[20399] in bugtraq


Re: Redhat 7 insecure umask

daemon@ATHENA.MIT.EDU (Jim Knoble)
Mon Apr 23 21:10:03 2001

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID:  <20010422170507.C1235@quipu.half.pint-stowp.cx>
Date:         Sun, 22 Apr 2001 17:05:07 -0400
Reply-To: Jim Knoble <jmknoble@jmknoble.cx>
From: Jim Knoble <jmknoble@jmknoble.cx>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200104202041.PAA01007@dor1.lib.uni.edu>; from
              drewj@DOR1.LIB.UNI.EDU on Fri, Apr 20, 2001 at 03:41:05PM -0500


Circa 2001-Apr-20 15:41:05 -0500 dixit Drew Jones:

: Problem:
:   Users of Redhat 7 may have their umask set insecurely while acting
: as root.

Red Hat has documented its "user-private group" scheme with 002 umask,
and its rationale, since at least 1995.  Current documentation of that
for Red Hat Linux 7.1 is here:

  http://www.redhat.com/support/manuals/RHL-7.1-Manual/ref-guide/s1-users-groups-private-groups.html

This advisory implies that this is something new with Red Hat Linux
7.x; on the contrary, this practice dates back to at least Red Hat
Linux 2.1 from November 1995.

: Severity:
:   Medium/Low
:
: Description:
:   The Redhat useradd script creates a group for the new user with the
: same name as the username by default.  When the user logs in, any
: shell that uses /etc/profile will set the umask to 002 if the user's
: username and groupname match and their uid is greater than 14.  If
: the user then issues su to become root without specifying the -l
: option the root account inherits the umask of 002.  As root the user
: may then create files with somewhat insecure permissions. Redhat
: seemed to understand that system users should have a umask of 022,
: because /etc/profile will set the umask that way for users logging in
: with a uid less than 14, but they forgot about su.
:
: The offending lines in /etc/profile:
: ...
: if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
:         umask 002
: else
:         umask 022
: fi
: ...

I wouldn't call these "offending".  They actually work, just not for
'su'.  Perhaps "the partially effective lines in /etc/profile" or even
"The relevant lines in /etc/profile" would be a more accurate way of
saying it.

: The fix:
:   Get rid of the if-statement in /etc/profile and replace it with
: 'umask 022' (no quotes).

That fix, while effective, will negate the user-private group scheme.
Any one of the following solutions will work for default configurations
of Red Hat Linux without negating the user-private group scheme:

  (1) [All versions of Red Hat Linux up to and including 7.1]

      In /root/.bashrc:

        umask 0022

      Since both bash-1.x and 2.x read and execute ~/.bashrc when a
      shell is interactive, regardless of whether it's a login shell,
      this will work for all cases where root's shell is /bin/bash (the
      default system setting).

      If root's shell is something other than /bin/bash, either change
      root's shell back to the default setting of /bin/bash, or modify
      the other shell's initialization files accordingly.

  (2) [All versions of Red Hat Linux from Red Hat Linux 4.2 up to and
       including 7.1; may apply to older versions as well]

      In /etc/bashrc, duplicate the partially effective 'if' statement
      from /etc/profile listed above.

      By default in Red Hat Linux, ~/.bashrc files (both /root/.bashrc
      and /etc/skel/.bashrc) read /etc/bashrc. This performs the same
      umask setting for interactive-but-non-login shells that the one
      in /etc/profile does for login shells.

      If root's shell is something other than the default /bin/bash,
      either change root's shell back to /bin/bash, or modify the other
      shell's initialization files accordingly.

  (3) [All versions of Red Hat Linux up to and including 7.1]

        su
        cd /bin
        mv su su.bare
        # quoted delimiter: "$@" must reach the wrapper literally,
        # not be expanded by the shell writing the file
        cat >su <<'EOF'
        #!/bin/sh
        umask 0022
        exec /bin/su.bare "$@"
        EOF
        chmod 0755 su

  (4) [All versions of Red Hat Linux up to and including 7.1]

      Use sudo instead of su:

        http://www.courtesan.com/courtesan/products/sudo/

      sudo allows the default umask to be configured using the
      'Default umask' directive in /etc/sudoers; for example:

        Defaults umask = 0022

      If unspecified, the default umask is whatever was configured when
      sudo was built.

Cheers.

-- 
jim knoble | jmknoble@jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
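The umask behaviour this thread turns on, as an added example written for this archive page and not code from either poster: a POSIX shell script that models the test in Red Hat's /etc/profile, computes the file and directory modes each umask yields, and shows that a child shell started without a login (what a bare su does) inherits its parent's umask, while a wrapper in the style of solution (3) resets it. The user names and uids in the demo are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the original posting.  Models the umask choice
# in Red Hat's /etc/profile and the inheritance behaviour that lets a
# plain "su" carry a 002 umask into root's shell.  User names and uids
# passed in by the demo at the bottom are constructed sample values.

# profile_umask NAME GROUP UID
# Prints the umask /etc/profile would pick: 002 when the primary group
# name equals the user name (user-private group) and the uid is above 14,
# 022 otherwise.
profile_umask() {
    if [ "$2" = "$1" ] && [ "$3" -gt 14 ]; then
        echo 002
    else
        echo 022
    fi
}

# file_mode_for_umask UMASK  -> mode of a newly created regular file
# dir_mode_for_umask  UMASK  -> mode of a newly created directory
# Both apply the kernel rule: requested mode AND NOT umask.
file_mode_for_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}
dir_mode_for_umask() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# umask_seen_by_child UMASK
# Sets UMASK in a subshell and starts a non-login child shell, as a bare
# "su" does; the child reports the umask it inherited.
umask_seen_by_child() {
    ( umask "$1"; sh -c 'umask' )
}

# umask_through_wrapper UMASK
# Same experiment, but the child is reached through a wrapper script that
# resets the umask before exec'ing, the approach of solution (3).
umask_through_wrapper() {
    dir=$(mktemp -d) || return 1
    cat >"$dir/wrap" <<'EOF'
#!/bin/sh
umask 0022
exec sh -c 'umask'
EOF
    chmod 0755 "$dir/wrap"
    ( umask "$1"; "$dir/wrap" )
    rm -rf "$dir"
}

# Demo with constructed accounts: an ordinary user-private-group user,
# a system account, and a user whose primary group is shared.
for spec in "alice alice 500" "lp lp 4" "bob users 501"; do
    set -- $spec
    u=$(profile_umask "$1" "$2" "$3")
    printf '%-6s gid=%-6s uid=%-4s umask=%s files=%s dirs=%s\n' \
        "$1" "$2" "$3" "$u" \
        "$(file_mode_for_umask "$u")" "$(dir_mode_for_umask "$u")"
done
printf 'bare child shell under umask 002 reports: %s\n' "$(umask_seen_by_child 002)"
printf 'child via umask-resetting wrapper reports: %s\n' "$(umask_through_wrapper 002)"
```

Run it as an unprivileged user; nothing in it touches /bin or needs root. The two closing lines are the point of the thread: the child shell reports 0002 when started directly under a 002 umask, and 0022 when started through a wrapper that sets the umask before exec, which is exactly the difference between a bare su and the wrapped su of solution (3).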

