RFE: global umask support #901
Comments
|
This sounds like it would make a mess. If anything can be hardened, it should be, but just setting this globally will surely confuse daemons that expect the current default, no? |
|
I would give administrator freedom what approach he wants to take. I personally would harden the umask globally and for daemons which would not like it I could go back to the original umask by adding UMask to the service file. |
|
Every now and then I wish global configuration snippet that is included into every unit. That would cover this nicely. |
|
I am really not convinced that having a global default option for the umask here would be a good idea. This really interferes with the execution context for services, and we should really guarantee a fixed, documented default for this for all services, so that unit files are portable between installations and software doesn't break in unexpected ways because umask defaults to different values in different installations. Also, many daemons override the umask anyway, hence making this configurable has a questionnable effect anyway... So, I don't think we want this, sorry! @arvidjaar we initially had plans of allowing a global per-unit-type include file for setting defaults, but after discussing this a couple of times we came to the conclusion that we should probably not do that. One reason is the one mentioned above, but another one is that a couple of the global options should be defaults for units, but others should also apply to PID 1. We thus decided to expose the global options in system.conf explicitly and do this on a per-case basis, where it makes sense. For example, we exposed CapabilityBoundingSet= as something that applies to PID 1 and the children, CPUAffinitey= similar, but DefaultLimitCPU= and friends only applies to forked of services, not to PID 1 itself... Basically the ones carrying "Default" in the name are the ones that are just defaults for units, but do not apply to PID 1, but the ones without it apply to all process including PID 1... Anyway, long story short, I am happy to expose more global options in system.conf, but I'd really like to do this on a per-case basis, and firstly ensure that the option is an option where it really makes sense to have a global default, and secondly ensure that if we expose it we think long enough about whether it should apply to PID 1 and the daemons, or just the daemons. Hope that makes sen. @arvidjaar Are you missing any options you'd like to set globally? Closing this bug now, since I am really not convinced that UMask= should be one that should be globally configurable. |
I actually thought about it as a mean to add global dependency (sort of "this unit starts before everything else") but I realize this probably will not work anyway. |
|
@poettering The global umask of a system needs to be decided by policy, not by a compiled-in default. Right now, there seems to be no way to make that policy decision because systemd does not support setting the default umask. Instead, it enforces 022 as the only, globally valid umask and defers implementing different policies to each service. It is easy to see how that fails, just by looking at the various invocations of umask in all sorts of shell startup and configuration files. Basically, it is a total mess because shells often come with global initialization files which set some umask (often 022, but then sometimes not). |
|
fwiw → https://bugzilla.gnome.org/show_bug.cgi?id=780622#c44 → where security issue is mentioned And → https://bugzilla.gnome.org/show_bug.cgi?id=780622#c49 → in fedora we're going to start adding pam_umask to the default pam configuration so admins can edit /etc/login.defs |
With upstart and RHEL6 you could set default umask for spawned services globally. This made it easy to harden all system services . Current workaround is to set umask for all daemons and copy the service files to /etc what is a bit cumbersome.
Would be nice if the default 022 umask could be altered globally.
The text was updated successfully, but these errors were encountered: