umask help
Woodchuck
djv at bedford.net
Fri Aug 25 00:21:14 PDT 2006
On Fri, 25 Aug 2006, George Goodman wrote:
> Hi all, I have now read a few books and am well on my way, thanks for
> all the help before.
>
> On my daily insecurity report I am getting:
>
> Checking root sh paths, umask values:
> /etc/profile /root/.profile
> Root umask is group writable
> Root umask is other writable
>
> I have spent a lot of time trying to discover what is wrong.
> Previously I tried changing the umask from 022 to 0022 to see if that
> would sort things out, but no.
umask 022 and umask 0022 are the same. But this is not your problem.
>
> Checking root sh paths, umask values:
> /etc/profile /root/.profile
> Root umask is group writable
> Root umask is other writable
I've tried like hell to duplicate this problem, but cannot on
a default 3.9 system. However, I have had it in the past.
I conclude that your problem is that you have an /etc/profile
file and that a umask of 0 or something else 'bad' is set therein.
If you don't have an /etc/profile file (I do not, for example),
then I cannot guess the source of your error, without more work,
and I'm nodding off.
Do tell me if the problem is in /etc/profile
BSD 3.9 does not ship with a default /etc/profile, however old
versions of BSD did, I think. If I put the version of /etc/profile
that I was running under 3.1 [it was lying around on the floor]
into /etc, then I get your error message. But I may have hacked
that file (did hack it, just can't remember where). This /etc/profile
may have shipped with bash, I used to use bash.
(Current NetBSD 3.0.1 ships with an /etc/profile, but it only
has a couple of comments in it.)
The /etc/security script is *naive* in the way it decides what root's
umask is. It is *guessing*. (In my old profile, I had branches based
on uid, so that users got one umask (002) and root got 022. The script
doesn't discriminate. [Study the script, it's fun.])
> So as you can see, my umask is set to 0022 (was 022) which I thought
> was correct. The reading I have done suggests that a umask of 022 sets
> directory permissions of 755 and file permissions of 644.
Strictly speaking, no, the umask doesn't set perms. It is a mask
for perms for chmod(2) and other system calls. The effect is as
you say though. The difference is subtle, but remember it for the
future.
> From what I understand 755 on a directory will give owner full access,
> and others read and execute (browse) but no write. Likewise on files,
> 644 gives owner read and write, and others read only. Have I
> misunderstood something?
No.
Call the "owner" the "user" -- this is bizarre unix terminology.
It's "Owner Group World" in VMS and I think some other OS (windoze
NT maybe?), but "User Group Other" in Unix. VMS had better nomenclature
in this area. Confusing the nomenclature can bite you when using
the symbolic mode in the chmod(1) command. But real men use octal
anyway.
If you want, you can put debugging statements in the /etc/security
script or turn on command echoing (man sh(1), see "set +x" and
related sets.)
Something to recall at this point is that new users get their .profile
and such from files in /etc/skel. That's irrelevant to this problem,
but browse those files before you create new users, to ensure that they
are as you wish, and guard them against updates of the OS.
Dave
--
Experience runs an expensive school, but fools will learn in no other.
-- Benjamin Franklin
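An added example, not part of the thread above: it shows the mask arithmetic Dave describes (022 and 0022 clear the same bits; the result is mode & ~umask, not a permission that gets "set"), and how a first-match guess at a profile's umask can misreport a uid-branching profile. The profile is constructed, and naive_umask is an assumed stand-in for the kind of guess described, not the real /etc/security code.

```shell
#!/bin/sh
# Added example, not from the thread: how a umask masks a requested mode,
# and why a grep-style guess at "root's umask" in a profile can misreport.

# apply_umask REQ MASK: what open(2)/mkdir(2) leave after clearing the
# mask bits (mode & ~umask). Leading zeros are harmless: 022 == 0022.
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# A umask leaves a class writable when its write bit is NOT in the mask.
group_writable() { [ $(( 0$1 & 020 )) -eq 0 ]; }
other_writable() { [ $(( 0$1 & 002 )) -eq 0 ]; }

# naive_umask FILE: take the first "umask NNN" in the file, ignoring which
# if-branch it sits in. Assumed stand-in for the kind of guess the thread
# describes, not the real /etc/security code.
naive_umask() {
    sed -n 's/^[[:space:]]*umask[[:space:]][[:space:]]*\([0-7][0-7]*\).*/\1/p' "$1" |
        head -n 1
}

# actual_umask FILE: source the file in a subshell and read the real result.
actual_umask() { ( . "$1" && umask ); }

# Constructed profile in the spirit of the uid-branching one in the thread.
PROFILE=$(mktemp)
trap 'rm -f "$PROFILE"' EXIT
cat > "$PROFILE" <<'EOF'
# constructed sample profile: ordinary users get 002, root gets 022
if [ "$(id -u)" -ne 0 ]; then
    umask 002
else
    umask 022
fi
EOF

echo "666 under 022  -> $(apply_umask 666 022)"    # 644
echo "777 under 022  -> $(apply_umask 777 022)"    # 755
echo "777 under 0022 -> $(apply_umask 777 0022)"   # 755, same mask
echo "naive guess from profile: $(naive_umask "$PROFILE")"
echo "umask after sourcing it:  $(actual_umask "$PROFILE")"
g=$(naive_umask "$PROFILE")
if group_writable "$g"; then
    echo "naive check would report: Root umask is group writable"
fi
```

Run as a non-root user, the sourced umask is 0002 while root would get 0022; the first-match guess always sees 002, which is exactly the kind of branch-blind report the thread describes.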