups, like Debian, 002 is as secure as 022.

> > If you think 002 is not good for
> > you, please change it in your system.
> Well I do not "complain" for myself. I noticed the change and could
> simply keep the old scheme or even 077.

Exactly. I will keep 022 in my system.

> > If you think I was wrong by
> > changing the default, and you are a Debian maintainer, please use the
> > Debian Constitution to override the decision.
> No,.. I'm not... at least not in the foreseeable future.
> 
> 
> > Other than that, I think that submitting a new bug report in the
> > opposite sense of the current default is completely unacceptable and
> > tasteless.
> I definitely did not want to offend you in any way.
> Anyway, IMHO the new change is a bad idea, therefore (out of the
> wish to improve Debian) I reported this (fully knowing, that you just
> change it) in order to let you perhaps reconsider...
> Thought that one doesn't have to be DD for this.

Obviously not. I just wanted you to realize that having a bug saying
"you should do this" and another one saying "you should not do this"
at the same time is not nice at all.

There is a discussion in debian-devel. That is the preferred place to
discuss this, much better than a new bug report.




Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>:
Bug#581666; Package base-files. (Sat, 15 May 2010 00:12:03 GMT)

Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>. (Sat, 15 May 2010 00:12:03 GMT)

Message #25 received at 581666@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 581666@bugs.debian.org
Subject: Re: Bug#581666: base-files: default umask 022 is too permissive
Date: Sat, 15 May 2010 02:08:25 +0200
Hi Santiago.


You'll find a post at d-d very soon.
Please do not feel that it is about to attack you....

On Sat, 2010-05-15 at 01:51 +0200, Santiago Vila wrote:
> Please note that the argument was not just "everybody can change it",
> but instead "A lot of people consider the new default to be better than
> the old one, and those who do not consider it better can change it anyway".
...I was aware of the thread there and that you just did what a majority
wanted...
Nevertheless,... the majority is not always right (especially in terms
of security issues)...


> Your example would be good if there were a significant number of people
> in favour of installing telnetd by default, or in favour of adding any
> user to the root group by default, but I guess such is not the case.
Well,.. probably.
Anyway,.. I see a trend in Debian to open up more and more and I'd say
Debian should be secure and hardened by default.
That's why I'd always choose hardened config, even if the majority of
all users will have to change it.


> On systems with User Private Groups, like Debian, 002 is as secure as 022.
At a first glance it seems so, at least until no one adds user B to user
A's group...but I'm sceptical that we've really seen all follow-ups and
side effects of such a change.


btw: Is there any other distro which has 002 as default? At least none
I'd know about...


> > Well I do not "complain" for myself. I noticed the change and could
> > simply keep the old scheme or even 077.
> Exactly. I will keep 022 in my system.
So do you, personally, think that it's a good change?


> Obviously not. I just wanted you to realize that having a bug saying
> "you should do this" and another one saying "you should not do this"
> at the same time is not nice at all.
I did not see this in the first place, so sorry for that.


Cheers,
Chris.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 Jun 2010 07:37:18 GMT)
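
Added example (not part of the bug log or of base-files): the umask arithmetic discussed in this thread, plus an audit for the case raised in message #25, a user private group that has gained an extra member. The account names and file contents are constructed, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: effect of umask 002 vs 022 when a user private group (UPG)
# has gained extra members. All sample data below is constructed.

# Mode a new file or directory ends up with: requested & ~umask (octal in/out).
mode_after_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Group-class permission bits of a new file (requested mode 666) under a umask.
group_bits() {
    m=$(mode_after_umask 666 "$1")
    case $(( (0$m >> 3) & 7 )) in
        6) echo rw- ;; 4) echo r-- ;; 0) echo --- ;; *) echo other ;;
    esac
}

# Print "group:member" for every extra member of a user private group, i.e. a
# group whose name and GID match a user login name and primary GID.
# Arguments: a passwd(5)-format file and a group(5)-format file.
upg_extra_members() {
    awk -F: '
        NR == FNR { primary[$1] = $4; next }   # passwd: login -> primary GID
        ($1 in primary) && primary[$1] == $3 && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != $1) print $1 ":" m[i]
        }
    ' "$1" "$2"
}

# Constructed sample accounts: bob has been added to the private group of alice.
sample_passwd() { printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' 'bob:x:1001:1001::/home/bob:/bin/bash'; }
sample_group()  { printf '%s\n' 'alice:x:1000:bob' 'bob:x:1001:' 'users:x:100:alice,bob'; }

tmp=$(mktemp -d)
sample_passwd > "$tmp/passwd"; sample_group > "$tmp/group"
for u in 022 002 077; do
    echo "umask $u: new file $(mode_after_umask 666 "$u"), new dir $(mode_after_umask 777 "$u"), group gets $(group_bits "$u")"
done
upg_extra_members "$tmp/passwd" "$tmp/group" | while IFS=: read -r g member; do
    echo "$member is in private group '$g': under umask 002, $member can modify new files of $g"
done
rm -rf "$tmp"
```

Calling upg_extra_members /etc/passwd /etc/group applies the same check to a live system; it only sees members listed in the local group file, not those supplied by other NSS sources.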



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 10:46:33 2014; Machine Name: buxtehude.debian.org
