<div>// Ola</div><div><br></div><div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div><div><font face="courier new, monospace" size="1"> --- Inguza Technology AB ---MSc in Information Technology ----</font></div><div><font face="courier new, monospace" size="1">| </font><a href="mailto:ola@inguza.com" style="font-family:"courier new",monospace;font-size:x-small" target="_blank">ola@inguza.com</a><span
I agree that it is good to fix the pcs package, but shouldn't we fix
the default umask in general?
I would argue that the default umask is insecure.
On Mon, 2022-09-05 at 21:38 +0200, Ola Lundqvist wrote:
I agree that it is good to fix the pcs package, but shouldn't we fix
the default umask in general?
I would argue that the default umask is insecure.
bookworm login sets new user home directories to secure permissions:
$ grep -E 'HOME_MODE\s*[0-9]' /etc/login.defs
#HOME_MODE 0700
This somewhat mitigates, but not completely, the umask being insecure:
$ grep -E 'UMASK\s*[0-9]' /etc/login.defs
UMASK 022
I can't find any bugs open about changing the default umask,
but it was mentioned in replies to the recent adduser thread:
https://lists.debian.org/msgid-search/YieJALY0ny0+07pw@torres.zugschlus.de
--
bye,
pabs
https://wiki.debian.org/PaulWise
I see that I was not clear what I meant with "in general" :-)
Here I found how the generic source code looks like: https://rubydoc.info/gems/thin/1.3.1/Thin%2FBackends%2FUnixServer:connect
You can see the umask(0) there.
That is what I think is insecure, not pcs itself.
But I think Thin::Backends::UnixServer#connect is still insecure.
On Fri, 2022-09-09 at 22:41 +0200, Ola Lundqvist wrote:
I see that I was not clear what I meant with "in general" :-)
Woops, sorry for the noise :)
Here I found how the generic source code looks like:
https://rubydoc.info/gems/thin/1.3.1/Thin%2FBackends%2FUnixServer:connect
You can see the umask(0) there.
That is what I think is insecure, not pcs itself.
Agreed.
But I think Thin::Backends::UnixServer#connect is still insecure.
It looks like the issue was introduced in this pull request:
https://github.com/macournoyer/thin/pull/28
It sounds like unicorn might have the same issue as thin.
Looking at the unicorn code, it sets the default umask to 0
when the umask option is not set, so not quite as bad but still.
The justification for the default umask of 0 in unicorn is:
# Typically UNIX domain sockets are created with more liberal
# file permissions than the rest of the application. By default,
# we create UNIX domain sockets to be readable and writable by
# all local users to give them the same accessibility as
# locally-bound TCP listeners.
So the choice of umask 0 is deliberate in unicorn and the thin folks
copied that choice and dropped the possibility of overriding it,
since they did't have an options argument for the function.
Since UNIX domain sockets are often used for situations that are not
like localhost TCP sockets, that was probably the wrong choice, but
the unicorn/thin folks are likely from the web developer community,
which is mostly focused on HTTP and TCP and often use localhost for development, so it was the right choice within their bubble.
I feel like the APIs of both thin and unicorn need redesigning so that
the choice of umask to use must be made by the caller. Then the web
developer community can use 0 and others will choose a safe value.
Really the web developer community shouldn't use 0 either but I expect
that convincing them of that might not be possible.
I'm not sure how palatable the API change will be to thin/unicorn.
--
bye,
pabs
https://wiki.debian.org/PaulWise
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 297 |
Nodes: | 16 (2 / 14) |
Uptime: | 07:38:14 |
Calls: | 6,666 |
Files: | 12,213 |
Messages: | 5,336,117 |