On 04/05/2016 01:33 AM, Robert Storey wrote:
>>> I'm getting a bit uncomfortable about starting this thread, because upon
>>> reflection, it seems that one consequence of setting the system-wide may
>>> be that the 027 umask will end up having some system account creating a
>>> file that should be world-readable or world-executable, but because of
>>> the umask, it now would not be, and so would break stuff. My intent was
>>> to protect data of one user from other users, which could be done by
>>> making the change in .profile or even in the default .bashrc.
>>>
>>
>> I was actually waiting for somebody to realise this before answering
>> your email. In a "Universal OS" there is much more than the
>> preferences of single specific users, or specific applications, or
>> specific environments. There is the necessity to accommodate a huge
>> number of different scenarios and use cases. In short, that's why you
>> have the umask set by default to 022. Any user can change this
>> behaviour to a more restrictive one, if they need so.
>
> Yes indeed - permission errors are among the most common difficulties that
> inexperienced users encounter when they first start with Linux. Long ago, I
> tried setting my own umask to 077, thinking that it would enhance my
> security. Didn't occur to me until later that it broke all the web pages I
> created and uploaded to my site, since no one but me could read them. Once
> I realized it, I was able to fix the problem with chmod, but it was easy
> enough to forget to do that when creating a new page, and I eventually
> decided the only sane solution was to go back to umask 022, which was the
> default.
>
> I ran into the above problem after I'd been using Linux for about five
> years, and I understood the cause once somebody complained to me that he
> couldn't read my site even though I still could. However, had I run into
> this difficulty earlier in my Linux career, I probably would not have been
> able to figure out the cause, and would have concluded that "Linux is no
> good." So I favor keeping the default umask at 022, and let users tweak
> their own .bashrc and .profile if they want more restrictive security.
>
> cheers,
> Robert

You and others on the list misunderstood my comment. I stand by my
original proposal to change the /etc/profile to either 027 or 077, for
the benefit of user accounts. My reservations arose when someone else on
the list 'corrected' me and suggested applying that to pam_session, which
I understand would apply it to system accounts also.

On a multi-user system, like in real life, your 'stuff' should be private
until you decide to make it public.

-- 
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0
