umask help
Woodchuck
djv at bedford.net
Fri Aug 25 08:03:00 PDT 2006
On Fri, 25 Aug 2006, George Goodman wrote:
> Hello Dave,
>
> Thanks for the pointers...
>
> > I've tried like hell to duplicate this problem, but cannot on
> > a default 3.9 system. However, I have had it in the past.
> >
> > I conclude that your problem is that you have an /etc/profile
> > file and that a umask of 0 or something else 'bad' is set therein.
>
> Ok, I looked through the various profile and .profile files on the
> system. I find one .profile in / and another in /root. I am certain
> the one in /root is the one that is having the effect because it is
> where I have set the editor, and that is working.
But /etc/security checks several files. It does not decide which
one is in effect.
> (I have changed to mg by the way, so will spend some time practising on that)
>
> > If you don't have an /etc/profile file (I do not, for example),
> > then I cannot guess the source of your error, without more work,
> > and I'm nodding off.
>
> There is no /etc/profile file, but I have removed the umask setting in
> my /root/.profile file and rebooted the machine. If I issue the umask
> command, I get 0022, so I will wait till tomorrow to see what the
> insecurity report says and report back.
I have never seen a 4-digit umask. What shell are you using?
Your goal in all this is not to make /etc/security fall silent,
your goal is to have a secure umask for root.
You should set the umask you want deliberately.
Note that /etc/security doesn't know which shell you use, it just
checks certain files which are named right there in the script itself.
> > Do tell me if the problem is in /etc/profile
>
> No, I think not.
OK.
> > The /etc/security script is *naive* in the way it decides what root's
> > umask is. It is *guessing*. (In my old profile, I had branches based
> > on uid, so that users got one umask (002) and root got 022. The script
> > doesn't discriminate. [Study the script, it's fun.])
>
> I have had a look see. There seems to be no mention of bash there, so
> maybe I have messed something up by installing bash?
Have you installed bash? If you have and if it is root's shell,
then it is quite possible that
A hint: comments are another name for lie. Look at what the code
actually does. What it *ought* to do is run your default shell,
and see what the umask actually is, and report that. What it does do
is poke around with heuristics and make what appears to be a bad guess.
Your umask is what it is, not what /etc/security says it is.
/etc/security is not holy grail. Strictly advisory. But tracking
down this bug is fun.
You're running 3.9?
Dave
--
Experience runs an expensive school, but fools will learn in no other.
-- Benjamin Franklin
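
Added example, not part of the original message and not code from the /etc/security script: a sketch of the difference the reply describes between reading umask lines out of a profile file and asking a shell what its umask actually is. The function names and the sample profile (a uid branch like the one mentioned in the quoted text) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the /etc/security script): compares umask values that
# appear in a profile file with the umask a shell really ends up with.

# Heuristic: list every literal "umask NNN" found in the file ($1).
declared_umasks() {
    sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{1,\}\).*/\1/p' "$1" |
        tr '\n' ' ' | sed 's/ $//'
}

# Measurement: source the file ($1) in a fresh sh and print its umask.
effective_umask() {
    sh -c '. "$1" >/dev/null 2>&1; umask' sh "$1"
}

# True when the octal value ($1) masks group and other write (bits 022).
umask_is_safe() {
    [ $(( 0$1 & 022 )) -eq $(( 022 )) ]
}

# Constructed sample: one umask for root, another for everyone else.
make_sample_profile() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
if [ "$(id -u)" -eq 0 ]; then
    umask 022
else
    umask 002
fi
EOF
    printf '%s\n' "$f"
}

# Print both views for a profile file ($1).
report() {
    for m in $(declared_umasks "$1"); do
        if umask_is_safe "$m"; then v=ok; else v=weak; fi
        echo "declared  $m  $v"
    done
    m=$(effective_umask "$1")
    if umask_is_safe "$m"; then v=ok; else v=weak; fi
    echo "effective $m  $v (uid $(id -u))"
}

p=$(make_sample_profile) && report "$p"
rm -f "$p"
```

Run as root, the declared view still lists 002 as weak even though the effective umask is 022, which is the kind of mismatch a file-scanning check produces when a profile branches on uid.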