From owner-freebsd-security Sun May 5 09:02:49 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA24402 for security-outgoing; Sun, 5 May 1996 09:02:49 -0700 (PDT)
Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id JAA24396 for ; Sun, 5 May 1996 09:02:47 -0700 (PDT)
Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id JAA20318; Sun, 5 May 1996 09:02:40 -0700
From: Nathan Lawson
Message-Id: <199605051602.JAA20318@kdat.calpoly.edu>
Subject: Re: dot.cshrc and weird umask value
To: nash@mcs.com
Date: Sun, 5 May 1996 09:02:39 -0700 (PDT)
Cc: security@freebsd.org
In-Reply-To: <199605051404.JAA01310@zen.nash.org> from "Alex Nash" at May 5, 96 09:04:49 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > Can anyone tell me why on FreeBSD (the same with BSD/OS) there is the umask
> > value 2 ???? This simply causes producing group writable files. Imagine the
> > person which created .forward file, anyone in his group can modify this to
> > reforward files or duplicate mails.
> >
> > This is in /usr/share/skel/dot.cshrc. I know that everyone can set proper
> > value of umask but some not experienced users do not know about it. And even
> > experienced administrators believe that the distribution skeleton files are
> > good enough to copy them into user directory. Is there a reason for this ????
>
> UNIQ GROUP
>
> This model of uid/gid administration allows far greater flexibility than
> lumping users into groups and having to muck with the umask when working
> in a shared area.
>
> I have been using this model for almost 10 years and found that it works
> for most situations, and has never gotten in the way.

(Rod Grimes)

Unfortunately, this solution does not scale well to an enterprise-wide
network as your groups file grows ever larger. Remember it's not hashed
like the pwd.db, and that's reason enough for me to have modified adduser
to not support that scheme.

-- 
Nate Lawson                "There are a thousand hacking at the branches of
CPE Student                 evil to one who is striking at the root."
CSL Admin                       -- Henry David Thoreau, 'Walden', 1854
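The exposure the thread describes (a skeleton umask of 002 leaving a freshly created ~/.forward group-writable) can be checked directly; the script below is an added example, not code from this thread or from FreeBSD, and the function names and the scratch directories it creates are its own.

```sh
#!/bin/sh
# Added example: show what the skeleton umask does to a new ~/.forward and
# audit home directories for group-writable .forward files.

# mode_under_umask UMASK
# Create a .forward in a scratch directory under the given umask and print
# its permission bits in octal: 664 for umask 002, 644 for umask 022.
mode_under_umask() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/umask.XXXXXX") || return 1
    # The subshell keeps the umask change from leaking into the caller.
    ( umask "$1"; : > "$dir/.forward" )
    # GNU stat first, BSD stat (FreeBSD) as the fallback.
    mode=$(stat -c %a "$dir/.forward" 2>/dev/null \
        || stat -f %OLp "$dir/.forward")
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# audit_forward HOMEDIR...
# Print the path of every HOMEDIR/.forward whose group-write bit (020) is
# set: exactly the file a fellow group member could rewrite to redirect
# or duplicate that user's mail.
audit_forward() {
    for home in "$@"; do
        f="$home/.forward"
        [ -f "$f" ] || continue
        find "$f" -maxdepth 0 -perm -020 2>/dev/null
    done
}

# Typical use: compare the two umasks, then sweep all home directories.
#   mode_under_umask 002; mode_under_umask 022
#   audit_forward /home/*
```

Run audit_forward over /home/* (or /usr/home/* on FreeBSD) to find accounts whose .forward is writable by their group; a non-empty listing is the condition the original question warns about.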