Unix Technical Forum

root's umask and mozilla-1.7.3

#1
02-19-2008, 04:13 PM
Mikhail Zotov

I have found a funny thing with Slackware 10.0 and mozilla-1.7.3.
Suppose root has umask 077 (as is often suggested in security
HOWTOs). Suppose next that root is the first to start mozilla
after Slack is installed and upgraded. Then no one but root will
be able to start mozilla ... because mozilla creates a file
/usr/lib/mozilla-1.7.3/chrome/chrome.rdf and a directory
/usr/lib/mozilla-1.7.3/chrome/overlayinfo with subdirectories,
which can only be read by root :-)

I guess an even more interesting situation takes place if /usr is
mounted read-only (as is also sometimes suggested) :-)

Regards,
Mikhail
#2
02-19-2008, 04:13 PM
Thomas Ronayne

Mikhail Zotov wrote:

>I have found a funny thing with Slackware 10.0 and mozilla-1.7.3.
>Suppose root has umask 077 (as is often suggested in security
>HOWTOs). Suppose next that root is the first to start mozilla
>after Slack is installed and upgraded. Then no one but root will
>be able to start mozilla ... because mozilla creates a file
>/usr/lib/mozilla-1.7.3/chrome/chrome.rdf and a directory
>/usr/lib/mozilla-1.7.3/chrome/overlayinfo with subdirectories,
>which can only be read by root :-)
>
>I guess an even more interesting situation takes place if /usr is
>mounted read-only (as is also sometimes suggested) :-)
>
>Regards,
>Mikhail

One of the cautions you see when folks suggest "safe" system-wide umask
settings is that there is a balance between safety and usability.

Assuming that users are aware and practice good password practices, that
passwords expire periodically, that special-purpose group identities are
created and users are assigned to them on a "need to know" basis, and
that a system has to be usable, a standard umask value of 022 (or 0022,
which is the same thing) is more than workable in the real world (I work
in a Sun farm of some 40+ large servers, 022 is the standard mask, and
we've done pretty well with that for decades).

The scenario you've given is just one of the many reasons that going
overboard can be, well, painful might be adequate. Manage your user
accounts, manage your group accounts, set your mask to 022 and get on
it: you'll be happier and so will the folks using the system.
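The symptom from the first post, reproduced in a scratch directory together with an audit and a repair for it. This is an added example, not code from either poster; the function names, the `browser` subdirectory and the choice of `chmod go+rX` as the repair are assumptions of the example.

```shell
#!/bin/sh
# Added example. Everything happens in a scratch directory; nothing touches /usr.

# simulate_first_run MASK DIR
# Hypothetical stand-in for a program that writes shared state on first launch,
# using the names from the thread (chrome.rdf, overlayinfo/). The "browser"
# subdirectory name is constructed.
simulate_first_run() {
    (
        umask "$1"
        mkdir -p "$2/chrome/overlayinfo/browser"
        : > "$2/chrome/chrome.rdf"
    )
}

# find_unshared DIR
# List what other users cannot use: files without o+r, directories without o+rx.
find_unshared() {
    find "$1" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \)
}

# count_unshared DIR
count_unshared() {
    find_unshared "$1" | wc -l | tr -d ' '
}

# repair_shared DIR
# Grant group/other read; X adds execute only to directories (and to files
# that are already executable), so data files do not become executable.
repair_shared() {
    chmod -R go+rX "$1"
}

demo() {
    base=$(mktemp -d) || return 1
    simulate_first_run 077 "$base/app"
    echo "umask 077 first run: $(count_unshared "$base/app") unshared entries"
    find_unshared "$base/app"
    repair_shared "$base/app"
    echo "after repair: $(count_unshared "$base/app") unshared entries"
    rm -rf "$base"
}
demo
```

Pointing `find_unshared` at an application's install directory after root has run it shows whether the first launch left root-only state behind.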