[20422] in bugtraq
Re: Redhat 7 insecure umask
daemon@ATHENA.MIT.EDU (Rebecca Kastl)
Wed Apr 25 01:18:12 2001
Message-ID: <Pine.LNX.4.30.0104241200250.22781-100000@7of9.neohapsis.com>
Date: Tue, 24 Apr 2001 12:37:28 -0500
Reply-To: Rebecca Kastl <rkastl@NEOHAPSIS.COM>
From: Rebecca Kastl <rkastl@NEOHAPSIS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.30.0104221420060.16293-100000@7of9.neohapsis.com>

On Sun, 22 Apr 2001, Rebecca Kastl wrote:

> From the su man page:
>
> -, -l, --login
> make the shell a login shell
>
> If the shell is not a login shell, then neither /etc/profile nor any .*shrc
> scripts are processed

Correction: In the case of bash, if the '-' or '-l' option to 'su' is not
specified, then /etc/profile and ~/.bash_profile are not executed. The
same holds true for ksh and sh in regard to /etc/profile and ~/.profile,
and /etc/profile and ~/.login for csh.

In the case of bash, /etc/bashrc and ~/.bashrc, and in the case of csh,
~/.cshrc will be processed, regardless.

In reference to the specific "problem" of su, the same holds true even if
one simply calls a shell without specifying that it be a login shell. So
the problem isn't even specifically related to su -- it comes down to
simply setting the 'umask' value appropriately and having an understanding
of how such values are handled depending on your platform.

To paraphrase something a friend once told me, "being a [UNIX
administrator] is not an entry level skill, but it can easily be an exit
level skill." Stay awake, stay employed.

--Rebecca Kastl
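
Added example, not part of the original message: a shell check that reports which umask a bash child ends up with as a login shell, as an interactive non-login shell, and as a plain `bash -c`, which is the startup-file behaviour the message describes. It assumes bash is installed; the throwaway HOME, the umask values 077 and 027, and the function name `effective_umask` are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: a throwaway HOME whose startup files each set a
# distinct umask, so the value reported reveals which file was read.
demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT
printf 'umask 077\n' > "$demo_home/.bash_profile"   # read by login shells only
printf 'umask 027\n' > "$demo_home/.bashrc"         # read by interactive non-login shells

# Print the umask bash ends up with for one invocation mode.
# (hypothetical helper name; the modes map onto bash's own -l and -i flags)
effective_umask() {
    case "$1" in
        login)       flags="-l" ;;   # like 'su -': /etc/profile, then ~/.bash_profile
        interactive) flags="-i" ;;   # like plain 'su' at a prompt: ~/.bashrc
        plain)       flags=""   ;;   # non-login, non-interactive: no startup files
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
    (
        umask 022    # the value the child inherits when no startup file changes it
        # env -i keeps BASH_ENV and similar variables from pulling in other files.
        # tail keeps only the umask line if a system-wide script prints something.
        env -i HOME="$demo_home" PATH="$PATH" \
            bash $flags -c 'umask' </dev/null 2>/dev/null | tail -n 1
    )
}

for mode in login interactive plain; do
    printf '%-12s %s\n' "$mode" "$(effective_umask "$mode")"
done
```

The `plain` row shows the inherited value surviving untouched, so a restrictive umask set only in a login file does not reach shells started without `-` or `-l`.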