On 8/1/2014 4:10 AM, Ben Finney wrote:
> On 01-Aug-2014, Ethan Furman wrote:
>> It is certainly better than the status quo, but I must admit I don't
>> understand why you place more importance on following a now
>> known-to-be-insecure default rather than going with a
>> secure-by-default design.
>
> The default of “set the umask to 0” was always known to produce an
> insecure program; that's exactly why there is a parameter to set an
> explicitly-chosen umask value as chosen by the daemon programmer.
>
> The default of 0 is because there is no unambiguous, obvious single
> value to set instead. The reason given in the Stevens reference is
> because the programmer is assumed to know better than the library what
> mode to create files with.
>
>> If a daemon user needs world-writable files it is not hard to change
>> the daemon umask setting to 0, but by having it be something else,
>> such as 077
>
> There's no single umask value which makes sense by default. If you
> know of one, I will need more than anecdote or personal preference, I
> will need to see substantial evidence in favour of daemon programmers,
> on all Unix variants Python supports, expecting *one specific*
> behaviour over all others.
>
> Moreover, “set the umask to 0 and let the specific daemon program
> decide for itself” is the conventional behaviour for Unix daemons
> everywhere I've seen. We're implementing conventional behaviour for
> Unix daemons.
>
> So that's a strong reason not to deviate from that without a clearly
> better setting — and “something else, such as foo” is not a clear
> mandate for that specific value.
>
>> then all who are ignorant of the trap still won't fall into it
>
> So the best I can get from that is that you'd prefer no default, and
> instead raise an exception if no umask value is specified. Yes?
I do think raising an exception if no umask were supplied would be preferable to an insecure default, even one that's documented as such.

I realize you're looking for more than random opinions, but I'm not sure where you'd find that. But here's my random opinion: 077 would be a reasonable default.

I've read Stevens (and my claim to fame: answered a question of his on a mailing list way back in the day), and frankly the insecure umask issue completely escaped me.

Eric.
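The trap the thread is discussing, shown concretely as an added example (not code from python-daemon or from either poster): the permission bits a daemon's newly created files end up with under umask 0 versus umask 077, plus a small model of the "raise if no umask was given" alternative. The function names are hypothetical and the code assumes a POSIX filesystem that honours mode bits.

```python
import os
import stat
import tempfile


def mode_of_new_file(umask: int, requested_mode: int = 0o666) -> int:
    """Create a file while the given umask is in effect and return the
    permission bits it actually received (requested_mode & ~umask)."""
    previous = os.umask(umask)
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "daemon-output.log")
    try:
        # Same pattern as a daemon doing open(..., O_CREAT, 0666) and
        # trusting the umask to strip whatever it should not grant.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode)
        try:
            return stat.S_IMODE(os.fstat(fd).st_mode)
        finally:
            os.close(fd)
    finally:
        os.umask(previous)  # never leave the test umask behind
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)


def is_world_writable(mode: int) -> bool:
    """True if 'other' has write permission: the 0666-with-umask-0 outcome."""
    return bool(mode & stat.S_IWOTH)


def require_explicit_umask(umask=None) -> int:
    """Hypothetical model of the 'no default, raise instead' proposal:
    the caller must choose a umask; None is rejected rather than
    silently becoming 0."""
    if umask is None:
        raise ValueError("daemon umask must be set explicitly")
    if not 0 <= umask <= 0o777:
        raise ValueError("umask must be an octal value between 0 and 0o777")
    return umask


if __name__ == "__main__":
    for um in (0, 0o022, 0o077):
        mode = mode_of_new_file(um)
        flag = "WORLD-WRITABLE" if is_world_writable(mode) else "ok"
        print(f"umask {um:03o} -> file mode {mode:03o} ({flag})")
```

Run stand-alone it prints that umask 0 yields 0666 (world-writable), 022 yields 0644, and 077 yields 0600, which is exactly the owner-only result Eric suggests as a default.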
