Project

General

Profile

Actions
Copy link

Task #7957

open

Task #7952: tracking: CWE-732: File created without restricting permissions

umask: enable by default

Added by Victor Julien 4 days ago. Updated about 6 hours ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

By default no umask is set, and it is set by the shell. We should probably set it by default to something restrictive.

There seems to be no easy way for a process to know it's umask w/o also modifying it:

       It  is  impossible to use umask() to fetch a process's umask without at the same time changing it.  A second
       call to umask() would then be needed to restore the umask.  The nonatomicity of these two steps provides the
       potential for races in multithreaded programs.

(from the man 2 umask manpage)

So we could just set something restrictive like 0600 by default.

Actions
Copy link
 #1

Updated by Jason Ish about 6 hours ago

So we could just set something restrictive like 0600 by default.

So a umask of 0077.

Packages that setup permissions correctly might want to use 0027 as this would allow users of the suricata group read access to files generated by Suricata, reducing the need for root access by additional tooling.

Actions
Copy link

Also available in: Atom PDF