Hi Tuomas,

Tuomas Haarala wrote on Fri, Apr 08, 2022 at 12:35:52PM +0000:

> Daily cronjob "/bin/sh /etc/daily" results in false positive security
> notification, if root owned script (in this case, /etc/profile) has
> umask considered unsafe, even if the conditions for umask execution
> will not be fulfilled if the script is run by root.
[...]
> --begin: /etc/profile --
> if [ "$(id -u)" -ge 1000 ] && [ "$(id -gn)" = "$(id -un)" ]; then
>     umask 007
> else
>     umask 022
> fi
> --end: /etc/profile --

This is bad practice. Shell initialization files are not the place
to show off excessive cleverness. To reach good levels of security,
they ought to be as short, simple, and easy to understand for human
readers as possible.

If you want an insecure umask for a specific non-privileged account,
put the desired umask into the shell initialization file of that
specific account. Then again, it might be even better to only set
the insecure umask for those processes that really require it rather
than indiscriminately, depending on your task and threat model.

> The umask detection will not happen unless preceded by beginning
> of line and whitespace(s).

Yes.

  https://man.openbsd.org/security.8#DESCRIPTION

  "security is a command script that examines the system for some
  signs of security weaknesses. It is only a security aid and does
  not offer complete protection. [...] The intent of the security
  script is to point out some obvious holes to the system
  administrator."

Consequently, if you configure your system in very non-obvious ways,
it is expected that the security(8) script can only provide aid with
reduced effectiveness and accuracy.

> Fix:
> Preventing the false positive from being detected by having some null
> function on the same line as "umask 007" is in, or writing the
> conditional on single line.

You appear to be fighting excessive cleverness with excessive
cleverness. I guess you may eventually overcome yourself, but
whether for the better or for the worse looks like an open question
to me.

I don't think there is anything to fix here. It makes sense to me
that security(8) warns about the line "umask 007" in /etc/profile.
If you want to silence the warning by saying "true && umask 007" -
well it's your machine and you are free to decide how you want to
configure it, even in ways that i might consider unwise.

Yours,
  Ingo
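The line-anchored check discussed in this thread, sketched as an added example that is not the security(8) source and not code from either poster. The function name `scan_umask`, the sample files, and the definition of "unsafe" (group or other write permission left enabled) are assumptions.

```shell
#!/bin/sh
# Added illustration; NOT the source of OpenBSD's security(8) script.
# Assumption: a umask counts as unsafe when it leaves write permission
# enabled for group or other (write bit 2 clear in that octal digit).

# Print "LINE: umask VALUE (reason)" for every flagged line in file $1.
scan_umask() {
    awk '
    # Match only lines that begin with optional whitespace, then umask.
    # The surrounding if/else is never evaluated: this is a text scan.
    /^[ \t]*umask[ \t]+[0-7]+/ {
        mask = $2
        sub(/[^0-7].*$/, "", mask)        # drop a trailing ";" or similar
        n = length(mask)
        other = substr(mask, n, 1) + 0
        group = (n >= 2) ? substr(mask, n - 1, 1) + 0 : 0
        why = ""
        if (int(group / 2) % 2 == 0) why = "group writable"
        if (int(other / 2) % 2 == 0)
            why = why (why != "" ? ", " : "") "other writable"
        if (why != "") printf "%d: umask %s (%s)\n", NR, mask, why
    }' "$1"
}

# Constructed sample inputs, written to a temporary directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# The /etc/profile fragment quoted in the report.
cat > "$demo_dir/profile" <<'EOF'
if [ "$(id -u)" -ge 1000 ] && [ "$(id -gn)" = "$(id -un)" ]; then
    umask 007
else
    umask 022
fi
EOF

# The same umask behind "true &&": still applied by the shell, but the
# line no longer starts with umask, so the scan loses sight of it.
cat > "$demo_dir/oneline" <<'EOF'
true && umask 007
EOF

echo "profile:  $(scan_umask "$demo_dir/profile")"
echo "one-line: $(scan_umask "$demo_dir/oneline")"
```

The first file is flagged on line 2 regardless of which branch root would take, while the second produces no finding even though the umask is unchanged, which is the reduced accuracy the reply describes for non-obvious configurations.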
