umask help

George Goodman georgegoodman at gmail.com
Fri Aug 25 02:57:26 PDT 2006


Hello Dave,

Thanks for the pointers...

> I've tried like hell to duplicate this problem, but cannot on
> a default 3.9 system.  However, I have had it in the past.
>
> I conclude that your problem is that you have an /etc/profile
> file and that a umask of 0 or something else 'bad' is set therein.

Ok, I looked through the various profile and .profile files on the
system. I find one .profile in / and another in /root. I am certain
the one in /root is the one that is having the effect because it is
where I have set the editor, and that is working.

(I have changed to mg by the way, so will spend some time practising on that)

> If you don't have an /etc/profile file (I do not, for example),
> then I cannot guess the source of your error, without more work,
> and I'm nodding off.

There is no /etc/profile file, but I have removed the umask setting in
my /root/.profile file and rebooted the machine. If I issue the umask
command, I get 0022, so I will wait till tomorrow to see what the
insecurity report says and report back.

> Do tell me if the problem is in /etc/profile

No, I think not.

> The /etc/security script is *naive* in the way it decides what root's
> umask is.  It is *guessing*.  (In my old profile, I had branches based
> on uid, so that users got one umask (002) and root got 022.  The script
> doesn't discriminate. [Study the script, it's fun.])

I have had a look see. There seems to be no mention of bash there, so
maybe I have messed something up by installing bash?

> Strictly speaking, no, the umask doesn't set perms.  It is a mask
> for perms for chmod(2) and other system calls.  The effect is as
> you say though.  The difference is subtle, but remember it for the
> future.

Ok, I understand completely, thanks.

> Call the "owner" the "user" -- <snip> "User Group Other" in Unix.

Cool, thanks.

> If you want, you can put debugging statements in the /etc/security
> script or turn on command echoing (man sh(1), see "set +x" and
> related sets.)

I may do this tomorrow if all is still not well.

> Something to recall at this point is that new users get their .profile
> and such from files in /etc/skel.  That's irrelevant to this problem,
> but browse those files before you create new users, to ensure that they
> are as you wish, and guard them against updates of the OS.

Thanks, will do... I am still very much "playing" on a test machine
that only I have access to, so as I work through all the stuff I will
eventually get to users. Fortunately there will only ever be very few
admin users, so that side is not too much stress for me.

The book Absolute OpenBSD is excellent, thanks whoever recommended it,
and now I am half way through "FreeBSD and OpenBSD Security" from
O'Reilly and that too seems excellent. I am really enjoying OBSD, and
find it MUCH more confidence inspiring than Linux. I'm glad I finally
have a chance to enjoy my work so much, windoze was always a boring
burden.

Cheers,

GG.

