On 08/01/2014 01:10 AM, Ben Finney wrote:
> On 01-Aug-2014, Ethan Furman wrote:
>> The default of “set the umask to 0” was always known to produce an
>> insecure program;
>
> Known by whom? I certainly didn't know it.
>
> The default of 0 is because there is no unambiguous, obvious single
> value to set instead. The reason given in the Stevens reference is
> because the programmer is assumed to know better than the library what
> mode to create files with.

And when the programmer doesn't, why should the default be to create a security
hole?

>> If a daemon user needs world-writable files it is not hard to change
>> the daemon umask setting to 0, but by having it be something else,
>> such as 077
>
> There's no single umask value which makes sense by default.

And yet you are fighting to keep the single default value that creates the
biggest security hole.

> Moreover, “set the umask to 0 and let the specific daemon program
> decide for itself” is the conventional behaviour for Unix daemons
> everywhere I've seen. We're implementing conventional behaviour for
> Unix daemons.

Conventional behavior is fine until a good reason comes along to change the
convention. I believe we have one.

>> then all who are ignorant of the trap still won't fall into it
>
> So the best I can get from that is that you'd prefer no default, and
> instead raise an exception if no umask value is specified. Yes?

No, I'd prefer a default of 077, but even an exception would be better than
sticking with 0.
--
~Ethan~
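The effect the thread is arguing about, shown with an added Python snippet (not python-daemon's own code): a file created with the usual open(2) request mode 0o666 comes out world-writable under umask 0 and owner-only under umask 077. Assumes a POSIX host; the file name and directory are constructed for the demonstration.

```python
import os
import stat
import tempfile


def mode_created_under_umask(umask: int) -> int:
    """Create a file with request mode 0o666 while `umask` is in effect and
    return the permission bits the kernel actually set (mode & ~umask).
    os.umask is process-wide state, so the previous value is restored."""
    old = os.umask(umask)
    try:
        # Constructed scratch location; the directory itself is made 0o700
        # by mkdtemp regardless of umask.
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "daemon.out")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o666)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def is_world_writable(mode: int) -> bool:
    """True when any other user on the host may modify the file."""
    return bool(mode & stat.S_IWOTH)


def is_owner_only(mode: int) -> bool:
    """True when no group or other bits are set (what umask 077 yields)."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    # umask 0 -> 0666, umask 022 -> 0644, umask 077 -> 0600
    for um in (0o000, 0o022, 0o077):
        m = mode_created_under_umask(um)
        print(f"umask {um:04o} -> file mode {m:04o} "
              f"world-writable={is_world_writable(m)} "
              f"owner-only={is_owner_only(m)}")
```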
_______________________________________________
python-daemon-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-daemon-devel