[20424] in bugtraq


Re: Redhat 7 insecure umask

daemon@ATHENA.MIT.EDU (Warren Young)
Wed Apr 25 01:39:35 2001

Message-ID:  <3AE59822.41137804@etr-usa.com>
Date:         Tue, 24 Apr 2001 09:13:38 -0600
Reply-To: Warren Young <warren@ETR-USA.COM>
From: Warren Young <warren@ETR-USA.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Rebecca Kastl wrote:
>
> On Fri, 20 Apr 2001, Drew Jones wrote:
>
> > Problem:
> >   Users of Redhat 7 may have their umask set insecurely while acting
> > as root.
>
> Maybe I'm missing something here, but isn't the "problem" with su, not
> /etc/profile?

su(1) on AT&T-derived Unixes fixes this: there's a file /etc/defaults/su
(IIRC) which sets certain user defaults whether you do "su -" or just
plain "su".  I've used both, but I think I prefer the Red Hat way: it's
more predictable because you know that without the - you keep your
current environment, and with it you overwrite your current environment
with the target user's.  With the AT&T way, you don't know with plain
"su" what your environment will look like without looking at
/etc/defaults/su first.

--
Warren
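
The following is an added illustration, not part of the message above or of the thread. It shows why a shell started without a login (as with plain "su") can end up with the caller's umask, and one way root's shell startup file can guard against it. The helper names and mask values are hypothetical, and it assumes nothing in between (PAM, a shell rc file) resets the umask.

```shell
#!/bin/sh
# Added example: umask is a process attribute, so a shell started without a
# login (as with plain "su") keeps the caller's value unless something resets it.

# Print the permission string of a file created by a child shell that
# inherits MASK from its parent. MASK values used below are constructed.
mode_created_under() {
    (
        umask "$1"
        d=$(mktemp -d) || exit 1
        sh -c 'touch "$1/f"' sh "$d"      # child inherits the umask
        ls -l "$d/f" | cut -c1-10
        rm -rf "$d"
    )
}

# Succeed when MASK leaves group or other write permission on new files.
umask_is_loose() {
    [ $(( 0$1 & 022 )) -ne 18 ]          # 18 decimal == 022 octal
}

# Print the umask a shell should use: root (UID 0) never keeps a loose one.
# Hypothetical helper, meant for root's shell startup file, e.g.:
#   umask "$(safe_umask_for "$(id -u)" "$(umask)")"
safe_umask_for() {
    if [ "$1" -eq 0 ] && umask_is_loose "$2"; then
        echo 022
    else
        echo "$2"
    fi
}

for m in 002 022; do
    echo "inherited umask $m -> new file $(mode_created_under "$m")"
done
echo "root with inherited 002 should use: $(safe_umask_for 0 002)"
```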
