Explicit advice to choose a secure umask

Eric V. Smith eric at trueblade.com
Fri Aug 1 12:11:54 UTC 2014 

On 8/1/2014 4:10 AM, Ben Finney wrote:
> On 01-Aug-2014, Ethan Furman wrote:
>> It is certainly better than the status quo, but I must admit I don't
>> understand why you place more importance on following a now
>> known-to-be-insecure default rather than going with a
>> secure-by-default design.
> 
> The default of “set the umask to 0” was always known to produce an
> insecure program; that's exactly why there is a parameter to set an
> explicitly-chosen umask value as chosen by the daemon programmer.
> 
> The default of 0 is because there is no unambiguous, obvious single
> value to set instead. The reason given in the Stevens reference is
> because the programmer is assumed to know better than the library what
> mode to create files with.
> 
>> If a daemon user needs world-writable files it is not hard to change
>> the daemon umask setting to 0, but by having it be something else,
>> such as 077
> 
> There's no single umask value which makes sense by default. If you
> know of one, I will need more than anecdote or personal preference, I
> will need to see substantial evidence in favour of daemon programmers,
> on all Unix variants Python supports, expecting *one specific*
> behaviour over all others.
> 
> Moreover, “set the umask to 0 and let the specific daemon program
> decide for itself” is the conventional behaviour for Unix daemons
> everywhere I've seen. We're implementing conventional behaviour for
> Unix daemons.
> 
> So that's a strong reason not to deviate from that without a clearly
> better setting — and “something else, such as foo” is not a clear
> mandate for that specific value.
> 
>> then all who are ignorant of the trap still won't fall into it
> 
> So the best I can get from that is that you'd prefer no default, and
> instead raise an exception if no umask value is specified. Yes?

I do think raising an exception if no umask were supplied would be
preferable to an insecure default, even one that's documented as such. I
realize you're looking for more than random opinions, but I'm not sure
where you'd find that. But here's my random opinion: 077 would be a
reasonable default.

I've read Stevens (and my claim to fame: answered a question of his on a
mailing way back in the day), and frankly the insecure umask issue
completely escaped me.

Eric.

More information about the python-daemon-devel mailing list