On Tue, 4 Oct 2022, Alex Henrie wrote:
> Daniel Kahn Gillmor suggested this exact change on the openssh-unix-dev
> mailing list in 2008, but I couldn't find any reply. [1]
>
> Ignoring the current umask makes it hard to fulfill the Defense
> Information Systems Agency's Security Technical Implementation Guide. In
> particular, it requires:
>
> "The Red Hat Enterprise Linux operating system must be configured so
> that all files and directories contained in local interactive user home
> directories have a mode of 0750 or less permissive." [2]
>
> "The Red Hat Enterprise Linux operating system must set the umask value
> to 077 for all local interactive user accounts." [3]
Thanks - applied with a slight tweak:
- umask(022);
+ umask(022 | umask(077));
which better matches what we do in sshd.
-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> Daniel Kahn Gillmor suggested this exact change on the openssh-unix-dev
> mailing list in 2008, but I couldn't find any reply. [1]
>
> Ignoring the current umask makes it hard to fulfill the Defense
> Information Systems Agency's Security Technical Implementation Guide. In
> particular, it requires:
>
> "The Red Hat Enterprise Linux operating system must be configured so
> that all files and directories contained in local interactive user home
> directories have a mode of 0750 or less permissive." [2]
>
> "The Red Hat Enterprise Linux operating system must set the umask value
> to 077 for all local interactive user accounts." [3]
Thanks - applied with a slight tweak:
- umask(022);
+ umask(022 | umask(077));
which better matches what we do in sshd.
-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev