Date:      Mon, 20 May 2002 00:16:15 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        Marcel Moolenaar <marcel@xcllnt.net>
Cc:        "Crist J. Clark" <cjc@FreeBSD.ORG>, Brian Somers <brian@Awfulhak.org>, arch@FreeBSD.ORG
Subject:   Re: Restricting umasks in periodic scripts 
Message-ID:  <200205192316.g4JNGFDV007627@hak.lan.Awfulhak.org>
In-Reply-To: Message from Marcel Moolenaar <marcel@xcllnt.net>  of "Sun, 19 May 2002 13:29:25 PDT." <20020519202925.GA17015@dhcp01.pn.xcllnt.net> 


> On Sun, May 19, 2002 at 12:45:12AM -0700, Crist J. Clark wrote:
> > 
> > As for -STABLE, I haven't really heard any complaints? Might be a bit
> > late to change the status quo before 4.6-RELEASE.
> 
> Wouldn't it be a POLA violation anyway or is there enough security
> concern to overrule POLA?

Well, I guess that's why I'm soliciting comments.

I personally set $daily_local in /etc/periodic.conf to run things.  
They're in the spirit of the existing periodic scripts - ie, they 
just report on things and don't update system files, but if people out 
there have been using $*_local to do other things like maintenance 
tasks, a restrictive umask may break things.

The flip side of the argument is that our security scripts were 
(until recently) creating world-readable temporary files in /var/run 
that contained things such as output from ipfw(8) - something that a 
non-privileged user shouldn't see.  If *we*'re doing this, our users 
are probably falling foul of the same sort of thing....

I'm leaning towards being cautious here.  People ``know'' that the 
default umask is 022.  If they write stuff that depends on that 
without explicitly setting the umask, I don't think it's up to us to 
surprise them.

> -- 
>  Marcel Moolenaar	  USPA: A-39004		 marcel@xcllnt.net

-- 
Brian <brian@Awfulhak.org>                    <brian@freebsd-services.com>
      <http://www.Awfulhak.org>                    <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !          <brian@[uk.]OpenBSD.org>
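
The trade-off discussed in the message above, as an added example that is not part of the original e-mail or of FreeBSD's periodic scripts: a report step that relies on the inherited umask leaves a world-readable file under 022, while a step that sets its own umask behaves the same whatever the caller uses. The function names, file names and sample contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration; all names and sample contents here are constructed.

# Permission string of a file, e.g. "-rw-r--r--" (avoids non-portable stat flags).
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Report step that relies on whatever umask it inherits.
# $1 = work directory, $2 = umask the caller happens to run with.
report_inherited() {
    (
        umask "$2"
        f="$1/report.inherited"
        rm -f "$f"
        echo "packet filter rules (constructed sample)" > "$f"
        perm_of "$f"
    )
}

# Same report step, but the script states its own umask before writing.
report_explicit() {
    (
        umask "$2"    # inherited value (simulated)
        umask 077     # the script's own choice, independent of the caller
        f="$1/report.explicit"
        rm -f "$f"
        echo "packet filter rules (constructed sample)" > "$f"
        perm_of "$f"
    )
}

# Maintenance-style step whose output must stay world-readable: it also
# states its umask, so a restrictive default in the caller cannot break it.
publish_explicit() {
    (
        umask "$2"
        umask 022
        f="$1/published.txt"
        rm -f "$f"
        echo "public notice (constructed sample)" > "$f"
        perm_of "$f"
    )
}

d=$(mktemp -d) || exit 1
echo "inherited, caller 022: $(report_inherited "$d" 022)"
echo "explicit,  caller 022: $(report_explicit "$d" 022)"
echo "publish,   caller 077: $(publish_explicit "$d" 077)"
rm -rf "$d"
```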


