Re: [lmi] Is 'chmod 771' merely silly, yet not harmful?
From: Vadim Zeitlin
Subject: Re: [lmi] Is 'chmod 771' merely silly, yet not harmful?
Date: Tue, 18 Feb 2020 00:27:30 +0100
On Mon, 17 Feb 2020 23:12:34 +0000 Greg Chicares <address@hidden> wrote:
GC> On 2020-02-16 23:37, Vadim Zeitlin wrote:
GC> > On Sun, 16 Feb 2020 21:50:37 +0000 Greg Chicares <address@hidden> wrote:
GC> >
GC> > GC> Invoking 'install_redhat.sh' causes these commands to be executed:
GC> > GC>
GC> > GC> mkdir -p /srv/chroot/"${CHRTNAME}"
GC> > GC> chgrp lmi /srv/chroot/"${CHRTNAME}"
GC> > GC> chmod 2770 /srv/chroot/"${CHRTNAME}"
GC> > GC> umask 0007
GC> >
GC> > I'm curious, what's the reason for using such restrictive umask for the
GC> > "other" users, especially knowing that there aren't supposed to be any?
GC>
GC> If I spent an hour reading about coronavirus, and I had a face mask
GC> handy, I might start wearing it. (If I had read just enough, that is,
GC> to be ill informed; with more thorough knowledge, I'd realize that
GC> the main benefit of a face mask is to make an already-infected wearer
GC> less likely to infect others.)
GC>
GC> In this case, I read some articles claiming that a default 022 umask
GC> is too liberal, and 027 is more secure. Accordingly, I chose 007 here
GC> instead of 002. But tell me if you'd prefer 002 and I'll make it so.
I don't really have any preferences here, considering that you're telling
me that there are not going to be any other users on this system anyhow.
FWIW I also don't believe in relying on umask for security on really
multiuser systems, IMO setting 0700 mode on your home directory is both
enough and better anyhow. But OTOH I can't imagine any problems due to
using this umask on this system either.
Sorry for this non-answer but I really struggle to think of any reason to
either endorse or object to using this umask.
VZ
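
The following is an added example, not part of either message and not lmi's own code. It reproduces the quoted `chmod 2770` on a throwaway `mktemp` directory and reports the modes a new file and subdirectory receive under each umask named in the thread (022, 027, 002, 007). The function name `modes_under_umask` is hypothetical, and GNU or BusyBox `stat -c` on Linux is assumed.

```shell
#!/bin/sh
# Added example: effect of the quoted 'chmod 2770' + 'umask' on new entries.
# Works in a throwaway mktemp directory; nothing under /srv is touched.
# Assumes Linux with 'stat -c' (GNU coreutils or BusyBox).

# modes_under_umask MASK  (hypothetical helper name)
# Prints "<file-mode> <dir-mode>" in octal for a file and a directory
# created inside a fresh mode-2770 parent while the umask is MASK.
modes_under_umask() {
    (
        parent=$(mktemp -d) || exit 1
        chmod 2770 "$parent"      # same mode the quoted script applies
        umask "$1"
        : > "$parent/file"        # requested as 0666, then masked
        mkdir "$parent/dir"       # requested as 0777, then masked; the
                                  # setgid bit is inherited from the parent
        fmode=$(stat -c %a "$parent/file")
        dmode=$(stat -c %a "$parent/dir")
        rm -rf "$parent"
        echo "$fmode $dmode"
    )
}

# The four masks mentioned in the thread. The last octal digit of each
# result is what "other" users get; 027 and 007 leave it at 0.
for mask in 0022 0027 0002 0007; do
    printf 'umask %s -> file dir: %s\n' "$mask" "$(modes_under_umask "$mask")"
done
```

Because the parent is already mode 2770, "other" users cannot traverse into it under any of these masks; the umask only changes what they would see if an entry were later moved or copied, with its mode preserved, to a more open location.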