[sane-devel] Umask and xsane

Olaf Meeuwissen paddy-hack at member.fsf.org
Wed Aug 28 12:18:26 BST 2019

Hi Ralph,

Ralph Little writes:

> Hi,
> On Tuesday, August 27, 2019, 6:21:54 a.m. PDT, Richard Ryniker <ryniker at alum.mit.edu> wrote:
>> When a user changes to the scanner group in order to access the scanner,
>> it would be a security fault if his images can be seen by other users in
>> the scanner group. Therefore, when using the scanner, umask should be
>> set by default to preclude access by other group members to new image
>> files. If group access is desired, the user should explicitly arrange
>> that - by change to the umask value during scanning, or to file
>> attributes after scanning.

I would think such a scanner group would not be the user's primary
group.  Any files created by XSane (or any SANE frontend or backend for
that matter) on behalf of the user should use the user's primary group,
IMNSHO, *and* honour the user's umask, no matter how odd.

# You might want to warn about an insecure/odd umask but the user calls
# the shots.

Only *device* access should be treated specially as that is controlled
by the system's administrator.

> Yes, I did consider this. Sometimes we scan sensitive images that we
> would rather others could not see.

In that case, the user should be allowed to override the current umask
with something more suitable but I definitely consider that advanced

> However, the umask used for new images is settable in preferences.

Sounds good but personally I think the user's umask should be good

> This patch changes the hard-coded umask for other artifacts such as rc
> and preferences.

As mentioned above, I think there should be no hard-coded umask.  The
umask is a user policy setting and I believe the user should have the
final word on that.

> I suppose this change would prevent a rogue "scanner" group member
> from changing another member's preferences surreptitiously thus
> potentially revealing subsequent scan files.

*User* preferences should not be saved with group set to scanner, unless
that is the user's *primary* group.

> I'm sufficiently convinced to accept the change.

Sorry, haven't looked at the patch so don't know whether it should go in
or not.

Hope this helps,
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
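The policy argued for in the message above, as an added example that is not XSane code and not part of the original post: create user files requesting mode 0666 so that only the user's umask decides the result, warn about a permissive umask without overriding it, and report whether the new file landed in the user's primary group. The helper names and the sample path are hypothetical.

```c
/* Added illustration; helper names are hypothetical, not XSane's. */
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* umask() has no read-only form: set a strict value, then restore it.
 * Not safe while other threads are creating files. */
static mode_t current_umask(void)
{
    mode_t m = umask(077);
    umask(m);
    return m;
}

/* 1 if new files would be readable or writable by group or others.
 * Grounds for a warning only; the user's setting is left alone. */
static int umask_is_permissive(mode_t m)
{
    return (m & 066) != 066;
}

/* Create path requesting 0666, so the umask alone decides the mode.
 * Returns the permission bits or -1. *primary becomes 1 if the file's
 * group is the user's primary group, 0 if not, -1 if no passwd entry. */
static int save_honouring_umask(const char *path, int *primary)
{
    struct stat st;
    struct passwd *pw = getpwuid(getuid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    close(fd);
    *primary = pw ? (st.st_gid == pw->pw_gid) : -1;
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    const char *path = "/tmp/umask-demo.rc"; /* constructed sample path */
    int primary = -1, mode;
    if (umask_is_permissive(current_umask()))
        fprintf(stderr, "warning: umask leaves new files open to group/others\n");
    mode = save_honouring_umask(path, &primary);
    if (mode < 0)
        return 1;
    printf("mode %03o, primary group: %d\n", (unsigned)mode, primary);
    return unlink(path) != 0;
}
```

On Linux a new file takes the process's effective group unless the directory is setgid, so running this after `newgrp` to a supplementary group reports `primary group: 0`.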
