possible security issue

Ben Finney ben+python at benfinney.id.au
Wed Jul 16 04:27:22 UTC 2014 

On 15-Jul-2014, Michael Hrivnak wrote:

> The summary is that worker daemon processes in celery by default
> will change their umask to 0. Then if they create new files, those
> files will be world-writable. Looking at PEP 3143, it seems that
> python-daemon may also have a default umask of 0.

Yes, this is a specific mandate from the primary source for standard
Unix daemon behaviour. As cited in PEP 3143, the library follows “Unix
Network Programming”, W. Richard Stevens, 1994 Prentice Hall. Section
2.6 of that book details the behaviour a properly-behaving Unix daemon
should execute.

In particular:

    Reset the File Access Creation Mask

    A process inherits its file access creation mask from its parent.
    A daemon should execute:

        umask(0);

    to reset this mask. This prevents any files created by the daemon
    from having their access bits modified. …

> Zero is is not a safe or expected default.

It is the only expected default I know of; the Stevens book is the
canonical source for expected behaviour of Unix daemons, AFAIK.

> The safe default is for a process to not change its inherited umask
> unless explicitly directed to do so. Having a setting to change it
> is fine, but the default behavior should be "no change".

That would contradict the standard reference text, as far as I can see.

> The impact of this behavior is that unless a user knows to
> explicitly set a safe umask on their daemon processes, they could
> end up with world-writable files without realizing it.

I can modify the documentation to make clear that this is standard
behaviour. Can you suggest wording?

-- 
 \      “At my lemonade stand I used to give the first glass away free |
  `\          and charge five dollars for the second glass. The refill |
_o__)                            contained the antidote.” —Emo Philips |
Ben Finney <ben at benfinney.id.au>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/python-daemon-devel/attachments/20140716/f4acf97a/attachment.sig>

More information about the python-daemon-devel mailing list