Explicit advice to choose a secure umask
Ethan Furman
ethan at stoneleaf.us
Sat Aug 2 01:14:55 UTC 2014
On 08/01/2014 01:10 AM, Ben Finney wrote:
> On 01-Aug-2014, Ethan Furman wrote:
> The default of “set the umask to 0” was always known to produce an
> insecure program;
Known by whom? I certainly didn't know it.
> The default of 0 is because there is no unambiguous, obvious single
> value to set instead. The reason given in the Stevens reference is
> because the programmer is assumed to know better than the library what
> mode to create files with.
And when the programmer doesn't, why should the default be to create a security hole?
>> If a daemon user needs world-writable files it is not hard to change
>> the daemon umask setting to 0, but by having it be something else,
>> such as 077
>
> There's no single umask value which makes sense by default.
And yet you are fighting to keep the single default value that creates the biggest security hole.
> Moreover, “set the umask to 0 and let the specific daemon program
> decide for itself” is the conventional behaviour for Unix daemons
> everywhere I've seen. We're implementing conventional behaviour for
> Unix daemons.
Conventional behavior is fine until a good reason comes along to change the convention. I believe we have one.
>> then all who are ignorant of the trap still won't fall into it
>
> So the best I can get from that is that you'd prefer no default, and
> instead raise an exception if no umask value is specified. Yes?
No, I'd prefer a default of 077, but even an exception would be better than sticking with 0.
--
~Ethan~
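To make the effect under discussion concrete, here is a small added demonstration (not code from python-daemon, and not posted by either participant) of what the process umask does to files a daemon creates with the usual requested mode of 0666. Under a umask of 0 the file comes out world-writable; under 077 the same call yields 0600. The file name and the use of a temporary directory are this example's own choices.

```python
import os
import stat
import tempfile


def effective_mode(requested_mode: int, umask: int) -> int:
    """Permission bits the kernel leaves on a new file: requested & ~umask.

    This is the arithmetic open(2)/creat(2) apply; the function lets the
    result be predicted without touching the filesystem.
    """
    return requested_mode & ~umask & 0o777


def create_file_with_umask(umask: int, requested_mode: int = 0o666) -> int:
    """Create a file under `umask` and return the mode bits actually applied.

    os.umask() is process-wide (it is not per-thread), so the previous value
    is restored on the way out, whatever happens in between.
    """
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmpdir:
            # Hypothetical daemon output file; the name is this example's own.
            path = os.path.join(tmpdir, "daemon-output.log")
            # open(2) with O_CREAT takes the requested mode and masks it with
            # the process umask; this is what a plain open(path, "w") does too.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)


def is_world_writable(mode: int) -> bool:
    """True if any other user on the host can write the file."""
    return bool(mode & stat.S_IWOTH)


def is_group_or_world_accessible(mode: int) -> bool:
    """True if the file is readable, writable or executable by group or others."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    # Compare the three umask values mentioned in the thread and a common
    # interactive default (022) side by side.
    for umask in (0o000, 0o022, 0o077):
        mode = create_file_with_umask(umask)
        print(
            f"umask {umask:04o}: file mode {mode:04o} "
            f"world-writable={is_world_writable(mode)} "
            f"group/other-accessible={is_group_or_world_accessible(mode)}"
        )
```

The same masking applies to directories, sockets and FIFOs the daemon creates, and to anything created by libraries it calls, which is why a umask of 0 quietly propagates to every file the program touches unless each call site passes a restrictive mode itself.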