Task #7957: umask: enable by default - Suricata - Open Information Security Foundation

Actions

Copy link

Task #7957

open

Task #7952: tracking: CWE-732: File created without restricting permissions

umask: enable by default

Added by Victor Julien 4 days ago. Updated about 6 hours ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

9.0.0-beta1

Effort:

Difficulty:

Label:

Description

By default no umask is set, and it is set by the shell. We should probably set it by default to something restrictive.

There seems to be no easy way for a process to know it's umask w/o also modifying it:

       It  is  impossible to use umask() to fetch a process's umask without at the same time changing it.  A second
       call to umask() would then be needed to restore the umask.  The nonatomicity of these two steps provides the
       potential for races in multithreaded programs.

(from the man 2 umask manpage)

So we could just set something restrictive like 0600 by default.

History
Notes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Task #7957

umask: enable by default

Updated by Jason Ish about 6 hours ago