oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Fw: Security risk of vim swap files

From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 1 Nov 2017 10:32:41 -0600
One note on something a lot of people seem to be getting confused about:

umask is a mask that is applied to permissions when a file is created.

umask is NOT the reverse of the permissions your programs/etc are supposed
to create files with.

E.g.:

1) if I have a umask of 0002 I'm saying "never create a file that is
readable by 'other'"
2) if I have a umask of 0007 I'm saying "never create a file that is rwx by
'other'"
3) if I have a umask of 0077 I'm saying "never create a file that is rwx by
'group' or 'other'"

A umask of e.g. 0007 is NOT saying "create my files with rwxrwx----", it is
saying "remove 'rwx' from other when creating a file, I don't really care
what you do with user and group permissions"

So programs are free to create files with less permissions, e.g.
ssh-keygen, it creates files rw-r-----, minus whatever your umask is, so if
you apply a umask of 0077 you'll get files with rw-------- which is what
you' expect.

-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
Previous By Date Next
Previous By Thread Next

Current thread: