Subject: misc/20509: umask in skel configuration files is set to a dangerous value
To: None <gnats-bugs@gnats.netbsd.org>
From: None <sobrado@acm.org>
List: netbsd-bugs
Date: 02/27/2003 02:08:24
>Number: 20509
>Category: misc
>Synopsis: umask in skel configuration files is set to a dangerous value
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: misc-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Feb 27 02:09:01 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Igor Sobrado
>Release: 1.6
>Organization:
University of Oviedo
>Environment:
NetBSD ns1.localnet 1.6 NetBSD 1.6 (GENERIC) #0: Sun Sep 8 19:43:40 UTC 2002
autobuild@tgm.daemon.org:/autobuild/i386/OBJ/autobuild/src/sys/arch/i386/compile/GENERIC i386
>Description:
The file creation mask is set to value 2 in both /etc/skel/.cshrc
and /etc/skel/.profile. This is a dangerous value for umask,
allowing a careless user to remove files from other users in the
same group (users' home directories are not protected with the
sticky bit).
>How-To-Repeat:
The problem is easy to repeat by creating a user account with the
default login scripts:
# useradd [...] -m -k /etc/skel [...]
>Fix:
I recommend changing the value of umask to 022 instead of 2
in both /etc/skel/.cshrc and /etc/skel/.profile; alternatively,
it can be set up to 077 but, IMHO, it is against the open
behaviour of NetBSD.
>Release-Note:
>Audit-Trail:
>Unformatted:
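
The effect described in the report, as an added example that is not part of the original submission: the script shows the modes new directories and files receive under umask 2 and 022, and audits login-script templates for a umask that leaves group or other write enabled. The function names `mode_under_umask` and `audit_umask` are hypothetical, and the sample files are constructed stand-ins for /etc/skel/.profile and /etc/skel/.cshrc.

```shell
#!/bin/sh
# Added example, not from the original report. Function names are hypothetical.

# mode_under_umask MASK: print the modes a new directory and file receive.
mode_under_umask() {
    (
        umask "$1"
        d=$(mktemp -d) || exit 1
        mkdir "$d/dir" && : > "$d/file"
        # ls is used because stat(1) flags differ between BSD and GNU.
        dm=$(ls -ld "$d/dir" | cut -c1-10)
        fm=$(ls -l "$d/file" | cut -c1-10)
        rm -rf "$d"
        echo "$dm $fm"
    )
}

# audit_umask FILE...: report umask lines that leave group or other write
# permission enabled. Returns 1 if any finding was printed.
audit_umask() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        for m in $(awk '$1 == "umask" && $2 ~ /^[0-7]+$/ { print $2 }' "$f"); do
            # Both write bits (020 group, 002 other) must be masked out.
            if [ "$(( (0$m & 022) != 022 ))" -eq 1 ]; then
                echo "$f: umask $m leaves group/other write enabled"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample: a stand-in skel directory, not the real /etc/skel.
skel=$(mktemp -d)
printf 'umask 2\n' > "$skel/.profile"
printf 'umask 022\n' > "$skel/.cshrc"

echo "umask 2:   $(mode_under_umask 2)"
echo "umask 022: $(mode_under_umask 022)"
audit_umask "$skel/.profile" "$skel/.cshrc" || true
rm -rf "$skel"
```

A directory created under umask 2 is group-writable, and write permission on a directory is what allows entries in it to be removed, which is the exposure the report describes.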