:: Re: [DNG] Subject: Re: useradd defa…
Top Pagina
Delete this message
Reply to this message
Auteur: Boruch Baum
Datum:  
Aan: dng
Onderwerp: Re: [DNG] Subject: Re: useradd defaults
On 04/05/2016 01:33 AM, Robert Storey wrote:
>>> I'm getting a bit uncomfortable about starting this thread, because upon
>>> reflection, it seems that one consequence of setting the system-wide may
>>> be that the 027 umask will end up having some system account creating a
>>> file that should be world-readable or world-executable, but because of
>>> the umask, it now would not be, and so would break stuff. My intent was
>>> to protect data of one user from other users, which could be done by
>>> making the change in .profile or even in the default .bashrc.
>>>
>>
>> I was actually waiting for somebody to realise this before answering
>> your email. In a "Universal OS" there is much more than the
>> preferences of single specific users, or specific applications, or
>> specific environments. There is the necessity to accommodate a huge
>> number of different scenarios and use cases. In short, that's why you
>> have the umask set by default to 022. Any user can change this
>> behaviour to a more restrictive one, if they need so.
>
> Yes indeed - permission errors are among the most common difficulties that
> inexperienced users encounter when they first start with Linux. Long ago, I
> tried setting my own umask to 077, thinking that it would enhance my
> security. Didn't occur to me until later that it broke all the web pages I
> created and uploaded to my site, since no one but me could read them. Once
> I realized it, I was able to fix the problem with chmod, but it was easy
> enough to forget to do that when creating a new page, and I eventually
> decided the only sane solution was to go back to umask 022, which was the
> default.
>
> I ran into the above problem after I'd been using Linux for about five
> years, and I understood the cause once somebody complained to me that he
> couldn't read my site even though I still could. However, had I run into
> this difficulty earlier in my Linux career, I probably would not have been
> able to figure out the cause, and would have concluded that "Linux is no
> good." So I favor keeping the default umask at 022, and let users tweak
> their own .bashrc and .profile if they want more restrictive security.
>
> cheers,
> Robert

You and others on the list misunderstood my comment. I stand by my
original proposal to change the /etc/profile to either 027 or 077, for
the benefit of user accounts. My reservations arose when someone else on
the list 'corrected' me and suggesting applying that to pam_session
which I understand would apply it to system accounts also. On a
multi-user system like in real life your 'stuff' should be private until
you decide to make it public.


--
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0