6397046 2001-04-20 15:41 -0500  /40 lines/ Drew Jones <drewj@DOR1.LIB.UNI.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-04-22  20:46  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: drewj@DOR1.LIB.UNI.EDU
Recipient: Bugtraq (import) <16702>
Subject: Redhat 7 insecure umask
------------------------------------------------------------
From: Drew Jones <drewj@DOR1.LIB.UNI.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200104202041.PAA01007@dor1.lib.uni.edu>

Problem:
  Users of Redhat 7 may have their umask set insecurely while acting as root.

Severity:
  Medium/Low

Description:
  The Redhat useradd script creates a group for the new user with the
same name as the username by default.  When the user logs in, any
shell that uses /etc/profile will set the umask to 002 if the user's
username and groupname match and their uid is greater than 14.  If
the user then issues su to become root without specifying the -l
option the root account inherits the umask of 002.  As root the user
may then create files with somewhat insecure permissions.  Redhat
seemed to understand that system users should have a umask of 022,
because /etc/profile will set the umask that way for users logging in
with a uid less than 14, but they forgot about su.

The offending lines in /etc/profile:
...
if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
        umask 002
else
        umask 022
fi
...

The fix:
  Get rid of the if-statement in /etc/profile and replace it with
'umask 022' (no quotes).


Andrew Jones
-------------
Computer Science and Physics student at the University of Northern Iowa
(6397046) /Drew Jones <drewj@DOR1.LIB.UNI.EDU>/(Reformatted)
Comment in text 6403655 by Rebecca Kastl <rkastl@NEOHAPSIS.COM>
Comment in text 6404043 by Jim Knoble <jmknoble@JMKNOBLE.CX>
6403655 2001-04-22 14:30 -0500  /37 lines/ Rebecca Kastl <rkastl@NEOHAPSIS.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-23  23:36  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rkastl@NEOHAPSIS.COM
Recipient: Bugtraq (import) <16724>
Comment to text 6397046 by Drew Jones <drewj@DOR1.LIB.UNI.EDU>
Subject: Re: Redhat 7 insecure umask
------------------------------------------------------------
From: Rebecca Kastl <rkastl@NEOHAPSIS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0104221420060.16293-100000@7of9.neohapsis.com>

On Fri, 20 Apr 2001, Drew Jones wrote:

> Problem:
>   Users of Redhat 7 may have their umask set insecurely while acting
> as root.
>
> Description:
>   ...When the user logs in, any shell that uses /etc/profile will set
> the umask to 002 if the user's username and groupname match and their
> uid is greater than 14.  If the user then issues su to become root
> without specifying the -l option the root account inherits the umask
> of 002.... Redhat seemed to understand that system users should have a
> umask of 022, because /etc/profile will set the umask that way for
> users logging in with a uid less than 14, but they forgot about su.

Maybe I'm missing something here, but isn't the "problem" with su, not
/etc/profile?

From the su man page:

             -, -l, --login
              make the shell a login shell

If the shell is not a login shell, then neither /etc/profile nor any .*shrc
scripts are processed -- you merely assume the UID of the account you
are su'ing to.  To assume the complete environment of the account you
wish to impersonate, then you have to specify '-' or '-l' so that
environmental scripts are processed.


--Rebecca Kastl
(6403655) /Rebecca Kastl <rkastl@NEOHAPSIS.COM>/(Reformatted)
Comment in text 6409015 by Rebecca Kastl <rkastl@NEOHAPSIS.COM>
Comment in text 6409039 by Warren Young <warren@ETR-USA.COM>
6409015 2001-04-24 12:37 -0500  /36 lines/ Rebecca Kastl <rkastl@NEOHAPSIS.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-25  07:11  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rkastl@NEOHAPSIS.COM
Recipient: Bugtraq (import) <16756>
Comment to text 6403655 by Rebecca Kastl <rkastl@NEOHAPSIS.COM>
Subject: Re: Redhat 7 insecure umask
------------------------------------------------------------
From: Rebecca Kastl <rkastl@NEOHAPSIS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0104241200250.22781-100000@7of9.neohapsis.com>

On Sun, 22 Apr 2001, Rebecca Kastl wrote:

> From the su man page:
>
>              -, -l, --login
>               make the shell a login shell
>
> If the shell is not a login shell, then neither /etc/profile nor any .*shrc
> scripts are processed

Correction:  In the case of bash, if the '-' or '-l' option to 'su'
is not specified, then /etc/profile and ~/.bash_profile are not
executed.  The same holds true for ksh and sh in regards to
/etc/profile and ~/.profile, and /etc/profile and ~/.login for csh.

In the case of bash, /etc/bashrc and ~/.bashrc, and in the case of csh,
~/.cshrc will be processed, regardless.

In reference to the specific "problem" of su, the same holds true
even if one simply calls a shell without specifying that it be a
login shell.  So the problem isn't even specifically related to su --
it comes down to simply setting the 'umask' value appropriately and
having an understanding of how such values are handled depending on
your platform.

To paraphrase something a friend once told me, "being a [UNIX
administrator] is not an entry level skill, but it can easily be an
exit level skill."  Stay awake, stay employed.


--Rebecca Kastl
(6409015) /Rebecca Kastl <rkastl@NEOHAPSIS.COM>/(Reformatted)
6409039 2001-04-24 09:13 -0600  /28 lines/ Warren Young <warren@ETR-USA.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-25  07:33  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: warren@ETR-USA.COM
Recipient: Bugtraq (import) <16759>
Comment to text 6403655 by Rebecca Kastl <rkastl@NEOHAPSIS.COM>
Subject: Re: Redhat 7 insecure umask
------------------------------------------------------------
From: Warren Young <warren@ETR-USA.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3AE59822.41137804@etr-usa.com>

Rebecca Kastl wrote:
>
> On Fri, 20 Apr 2001, Drew Jones wrote:
>
> > Problem:
> >   Users of Redhat 7 may have their umask set insecurely while acting
> > as root.
>
> Maybe I'm missing something here, but isn't the "problem" with su, not
> /etc/profile?

su(1) on AT&T-derived Unixes fixes this: there's a file
/etc/defaults/su (IIRC) which sets certain user defaults whether you
do "su -" or just plain "su".  I've used both, but I think I prefer
the Red Hat way: it's more predictable because you know that without
the - you keep your current environment, and with it you overwrite
your current environment with the target user's.  With the AT&T way,
you don't know with plain "su" what your environment will look like
without looking at /etc/defaults/su first.

--
Warren
(6409039) /Warren Young <warren@ETR-USA.COM>/(Reformatted)
6404043 2001-04-22 17:05 -0400  /116 lines/ Jim Knoble <jmknoble@JMKNOBLE.CX>
Sent by: joel@lysator.liu.se
Imported: 2001-04-24  03:09  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jmknoble@jmknoble.cx
Recipient: Bugtraq (import) <16732>
Comment to text 6397046 by Drew Jones <drewj@DOR1.LIB.UNI.EDU>
Subject: Re: Redhat 7 insecure umask
------------------------------------------------------------
Circa 2001-Apr-20 15:41:05 -0500 dixit Drew Jones:

: Problem:
:   Users of Redhat 7 may have their umask set insecurely while acting
: as root.

Red Hat has documented its "user-private group" scheme with 002 umask,
and its rationale, since at least 1995.  Current documentation of that
for Red Hat Linux 7.1 is here:

  http://www.redhat.com/support/manuals/RHL-7.1-Manual/ref-guide/s1-users-groups-private-groups.html

This advisory implies that this is something new with Red Hat Linux
7.x; on the contrary, this practice dates back to at least Red Hat
Linux 2.1 from November 1995.

: Severity:
:   Medium/Low
: 
: Description:
:   The Redhat useradd script creates a group for the new user with the
: same name as the username by default.  When the user logs in, any
: shell that uses /etc/profile will set the umask to 002 if the user's
: username and groupname match and their uid is greater than 14.  If
: the user then issues su to become root without specifying the -l
: option the root account inherits the umask of 002.  As root the user
: may then create files with somewhat insecure permissions. Redhat
: seemed to understand that system users should have a umask of 022,
: because /etc/profile will set the umask that way for users logging in
: with a uid less than 14, but they forgot about su.
: 
: The offending lines in /etc/profile:
: ...
: if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
:         umask 002
: else
:         umask 022
: fi
: ...

I wouldn't call these "offending".  They actually work, just not for
'su'.  Perhaps "the partially effective lines in /etc/profile" or even
"The relevant lines in /etc/profile" would be a more accurate way of
saying it.

: The fix:
:   Get rid of the if-statement in /etc/profile and replace it with
: 'umask 022' (no quotes).

That fix, while effective, will negate the user-private group scheme.
Any one of the following solutions will work for default
configurations of Red Hat Linux without negating the user-private
group scheme:

  (1) [All versions of Red Hat Linux up to and including 7.1]

      In /root/.bashrc:

        umask 0022

      Since both bash-1.x and 2.x read and execute ~/.bashrc when a
      shell is interactive, regardless of whether it's a login shell,
      this will work for all cases where root's shell is /bin/bash
      (the default system setting).

      If root's shell is something other than /bin/bash, either change
      root's shell back to the default setting of /bin/bash, or modify
      the other shell's initialization files accordingly.

  (2) [All versions of Red Hat Linux from Red Hat Linux 4.2 up to and
       including 7.1; may apply to older versions as well]

      In /etc/bashrc, duplicate the partially effective 'if' statement
      from /etc/profile listed above.

      By default in Red Hat Linux, ~/.bashrc files (both /root/.bashrc
      and /etc/skel/.bashrc) read /etc/bashrc. This performs the same
      umask setting for interactive-but-non-login shells that the one
      in /etc/profile does for login shells.

      If root's shell is something other than the default /bin/bash,
      either change root's shell back to /bin/bash, or modify the
      other shell's initialization files accordingly.

  (3) [All versions of Red Hat Linux up to and including 7.1]

        su
        cd /bin
        mv su su.bare
        # the delimiter is quoted so that "$@" is written to the file literally
        cat >su <<'EOF'
        #!/bin/sh
        umask 0022
        exec /bin/su.bare "$@"
        EOF
        chmod 0755 su

  (4) [All versions of Red Hat Linux up to and including 7.1]
  
      Use sudo instead of su:
      
        http://www.courtesan.com/courtesan/products/sudo/
	
      sudo allows the default umask to be configured using the
      'Defaults umask' directive in /etc/sudoers; for example:

        Defaults umask = 0022

      If unspecified, the default umask is whatever was configured
      when sudo was built.

Cheers.

--  jim knoble | jmknoble@jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint:
31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
(6404043) /Jim Knoble <jmknoble@JMKNOBLE.CX>/(Reformatted)
Attachment (application/pgp-signature) in text 6404044
6404044 2001-04-22 17:05 -0400  /10 lines/ Jim Knoble <jmknoble@JMKNOBLE.CX>
Imported: 2001-04-24  03:09  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: jmknoble@jmknoble.cx
Recipient: Bugtraq (import) <16733>
Attachment (text/plain) to text 6404043
Subject: Attachment to: Re: Redhat 7 insecure umask
------------------------------------------------------------
(6404044) /Jim Knoble <jmknoble@JMKNOBLE.CX>/-------
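
Added example, not part of the original thread or of Red Hat's files: the umask inheritance discussed above and the wrapper approach of solution (3), reproduced without privileges. It assumes a child "sh -c" as a stand-in for the non-login shell that plain su starts, and a wrapper that execs an arbitrary command instead of /bin/su.bare; the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration: runs unprivileged in a throwaway temp directory.
# "sh -c" stands in for the non-login shell that plain "su" starts; like any
# child process it inherits the caller's umask.

# perms_of PATH: print the 10-character permission string from ls -ld.
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# inherited_perms MASK KIND: set MASK in the "session" subshell, create a
# file (or dir) from a child non-login shell, and report the resulting mode.
inherited_perms() {
    dir=$(mktemp -d) || return 1
    if [ "$2" = dir ]; then create='mkdir "$1"'; else create=': > "$1"'; fi
    ( umask "$1"; sh -c "$create" sh "$dir/new" )
    perms_of "$dir/new"
    rm -rf "$dir"
}

# wrapped_perms MASK: same, but the child is reached through a wrapper that
# resets the umask before exec, the approach of solution (3). The wrapper
# here execs an arbitrary command instead of su.bare (assumption for the demo).
wrapped_perms() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/wrapper" <<'EOF'
#!/bin/sh
umask 0022
exec "$@"
EOF
    ( umask "$1"; sh "$dir/wrapper" sh -c ': > "$1"' sh "$dir/new" )
    perms_of "$dir/new"
    rm -rf "$dir"
}

echo "umask 002 inherited, file: $(inherited_perms 002 file)"
echo "umask 002 inherited, dir:  $(inherited_perms 002 dir)"
echo "umask 022 inherited, file: $(inherited_perms 022 file)"
echo "umask 002 via wrapper:     $(wrapped_perms 002)"
```

The group-write bit on the first two results is what a root shell reached through plain su would apply to new files and directories when the calling session had umask 002.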