Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH8yC8mWjOFAPe==ceGEfe=1sGpaicMRPwzdET61D04bJFa6fA@mail.gmail.com>
Date: Wed, 7 Oct 2020 22:09:43 -0400
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Debian FEATURE: /home/loser is with permissions
 755, default umask 0022

On Wed, Oct 7, 2020 at 3:20 PM Jeremy Stanley <fungi@...goth.org> wrote:
>
> On 2020-10-07 21:00:35 +0300 (+0300), Georgi Guninski wrote:
> > https://lists.debian.org/debian-security/2020/10/msg00000.html
> >
> > ===
> > /home/loser is with permissions 755, default umask 0022
> > on multiuser machines this sucks much.
> >
>
> It's tradition that on multi-user systems, users would want to share
> data with one another and also serve content from their home
> directories in Web sites. Further, it's not at all uncommon for
> sysadmins to not understand or consider the system defaults when
> making deployment decisions and failing to secure sensitive files.
>
> As a long-time Debian user myself, I agree that this default is
> showing its age, and can represent a risk for operators who overlook
> it.

Microsoft has an elegant solution with Bypass Traverse Checking
(SeChangeNotifyPrivilege). It allows an admin to deny access to
/home/loser, but allow access to /home/loser/www. Instead of a
permission check working down the hierarchy, just the www object is
checked.

Jeff

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.