New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Restrict umask to 027 except for sudo/root broken #185
Comments
because broken because this also happens for root while it should not #185
Disabled just now in git. |
What happens when you run the command
Expected is:
I don't get how this works normally on a qubes vm but not normal debian. What is the content of /etc/pam.d/common-session under qubes? Does it differ from the normal one? |
Why don't we just set this same umask for the root account too? I don't think it too much of a stretch to assume that a system admin that creates and maintains configurations files can set the file permissions manually. But if we want to keep this thing, we can just do this basically.
This would set the umask value for all non root accounts to 0077 and root to 0022. In addition to this, we should not get rid of the pam module. Keep it and set it also to 0077. It gets overriden by /etc/profile anyway, and I think (not being certain) /etc/profile does not set the umask value for system daemons whereas the pam module does that too. I can create a pull if this works. |
Root creating files not readable by "others" by default is a problem because it breaks many instructions on how to create any config files or scripts as root that exist for Linux. Not only the file creation needs to be done but also file permissions need to changed after that. For example adding an APT source would be ignored by APT because the sandboxed user under which APT is running cannot read the file. By extension it breaks many scripts / installers because these are basically just automation of "touch /etc/file", "echo something > /usr/bin/script" and so forth because these are as if root typed these commands by hand. This can involve many files and the installer doesn't inform the user about each file. Fixing file permissions after that would be very hard even for system administrators. For example, this broke derivative-maker creating an APT sources list file which then APT could not read, which was a confusing and time consuming bug to diagnose. The actual fix was just 1 line to fix the permissions so that doesn't really demonstrate the effort needed to fix it. Pretty much all tools, installers assume default umask except puppet, salt and alike. This is similar to #147 which broke a lot things which nobody could foresee. Most recent example is that it broke Calamares. /etc/profile.d isn't the right mechanism because it is ignored in more situations than I can remember now. Some only come up after an issue is happening. But situations in which /etc/profile.d is ignored include
If we cannot do this reliably so the user can trust that this works, we better shouldn't do a half implementation because a user trusting this to work could end up with a security issue when this is ignored in some environments. PAM seems to be the most suitable mechanism because it's used for all sorts of logins. |
We won't drop pam. Pam will enforce 0077 for everyone, including all these in the list. Then for the human root, we will have 0022. This is not a bug, this is what we want. The only valid concern in the list is ssh, which is also not valid, because we block this functionality anyway, as we should. A workstation should have a remote root login functionality, especially a secure one. But if desired, umask for ssh can be set separately too. |
I still think this needs to be done with PAM as this is the universal way to set this without a lot of application specific exceptions. And the PAM way hasn't been exhausted yet. This is just my general development philosophy to first exhaust the seemingly proper fix before adding lots of workarounds, hacks to accomplish the same. Because all of the exceptions, bug reports coming later are otherwise becoming a unmanageable mess. monsieuremre:
It's a universal OS. Not a desktop-only (workstation) OS.
If changing the defaults for systemd units (how to even do that?) then this could lead to a lot unforeseeable issues. So the scope in your opinion is to change default umask for both human and daemons? related: |
Make the umask 0077 for all daemons and humans, then manually set the umask 0022 for the root account for human logins. |
daemons: Did you ever see a daemon that uses insecure umask / creates files with insecure permissions? -> Please check for / report bug(s) upstream. |
I raise the same logic. Have you ever seen a daemon break because of the system umask because it doesn't set its own umask explicitly whenever its important? No? If yes, we gotta open an issue there. So this is not a blocker. |
monsieuremre:
> daemons: Did you ever see a daemon that uses insecure umask / creates files with insecure permissions? -> Please check for / report bug(s) upstream.
I raise the same logic. Have you ever seen a daemon break because of the system umask because it doesn't set its own umask explicitly whenever its important? No? If yes, we gotta open an issue there.
So this is not a blocker.
I am rejecting the burden of proof reversal in this case.
Evidence is needed that there is an issue instead. If there is an issue,
we can fix it. If there's no issue, no unnecessary system modifications
should be piled up because these might worsen maintainability.
Speaking of evidence for issues. Do you have any use case where the
current home folder lockdown and user private groups (UPGs) is
insufficient. Any cases where users created file somewhere which are
readable by 'others' while these should not be?
|
I don't mean to imply any burden of proof. I just wanted to state that it should not be a problem. And as an example to how it makes sense. Like root privileged services having temp files that are not set with good permissions is just one example. A universal solution is more inclusive than individually setting private tmp folder config for services manually one by one. |
Any specific examples? |
I am not sure what you mean by examples. But I want to at least say this once again, we should set the umask for the root account as well. I do not understand the appeal. I think setting the umask for the root is the most important of them all. Any use cases like system administration requires declaring file permissions when creating them. Any files that are installed with a package are also set with their own umasks not with roots umask. Debian also recommends settings 0077 for the root account in their securing guide. The same goes for redhat too. I think we are just better of with setting 0077 globally, and I don't think any breakage will occur at all. |
I mean sir, these problems are caused because the files are touched without specifying the file permissions, which it should have been done especially the source stuff. The apt problem is caused because there is no file at all, not because the permissions are set wrong. The tor browser is caused because the package should set file permissions but it does not. Like this can be solved within the package easily. Debian packages set file permissions dynamically. I have been using 0077 umask for all accounts and I for one have not experienced any issue so far. Of course, anecdotal evidence, means nothing. But still. |
I am afraid, that's insufficient. Also wasn't expected to cause a lot of breakage as referenced there. And if something breaks in complicated, time-consuming ways, nobody is available to pick up the pieces such as: Hence, I am careful with changes. So what's the way forward? Work with upstream. That is, a feature request against Debian and/or other Linux distributions. Purpose of such a feature request:
Non-purpose of such a feature request:
I'll be sending feature request
The packaging did everything correctly. The user didn't set correct permissions for custom configuration files in /etc. Read right for
Happened because file was not readable because not readable by |
Debian feature request: |
Yeah the cause of the problem there is noexec tho, not libpam-tmpdir. Libpam-tmpdir just makes sure that everyone can only acces their own temp files only. And if it breaks anything (it won't), than that program is very poorly written at best at malicious at worst. There is no legit reason to access other user's tmp files. |
monsieuremre:
> wasn't expected to cause a lot of breakage as referenced there. And if something breaks in complicated, time-consuming ways, nobody is available to pick up the pieces such as:
Yeah the cause of the problem there is noexec tho, not libpam-tmpdir. Libpam-tmpdir just makes sure that everyone can only acces their own temp files only. And if it breaks anything (it won't), than that program is very poorly written at best at malicious at worst. There is no legit reason to access other user's tmp files.
Problem is there's many such programs and we don't have capacity to
patch these programs upstream.
|
Currently umask is set to
027
(read, write for owner and group only).(Group is OK because Debian uses
usergroups
by default,UPG
(UserPrivateGroups)).This however should not be the case for files created by root as this is super confusing, causing issues when creating files in
/etc
(or/usr
) as these won't be readable by applications normally suppose to be able to read these running as non-root. That part is broken.Therefore unfortunately this feature has to be reverted until this can be fixed.
This was discussed before here:
The following unfortunately has to be removed.
/usr/share/pam-configs/umask-security-misc
I cannot even just out-comment it to make it easier to tinker as folder
/usr/share/pam-configs
does not support comments. Populating/etc/pam.d
from/usr/share/pam-configs
is a Debian / Ubunut feature.Command for testing:
I tried various stuff to fix it:
Session-Interactive-Only: yes
This issue is only happening in non-Qubes. Not reproducible in Qubes Debian. This might be because Qubes login session work differently. This is probably also why I did not spot this issue beforehand.
Contributing: I don't necessarily need the config snippet for
/usr/share/pam-configs
as I might be able to figure that out but the config snipped required for/etc/pam.d
would very useful.The text was updated successfully, but these errors were encountered: