Re: umask not applied

2011-12-23 Thread Bastien Semene



On 22/12/2011 19:21, Brad Mettee wrote:

> On 12/22/2011 12:58 PM, Bastien Semene wrote:
>
> > Hi list,
> >
> > I'm trying to apply a umask of 002 to user user (username changed
> > for this example) while logged-in through ftpd.
> >
> > I used login class class (class name changed for this example)
> >
> > I edited /etc/login.conf and set at the bottom (there's no other
> > entry for this user):
> >
> > class::umask=0002:
> > then rebuilt the db :
> > #cap_mkdb /etc/login.conf
> >
> > I assigned the user to this class:
> > #pw usermod user -L class
> > #pw usershow user
> > user:*:1003:80:class:0:0:bla bla:/home/user:/bin/sh
> > (group 80 is why I need this umask)
> >
> > The user still creates folders with 755 permissions through ftpd.
> >
> > So I switched to this user and watched the umask, it is still 0022.
> >
> > I tried setting the umask on the fly :
> > $umask 0002
> > It works.
> >
> > There's no user-defined umask in ~/.login or ~/.login_conf
> >
> > I took care of typos and there is no error.
> > #uname -r
> > 8.2-RELEASE-p3
> >
> > As what I read in the man pages I checked all the possibilities in
> > the login mechanism, so if anyone has an idea it's welcome :)
> >
> >
> > Thanks !
>
> I'm not a pro FreeBSD user, but wouldn't the FTPD program be more
> responsible for the user's login credentials since that's what they're
> using that's causing the wrong permissions to be applied?
>
> From what I remember, FTPD verifies the user's login, but doesn't
> actually execute any login scripts associated with that user.



I did not say it explicitly but when I did a switch user I actually 
meant a su command from the shell (I deactivated user's ssh login 
possibility).
You made me find the point about my use of the su command, I forgot to 
make a full login using su - user instead of su user ...

So, login class applies correctly.

In the ftpd(8) manual the -u documentation specifies that login.conf is 
read :
The default file creation mode mask is set to umask, which is expected 
to be an octal numeric value.
Refer to umask(2) for details. This option may be overridden by 
login.conf(5). 




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to 
freebsd-questions-unsubscr...@freebsd.org



umask not applied

2011-12-22 Thread Bastien Semene

Hi list,

I'm trying to apply a umask of 002 to user user (username changed 
for this example) while logged-in through ftpd.

I used login class class (class name changed for this example)

I edited /etc/login.conf and set at the bottom (there's no other entry 
for this user):

class::umask=0002:
then rebuilt the db :
#cap_mkdb /etc/login.conf

I assigned the user to this class:
#pw usermod user -L class
#pw usershow user
user:*:1003:80:class:0:0:bla bla:/home/user:/bin/sh
(group 80 is why I need this umask)

The user still creates folders with 755 permissions through ftpd.

So I switched to this user and watched the umask, it is still 0022.

I tried setting the umask on the fly :
$umask 0002
It works.

There's no user-defined umask in ~/.login or ~/.login_conf

I took care of typos and there is no error.
#uname -r
8.2-RELEASE-p3

As what I read in the man pages I checked all the possibilities in the 
login mechanism, so if anyone has an idea it's welcome :)


Thanks !




Re: umask not applied

2011-12-22 Thread Brad Mettee

On 12/22/2011 12:58 PM, Bastien Semene wrote:

> Hi list,
>
> I'm trying to apply a umask of 002 to user user (username changed
> for this example) while logged-in through ftpd.
>
> I used login class class (class name changed for this example)
>
> I edited /etc/login.conf and set at the bottom (there's no other entry
> for this user):
>
> class::umask=0002:
> then rebuilt the db :
> #cap_mkdb /etc/login.conf
>
> I assigned the user to this class:
> #pw usermod user -L class
> #pw usershow user
> user:*:1003:80:class:0:0:bla bla:/home/user:/bin/sh
> (group 80 is why I need this umask)
>
> The user still creates folders with 755 permissions through ftpd.
>
> So I switched to this user and watched the umask, it is still 0022.
>
> I tried setting the umask on the fly :
> $umask 0002
> It works.
>
> There's no user-defined umask in ~/.login or ~/.login_conf
>
> I took care of typos and there is no error.
> #uname -r
> 8.2-RELEASE-p3
>
> As what I read in the man pages I checked all the possibilities in the
> login mechanism, so if anyone has an idea it's welcome :)
>
>
> Thanks !

I'm not a pro FreeBSD user, but wouldn't the FTPD program be more 
responsible for the user's login credentials since that's what they're 
using that's causing the wrong permissions to be applied?


From what I remember, FTPD verifies the user's login, but doesn't 
actually execute any login scripts associated with that user.





mkdir and umask on FreeBSD 7.2-RELEASE-p8

2011-08-25 Thread Tz-Huan Huang
(Please CC. me because I'm not in freebsd-question@, thanks.)

We have an ftp site that runs pure-ftpd-1.0.32 on a FreeBSD 7.2-RELEASE-p8 i386 box.
(I know 7.2 is very old, but that machine doesn't boot on later versions...)

We find that the permissions of newly created directories/files are always
750 and 640 (we set the umask to 022/133 for dir/file in pure-ftpd).
I tried to trace the code to figure it out. In order to find the problem,
I added some code to print more information.

Here is the code for making a directory (FTP command MKD):


/* my codes for debugging */
/* needs <stdio.h>, <unistd.h> and <sys/stat.h> */
fprintf(stderr, "getuid: %d\n", (int) getuid());
/* umask() returns the previous mask and installs the new one (0 here) */
fprintf(stderr, "original umask: %o\n", (unsigned int) umask((mode_t) 0));
fprintf(stderr, "umask: %o, mode: %o\n", u_mask_d, 0777 & ~u_mask_d);
/* end of my codes */

if ((mkdir(name, (mode_t) (0777 & ~u_mask_d))) < 0) {
#ifdef QUOTAS
    (void) quota_update(&quota, -1LL, 0LL, NULL);
#endif
    error(550, MSG_MKD_FAILURE);
} else {
    addreply(257, "\"%s\" : " MSG_MKD_SUCCESS, name);
#ifndef MINIMAL
    cwd_failures = 0UL;
#endif
}

/* my codes for debugging */
struct stat tmp;    /* a real buffer: stat() writes its result into it */
if (stat(name, &tmp) == 0) {
    fprintf(stderr, "st_mode: %o\n", (unsigned int) tmp.st_mode);
}
/* end of my code */


When making the dir via ftp, the output is

getuid: 7000
original umask: 0
umask: 22, mode: 755
st_mode: 40750

I'm curious why the st_mode is 750, not 755.
Is it normal, or did I miss something?
Thanks!

Tz-Huan


Re: umask .ape

2010-12-11 Thread Da Rock

On 12/11/10 17:16, xinyou yan wrote:

> 1.
> In my system
> umask  enter
> 022
>
> I want to know why i  do the commander
>
> umask -S
> it show Improper mask
> not  u=rwx,g=.
>
> 2. anybody who know how to listen   the music like .ape  or flac

flac will play with mplayer.


Re: umask .ape

2010-12-11 Thread Paul B Mahol
> On 12/11/10 17:16, xinyou yan wrote:
> 2. anybody who know how to listen   the music like .ape  or flac

Any player which use libavcodec.


Re: umask .ape

2010-12-11 Thread Mikle Krutov
On Sat, Dec 11, 2010 at 03:16:56PM +0800, xinyou yan wrote:
> 1.
> In my system
> umask  enter
> 022
>
> I want to know why i  do the commander
>
> umask -S
> it show Improper mask
> not  u=rwx,g=.
>
> 2. anybody who know how to listen   the music like .ape  or flac
>
> thank you

mplayer will actually play anything.
-- 

Old mercenaries never die. They go to hell and regroup.

With best regards, Mikle Krutov, Bercut ltd. Technical Support department


umask .ape

2010-12-10 Thread xinyou yan
1.
In my system
umask  enter
022

I want to know why, when I run the command

umask -S
it shows Improper mask
not  u=rwx,g=.

2. Does anybody know how to listen to music like .ape or flac?


thank you


Re: ACLs, umask and shared directories

2010-03-12 Thread Rob
Hi Gary,

Parts of the filesystem are written by all users - /tmp and /var/tmp.
Users don't often write files there deliberately, but many programs run
by the user do.

With a umask of 002, one user can modify another user's file in these
locations. (The sticky bit only protects against file deletion.)

Also note that a user can change permissions on their home directory -
the users in question are students, and a few do this accidentally every
semester. With a umask of 002, and every user in the same group, your
home directory is effectively world-writable!

The cronjobs and so forth would work - but functional ACLs would be so
much simpler :-)

Thanks
Rob.

On 12/03/2010, at 12:52 AM, Gary Gatten wrote:

 Project Groups are the key. A secondary group owns the dir, only users 
 working on that project are in that group - so 002 works.  I get umask is 
 system wide, but it should be ok if directory ownership is correct 
 everywhere in the system and/or users know they should only put certain files 
 in certain places.
 
 If for some reason that won't work (if you could explain why for my benefit) 
 what about: A cron job that runs every x mins and sets perms as you wish. 
 Ideally a daemon process would monitor the directory in question looking 
 for opens/writes/etc, and then set perms; event driven.  Lastly, maybe train 
 the users to set perms, or have a script they can run that will do it.  
 OR, have them create files in a temp dir and a cron job mv's them to the 
 permanent dir and sets perms the same time?
 
 
 
 - Original Message -
 From: Rob list...@deathbeforedecaf.net
 To: Gary Gatten
 Cc: freebsd-questions@freebsd.org freebsd-questions@freebsd.org
 Sent: Thu Mar 11 05:04:28 2010
 Subject: Re: ACLs, umask and shared directories
 
 Hi Gary,
 
 Directory group inheritance is the default in FreeBSD - see open(2):
 
 When a new file is created it is given the group of the
 directory which contains it.
 
 In SysV, this behaviour is controlled by the setgid bit.
 
 So the file has the correct group, but it's not writeable by other users
 unless it has g+w permissions. The way to guarantee this is to set
 everyone's umask to 002 - but then they can write each other's files
 anywhere else in the filesystem, because they're all in the same primary
 group.
 
 I just can't see a tidy solution.
 
 Thanks
 Rob.
 
 On 09/03/2010, at 10:34 AM, Gary Gatten wrote:
 
 
  chmod g+s ParentDirectory
 
  Files created in the dir now have the group of the dir.
 
  Not sure if this will help or not, as it appears the new files do not
  inherit the perms of the group, the umask still over-rides so
 
  What about a secondary group + SGID + umask 002?  The users that need to
  edit each others files in this directory are in a secondary group
  (ShareMe).  This same group owns the parent directory and the SGID bit
  is set.  This should allow you to set the umask to 002 correct?  Maybe?
 
  So:
 
  www1 primary group = domain_users;
 
  www1$ pwd
  /WorkgroupXShare
 
  drwxrws---  4 root ShareMe 0 Mar  8 03:11 .
  www1$ touch file1
  drwxrws---  4 www1 ShareMe 0 Mar  8 03:11 file1
 
  umask of 002 should give files 664 (I'd change umask to 004, group
  ShareMe should get rw perms, right?
 
  I think this will work?
 
  G
 
 
  -Original Message-
  From: Gary Gatten
  Sent: Monday, March 08, 2010 4:49 PM
  To: 'list...@deathbeforedecaf.net'
  Subject: RE: ACLs, umask and shared directories
 
  This may also work:
 
  SGID (set group ID) on a directory: in this special case every file
  created in the directory will have the same group owner as the directory
  itself (while normal behavior would be that new files are owned by the
  users who create them). This way, users don't need to worry about file
  ownership when sharing directories:
 
  G
 
 
  -Original Message-
  From: Gary Gatten
  Sent: Monday, March 08, 2010 4:13 PM
  To: Gary Gatten; 'list...@deathbeforedecaf.net'
  Subject: RE: ACLs, umask and shared directories
 
  What about sticky bit on the parent directory - in combination with
  appropriate owner and group perms.  I used sticky in my ftpd solution,
  HOWEVER, this was on SCO Unix and sticky may have different behavior on
  FBSD.  Worth a look though!
 
  G
 
 
  -Original Message-
  From: Gary Gatten
  Sent: Monday, March 08, 2010 8:25 AM
  To: 'list...@deathbeforedecaf.net'
  Subject: Re: ACLs, umask and shared directories
 
  I ran into a similar issue long ago with an ftp folder and shared
  files.  If I recall umask solved my issue for me but understand it
  doesn't solve yours.
 
  If nothing else, could you write a shell script that monitors the
  directory/directories for writes and then sets the perms as needed?
 
  - Original Message -
  From: owner-freebsd-questi...@freebsd.org
  owner-freebsd-questi...@freebsd.org
  To: freebsd-questions@freebsd.org freebsd-questions@freebsd.org
  Sent: Mon Mar 08 06:41:03 2010
  Subject: ACLs

Re: ACLs, umask and shared directories

2010-03-11 Thread Rob
Hi Gary,

Directory group inheritance is the default in FreeBSD - see open(2):

When a new file is created it is given the group of the 
directory which contains it.

In SysV, this behaviour is controlled by the setgid bit.

So the file has the correct group, but it's not writeable by other users
unless it has g+w permissions. The way to guarantee this is to set
everyone's umask to 002 - but then they can write each other's files
anywhere else in the filesystem, because they're all in the same primary
group.

I just can't see a tidy solution.

Thanks
Rob.

On 09/03/2010, at 10:34 AM, Gary Gatten wrote:

 
 chmod g+s ParentDirectory
 
 Files created in the dir now have the group of the dir.
 
 Not sure if this will help or not, as it appears the new files do not
 inherit the perms of the group, the umask still over-rides so
 
 What about a secondary group + SGID + umask 002?  The users that need to
 edit each others files in this directory are in a secondary group
 (ShareMe).  This same group owns the parent directory and the SGID bit
 is set.  This should allow you to set the umask to 002 correct?  Maybe?
 
 So:
 
 www1 primary group = domain_users; 
 
 www1$ pwd
 /WorkgroupXShare
 
 drwxrws---  4 root ShareMe 0 Mar  8 03:11 .
 www1$ touch file1
 drwxrws---  4 www1 ShareMe 0 Mar  8 03:11 file1
 
 umask of 002 should give files 664 (I'd change umask to 004, group
 ShareMe should get rw perms, right?
 
 I think this will work?
 
 G
 
 
 -Original Message-
 From: Gary Gatten 
 Sent: Monday, March 08, 2010 4:49 PM
 To: 'list...@deathbeforedecaf.net'
 Subject: RE: ACLs, umask and shared directories
 
 This may also work:
 
 SGID (set group ID) on a directory: in this special case every file
 created in the directory will have the same group owner as the directory
 itself (while normal behavior would be that new files are owned by the
 users who create them). This way, users don't need to worry about file
 ownership when sharing directories:
 
 G
 
 
 -Original Message-
 From: Gary Gatten 
 Sent: Monday, March 08, 2010 4:13 PM
 To: Gary Gatten; 'list...@deathbeforedecaf.net'
 Subject: RE: ACLs, umask and shared directories
 
 What about sticky bit on the parent directory - in combination with
 appropriate owner and group perms.  I used sticky in my ftpd solution,
 HOWEVER, this was on SCO Unix and sticky may have different behavior on
 FBSD.  Worth a look though!
 
 G
 
 
 -Original Message-
 From: Gary Gatten 
 Sent: Monday, March 08, 2010 8:25 AM
 To: 'list...@deathbeforedecaf.net'
 Subject: Re: ACLs, umask and shared directories
 
 I ran into a similar issue long ago with an ftp folder and shared
 files.  If I recall umask solved my issue for me but understand it
 doesn't solve yours.
 
 If nothing else, could you write a shell script that monitors the
 directory/directories for writes and then sets the perms as needed?
 
 - Original Message -
 From: owner-freebsd-questi...@freebsd.org
 owner-freebsd-questi...@freebsd.org
 To: freebsd-questions@freebsd.org freebsd-questions@freebsd.org
 Sent: Mon Mar 08 06:41:03 2010
 Subject: ACLs, umask and shared directories
 
 Hi Folks,
 
 I need to give a group of users write access to a shared directory. The
 problem is, when one user creates a file,
 
  www1$ touch file1
  www1$ ll
  total 8
  drwxrwxr-x  2 root  domain_users  512 Mar  8 03:11 .
  drwxr-xr-x  4 root  wheel 512 Mar  8 03:10 ..
  -rw-r--r--  1 www1  domain_users0 Mar  8 03:11 file1
 
 other users can't edit it.
 
 Solution 1
 --
 
 Change everyone's umask to 002. Unfortunately, these users are defined
 in Active Directory and they're all in the same primary group - 002 is
 not secure in this scenario.
 
 Solution 2
 --
 
 Set a default ACL on the parent directory, 
 
  www1$ getfacl -d .
  # file: .
  # owner: root
  # group: domain_users
  user::rwx
  group::rwx
  mask::rwx
  other::r-x
 
 but it doesn't have the desired effect,
 
  www1$ touch file1
  www1$ getfacl file1
  # file: file1
  # owner: www1
  # group: domain_users
  user::rw-
  group::rwx   # effective: r--
  mask::r--
  other::r--
 
 as the umask seems to override it - this was confirmed by Robert
 Watson[1] in 2005.
 
 So does anyone have a better idea?
 
 Thanks
 Rob.
 
 [1]
 http://lists.freebsd.org/pipermail/freebsd-fs/2005-October/001382.html

ACLs, umask and shared directories

2010-03-08 Thread Rob
Hi Folks,

I need to give a group of users write access to a shared directory. The problem 
is, when one user creates a file,

  www1$ touch file1
  www1$ ll
  total 8
  drwxrwxr-x  2 root  domain_users  512 Mar  8 03:11 .
  drwxr-xr-x  4 root  wheel         512 Mar  8 03:10 ..
  -rw-r--r--  1 www1  domain_users    0 Mar  8 03:11 file1

other users can't edit it.

Solution 1
--

Change everyone's umask to 002. Unfortunately, these users are defined in 
Active Directory and they're all in the same primary group - 002 is not secure 
in this scenario.

Solution 2
--

Set a default ACL on the parent directory, 

  www1$ getfacl -d .
  # file: .
  # owner: root
  # group: domain_users
  user::rwx
  group::rwx
  mask::rwx
  other::r-x

but it doesn't have the desired effect,

  www1$ touch file1
  www1$ getfacl file1
  # file: file1
  # owner: www1
  # group: domain_users
  user::rw-
  group::rwx   # effective: r--
  mask::r--
  other::r--

as the umask seems to override it - this was confirmed by Robert Watson[1] in 
2005.

So does anyone have a better idea?

Thanks
Rob.

[1] http://lists.freebsd.org/pipermail/freebsd-fs/2005-October/001382.html
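
A check for the trade-off described in the message above, as an added example that is not part of the original post: it lists files in a shared directory that lack group write (so other members cannot edit them) and group-writable entries everywhere else in a tree (what a blanket umask of 002 exposes when all users share one primary group). The function names and the constructed sample tree are assumptions for illustration, and every entry is assumed to belong to that common group.

```shell
#!/bin/sh
# Added illustration: audit both sides of the umask 002 trade-off.
# Function names and the sample tree are hypothetical.

# blocked_in_shared DIR -> regular files under DIR that lack group write,
# i.e. files that other members of the group cannot edit.
blocked_in_shared() {
    find "$1" -type f ! -perm -020 | sort
}

# exposed_outside ROOT SHARED -> files and directories under ROOT, outside
# SHARED, that carry the group-write bit.
exposed_outside() {
    find "$1" -path "$2" -prune -o \( -type f -o -type d \) -perm -020 -print | sort
}

# build_sample ROOT -> constructed tree: files created under umask 022 and 002
# in the shared directory, and under umask 002 in a home directory.
build_sample() {
    mkdir -p "$1/shared" "$1/home/alice"
    chmod 775 "$1/shared"
    chmod 755 "$1/home" "$1/home/alice"
    ( umask 022; : > "$1/shared/report.txt" )   # -rw-r--r--: group cannot edit
    ( umask 002; : > "$1/shared/plan.txt" )     # -rw-rw-r--: group can edit
    ( umask 002; : > "$1/home/alice/notes.txt"; mkdir "$1/home/alice/drafts" )
}

# audit ROOT -> labelled findings for ROOT/shared versus the rest of ROOT.
audit() {
    blocked_in_shared "$1/shared" | sed 's/^/BLOCKED /'
    exposed_outside "$1" "$1/shared" | sed 's/^/EXPOSED /'
}

# demo -> build the sample tree in a scratch directory, audit it, clean up.
demo() {
    root=$(mktemp -d) || return 1
    build_sample "$root"
    audit "$root" | sed "s|$root|.|"
    rm -rf "$root"
}

demo
```

On a real system, `audit` would be pointed at the parent of the shared directory and the users' home directories instead of the sample tree.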


Umask and Samba

2009-04-14 Thread Andy Hiscock
Hi there.

Having problems with create mask in samba since changing my umask in 
/etc/login.conf to 007.

I have created a share folder in /usr/homes with mod 770.  Accessing and 
writing/creating files/directories via ftp is as expected (-rw-rw) but when 
copying a file via samba I get a real mix of permissions, after many hours of 
playing with the create mask value in smb.conf I get typically:

-rw-r--r--
-rw-r-rw--
etc

Ideally I would like to create mask to be set to generate -rw-rw.  Is 
there a way of working what the value should be?

Find below a copy of my share section of smb.conf;

[share]
path=/usr/home/share
read only=no
guest ok=no
create mask=0330

Thanks in advance.






Re: Umask and Samba

2009-04-14 Thread Karl Vogel
 On Tue, 14 Apr 2009 16:31:03 + (GMT), 
 Andy Hiscock andyjhisc...@yahoo.com said:

A Ideally I would like to create mask to be set to generate -rw-rw.
A Is there a way of working what the value should be?

   I use this in smb.conf, which allows user/group write and world read:
 force create mode = 0660
 force directory mode = 0775

   You might be able to turn world permissions off by using:
 create mask = 0740
   or
 security mask = 0770

-- 
Karl Vogel  I don't speak for the USAF or my company
Drawing on my fine command of language, I said nothing.


default umask for Apache

2006-07-09 Thread jekillen

Hello;
I've not had to do this on a Unix system before. But now I have Apache
running as nobody and have php scripts creating and writing to
directories. The files it creates have the default mask rw-r-r and I
want to change it to rw-rw-- so I can remove the files and dirs with
group write permissions via ftp.
I'm using default csh.
I don't remember where to find this info in Complete FreeBSD, or other
sources.

so:
<question>
How do you change the default mask for a user like Apache on a Unix
system?
</question>
(I assume there is a separate default for both files and directories.)
Otherwise I have to manually cd into each directory, remove the files
as root, cd back, remove the dir, cd to the next, etc. It could add up
to hundreds of directories with multiple hundreds of files to remove.
Maybe I could practice shell scripting with this, or modify the php
code to unlink the files and remove the dirs. But I may need to save
some for future reference.


thanks in advance;
JK



Re: default umask for Apache

2006-07-09 Thread Kelly D. Grills
On Sun, Jul 09, 2006 at 01:19:47PM -0700, jekillen wrote:
>
> Hello;
> I've not had to do this on a Unix system before. But now I have Apache
> running as nobody and
> have php scripts creating and writing to directories. The files it
> creates have the default mask
> rw-r-r and I want to change it to rw-rw-- so I can remove the files and
> dirs with group write permissions
> via ftp.

Could you not chmod the files / directories via your php script? See:
http://php.net/manual/en/function.chmod.php

> <question>
> How do you change the default mask for a user like Apache on a Unix
> system?
> </question>

I believe you can set this via envvars

-- 
Kelly D. Grills
[EMAIL PROTECTED]





changing umask in ssh

2005-04-01 Thread Peter C. Lai
I want to be able to set some users' umask to 002 after they login via ssh.
Do I have to enable UseLogin to do this from login.conf? or is there another
method? The purpose for this is that I want to implement group-based 
write privs without having to do ACLs which would be overkill for this. 
So that all files created by these users (who are in the same group) would have
initial permissions set to 664 so that other members of the group can write
to these files. 

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology
Yale University School of Medicine
SenseLab | Research Assistant
http://cowbert.2y.net/



umask

2005-02-16 Thread koen de wijs
Hello,
I have a question about the umask under FreeBSD. I couldn't find what 
it exactly is.
It is something for setting files how you set the 'xrwxrwxrw'
I found a file where you could change it but don't know anymore what it 
was.

I want to use this for my ftp-server with FreeBSD.
I have a directory 'upload' where all my friends can put their files. 
They are all members of the group 'ftpusers'. But when they put a file 
in that directory all the other users from the group 'ftpusers' 
can change or delete this file. I want to change it so that the write bit 
for the group is off when someone of the ftpusers group writes 
something in the folder 'upload'. Can I do this with changing the umask 
and how do I change that? I couldn't find any information on that.

Thanks ,
Koen


Re: umask

2005-02-16 Thread albi
On Wed, 16 Feb 2005 16:50:56 +0100
koen de wijs [EMAIL PROTECTED] wrote:

> I have a question about the umask under FreeBSD. I couldn't find what
> it exactly is.
> It is something for setting files how you set the 'xrwxrwxrw'
> I found a file where you could change it but don't know anymore what
> it was.
>
> I want to use this for my ftp-server with FreeBSD.
> I have a directory 'upload' where all my friends can put their files.
> They are all members of the group 'ftpusers'. But when they put a file
> in that directory all the other users from the group 'ftpusers'
> can change or delete this file. I want to change it so that the write
> bit for the group is off when someone of the ftpusers group writes
> something in the folder 'upload'.

afair normally you would :

- chmod 1777 your_upload_dir (for anonymous uploads)
- do *any* other permission-settings in the config of the FTP-server
you're running



umask

2003-08-14 Thread Antoine Jacoutot
Hi !

In my way to learn security under FreeBSD, I was wondering if a umask of 066 
in login.conf was a good or bad idea ?
Any thoughts ?
I mean at first, I can't seem to find why this could be wrong, but I'm sure 
there's a reason why the default umask is set to 022.

Thanks in advance.

- -- 
Antoine Jacoutot
[EMAIL PROTECTED]
http://www.lphp.org
PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc


Re: umask

2003-08-14 Thread Joshua Oreman
On Thu, Aug 14, 2003 at 03:42:37PM +0200 or thereabouts, Antoine Jacoutot wrote:
> Hi !
>
> In my way to learn security under FreeBSD, I was wondering if a umask of 066
> in login.conf was a good or bad idea ?
> Any thoughts ?
> I mean at first, I can't seem to find why this could be wrong, but I'm sure
> there's a reason why the default umask is set to 022.

066 will be *more* secure than 022.

This is because a umask is deducted from the default permission bits of 666 (or 777
for executables) on new files. So a umask of 022 will cause new files to have a mode
of 600 or 711.

Here are some good (and not-so-good) umasks, in order of least- to most-secure:
* 000  (666 or 777 -- PLEASE DO NOT USE)
* 022  (644 or 755 -- default)
* 027  (640 or 750 -- pretty good)
* 077  (600 or 700 -- most secure)

Usually people don't do umasks with a 6 because this can leave *only* executable bits
on some parts of the mode; this is not very useful.

-- Josh

 
> Thanks in advance.
>
> -- 
> Antoine Jacoutot
> [EMAIL PROTECTED]
> http://www.lphp.org
> PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc
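
The arithmetic behind the umask list in the message above, as an added example that is not part of the original post: a new file is requested with mode 666 and a new directory with 777, and the bits set in the umask are cleared from that request. The helper names `masked_mode`, `perms_under_umask` and `report` are made up for this illustration; the script creates and removes a scratch directory with `mktemp -d` to read back the modes actually assigned.

```shell
#!/bin/sh
# Added illustration: how a umask turns into the mode of a new file or directory.
# Helper names are hypothetical; nothing here comes from the thread itself.

# masked_mode BASE MASK -> octal mode left after clearing the MASK bits from BASE.
masked_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# perms_under_umask MASK -> "<file perms> <dir perms>" as assigned to a file
# and a directory created under that umask.
perms_under_umask() {
    (
        work=$(mktemp -d) || exit 1     # scratch dir, made before the umask changes
        umask "$1" || exit 1
        : > "$work/file"                # the shell creates the file asking for 0666
        mkdir "$work/dir"               # mkdir asks for 0777
        f=$(ls -ld "$work/file" | cut -c1-10)
        d=$(ls -ld "$work/dir"  | cut -c1-10)
        rm -rf "$work"
        printf '%s %s\n' "$f" "$d"
    )
}

# report -> one line per umask: computed modes next to the observed ones.
# 066 is included to show the case where only execute bits remain for
# group and other on a directory.
report() {
    for m in 000 022 027 066 077; do
        printf 'umask %s  file %s  dir %s  observed: %s\n' \
            "$m" "$(masked_mode 666 "$m")" "$(masked_mode 777 "$m")" \
            "$(perms_under_umask "$m")"
    done
}

report
```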


Re: umask

2003-08-14 Thread Antoine Jacoutot
On Thursday 14 August 2003 20:19, Joshua Oreman wrote:
> 066 will be *more* secure than 022.

I know that :)

> This is because a umask is deducted from the default permission bits of 666
> (or 777 for executables) on new files. So a umask of 022 will cause new
> files to have a mode of 600 or 711.

Yes I know, I was just wondering why the default behaviour was not very 
secure.

> * 077  (600 or 700 -- most secure)

So, if I set umask to 077, this is OK, right ? Is there ANY cons ?

Thanks a lot for your answer Joshua.

Antoine


Re: umask

2003-08-14 Thread Joshua Oreman
On Thu, Aug 14, 2003 at 08:25:15PM +0200 or thereabouts, Antoine Jacoutot wrote:
> On Thursday 14 August 2003 20:19, Joshua Oreman wrote:
> > 066 will be *more* secure than 022.
>
> I know that :)
>
> > This is because a umask is deducted from the default permission bits of 666
> > (or 777 for executables) on new files. So a umask of 022 will cause new
> > files to have a mode of 600 or 711.
>
> Yes I know, I was just wondering why the default behaviour was not very
> secure.
>
> > * 077  (600 or 700 -- most secure)
>
> So, if I set umask to 077, this is OK, right ? Is there ANY cons ?

None of the files you create, by default, will be accessible -- at all -- to
anyone but yourself. You have to watch out for this if you're running a web/ftp
server when you put files in the document root, for example.

 
> Thanks a lot for your answer Joshua.

No trouble.

-- Josh

>
> Antoine


Re: umask

2003-08-14 Thread Antoine Jacoutot
On Thursday 14 August 2003 21:12, Jez Hancock wrote:
> Some applications require a less strict umask to install files correctly
> with the right permissions - quite often you aren't warned about this
> either and it can be a headache finding out which file perms are
> incorrect.

Ah, OK... this is kind of a problem indeed.
Well, I don't know what to do anymore :)
Maybe setting an umask of 077 only for /usr/home (using fstab) would be a good 
start ?

If anyone has any advice about this, please feel free to tell me.

Regards.

-- 
Antoine Jacoutot
[EMAIL PROTECTED]
http://www.lphp.org
PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc


Re: umask

2003-08-14 Thread Jez Hancock
On Thu, Aug 14, 2003 at 09:37:46PM +0200, Antoine Jacoutot wrote:
> On Thursday 14 August 2003 21:12, Jez Hancock wrote:
> > Some applications require a less strict umask to install files correctly
> > with the right permissions - quite often you aren't warned about this
> > either and it can be a headache finding out which file perms are
> > incorrect.
>
> Ah, OK... this is kind of a problem indeed.

Yes I got burnt by setting my root umask to 077 and installing a raft of
apps - real nightmare finding out which apps installed perms with dodgy
perms.

> Well, I don't know what to do anymore :)
> Maybe setting an umask of 077 only for /usr/home (using fstab) would be a good
> start ?

The only gotcha there is with httpd access - if you decide to have apache
read documentroot folders from under /usr/home then any files your users
create in a shell won't be accessible by the www user by default.

In the end I gave up and left the default umask alone, causes more
problems than it solves in the 'prevention' vein.  umask is perhaps more
friendly when considering setting a lower umask to allow for users to
create group rwx files by default.  I've not used it that much tbh. :)

-- 
Jez

http://www.munk.nu/


Re: umask

2003-08-14 Thread Jez Hancock
On Thu, Aug 14, 2003 at 08:25:15PM +0200, Antoine Jacoutot wrote:
> On Thursday 14 August 2003 20:19, Joshua Oreman wrote:
> > 066 will be *more* secure than 022.
>
> I know that :)
>
> > This is because a umask is deducted from the default permission bits of 666
> > (or 777 for executables) on new files. So a umask of 022 will cause new
> > files to have a mode of 600 or 711.
>
> Yes I know, I was just wondering why the default behaviour was not very
> secure.
>
> > * 077  (600 or 700 -- most secure)
>
> So, if I set umask to 077, this is OK, right ? Is there ANY cons ?

Some applications require a less strict umask to install files correctly
with the right permissions - quite often you aren't warned about this
either and it can be a headache finding out which file perms are
incorrect.
-- 
Jez

http://www.munk.nu/


Re: umask

2003-08-14 Thread Antoine Jacoutot

On Thursday 14 August 2003 22:46, Jez Hancock wrote:
> > Well, I don't know what to do anymore :)
> > Maybe setting an umask of 077 only for /usr/home (using fstab) would be a
> > good start ?
>
> The only gotcha there is with httpd access - if you decide to have apache
> read documentroot folders from under /usr/home then any files your users
> create in a shell won't be accessible by the www user by default.

Well, my users don't have public html files, so this shouldn't be a problem.
Thanks a lot for the feedback.

Antoine


FW: A question about umask, groups and classes

2003-01-31 Thread Phillip Smith (mailing list)

** re-post **

Hi there,

What I'm trying to accomplish is
- to have a group of users called 'developers'
- read/write access to all files created by any member of that group by
each member of that group.

I believe in the past I've accomplished this via a umask of 002, but I
don't recall where I put that to have it automatically assigned to all
users in a certain group? Also, I've stumbled on the whole login.conf
stuff, which seems to speak to 'classes' of users? I've never used user
classes, is this a better way to set this?

Preferably, I don't want to have to set the GUID on every folder the
group is jointly working on. I'd rather have all files group
readable/writeable by default. Are there any reasons not to do this?

Many thanks in advance,

phillip.


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message





Re: FW: A question about umask, groups and classes

2003-01-31 Thread Rich Fox
Hi,

I believe in my adventures, this successfully worked by placing the
umask command in /etc/login.conf...

default:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
[snip]
        :priority=0:\
        :ignoretime@:\
        :umask=002:

Rich.

 | Rich Fox
 | [EMAIL PROTECTED]
 | 86 Nobska Road
 | Woods Hole, MA 02543
 | MA 508 548 4358
 | VA 703 201 6050

On Fri, 31 Jan 2003, Phillip Smith (mailing list) wrote:


> ** re-post **
>
> Hi there,
>
> What I'm trying to accomplish is
> - to have a group of users called 'developers'
> - read/write access to all files created by any member of that group by
> each member of that group.
>
> I believe in the past I've accomplished this via a umask of 002, but I
> don't recall where I put that to have it automatically assigned to all
> users in a certain group? Also, I've stumbled on the whole login.conf
> stuff, which seems to speak to 'classes' of users? I've never used user
> classes, is this a better way to set this?
>
> Preferably, I don't want to have to set the GUID on every folder the
> group is jointly working on. I'd rather have all files group
> readable/writeable by default. Are there any reasons not to do this?
>
> Many thanks in advance,
>
> phillip.






To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
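
An added example, not part of the original thread: instead of changing the default class for everyone, a dedicated login class can carry umask=002 and inherit the rest through tc=default. The script below resolves which umask each class ends up with from login.conf-style text. The class names, the sample file contents and the class_umask helper are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed login.conf(5)-style sample:
# the class name "developers" and every value below are assumptions.
SAMPLE_LOGIN_CONF='default:\
        :welcome=/etc/motd:\
        :priority=0:\
        :umask=022:

developers:\
        :umask=002:\
        :tc=default:

staff:\
        :tc=default:
'

# class_umask CLASS [FILE] -> umask the class ends up with, or "unset".
# A value set in the class itself wins; otherwise tc= is followed upwards.
class_umask() {
    if [ -n "$2" ]; then cat "$2"; else printf '%s' "$SAMPLE_LOGIN_CONF"; fi |
    awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            more = sub(/\\$/, "")            # trailing backslash: record continues
            rec = rec $0
            if (more) next
            n = split(rec, f, ":"); rec = ""
            name = f[1]; sub(/[|].*/, "", name)   # drop "name|alias" aliases
            for (i = 2; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", f[i])
                if (f[i] ~ /^umask=/ && !(name in um)) um[name] = substr(f[i], 7)
                if (f[i] ~ /^tc=/ && !(name in tc))    tc[name] = substr(f[i], 4)
            }
        }
        END {
            c = want
            for (hops = 0; hops < 16 && c != ""; hops++) {   # 16: loop guard
                if (c in um) { print um[c]; exit }
                c = (c in tc) ? tc[c] : ""
            }
            print "unset"
        }'
}

for c in default developers staff; do
    echo "$c: umask $(class_umask "$c")"
done
```

On a FreeBSD host the real file can be passed as the second argument, as in class_umask developers /etc/login.conf.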



A question about umask, groups and classes

2003-01-27 Thread Phillip Smith

Hi there,

What I'm trying to accomplish is
- to have a group of users called 'developers'
- read/write access to all files created by any member of that
group

I believe in the past I've accomplished this via a umask of 002, but I
don't recall where I put that to have it automatically assigned to all
users in a certain group? Also, I've stumbled on the whole login.conf
stuff, which seems to speak to 'classes' of users? I've never used user
classes, is this a better way to set this?

Preferably, I don't want to have to set the GUID on every folder the
group is jointly working on. I'd rather have all files group
readable/writeable by default. Are there any reasons not to do this?

Many thanks in advance,

phillip.





Default permissions under X (umask?)

2002-12-25 Thread Bill Moran
I would like to set my default permissions for X windows apps.
I've set my umask for bash, which works great when I'm in a
terminal, but it doesn't seem to have any effect on X apps
(such as the Mozilla downloader, for example, or when I create
new files with Code Crusader)
Files are created rw-------, which is pretty restrictive when
working on the server (something like rw-rw---- would be more
appropriate - it's what I have the umask set to in bash)
Is there a way to globally set the umask for all X apps?  It's
very easy to forget and the other members of my team keep chewing
me out. I tried calling the umask command from my .xinitrc file,
but it doesn't seem to have any effect.

-Bill



Re: Default permissions under X (umask?)

2002-12-25 Thread Lowell Gilbert
Bill Moran [EMAIL PROTECTED] writes:

> I would like to set my default permissions for X windows apps.
> I've set my umask for bash, which works great when I'm in a
> terminal, but it doesn't seem to have any effect on X apps
> (such as the Mozilla downloader, for example, or when I create
> new files with Code Crusader)
> Files are created rw-------, which is pretty restrictive when
> working on the server (something like rw-rw---- would be more
> appropriate - it's what I have the umask set to in bash)
> Is there a way to globally set the umask for all X apps?  It's
> very easy to forget and the other members of my team keep chewing
> me out. I tried calling the umask command from my .xinitrc file,
> but it doesn't seem to have any effect.

It *should* work -- it does for me.
[Although, in my case, it's the .xsession file, because I use xdm.]




Re: Default permissions under X (umask?)

2002-12-25 Thread Bill Moran
From: Lowell Gilbert [EMAIL PROTECTED]
> Bill Moran [EMAIL PROTECTED] writes:
>
> > I would like to set my default permissions for X windows apps.
> > I've set my umask for bash, which works great when I'm in a
> > terminal, but it doesn't seem to have any effect on X apps
> > (such as the Mozilla downloader, for example, or when I create
> > new files with Code Crusader)
> > Files are created rw-------, which is pretty restrictive when
> > working on the server (something like rw-rw---- would be more
> > appropriate - it's what I have the umask set to in bash)
> > Is there a way to globally set the umask for all X apps?  It's
> > very easy to forget and the other members of my team keep chewing
> > me out. I tried calling the umask command from my .xinitrc file,
> > but it doesn't seem to have any effect.
>
> It *should* work -- it does for me.
> [Although, in my case, it's the .xsession file, because I use xdm.]


Well, now that I'm taking a more careful look, it does ... sort of.
It seems as though I've been looking at the wrong thing, the problem
appears to be in the Mozilla downloader.  When I save an email from
Mozilla, it gets rw-rw-r--, but when I download a file, it gets
rw-------.
I'll check the docs and Bugzilla to see if this is by design or a
known issue ... if not, I'll file a bug report.
Thanks for the pointer, and sorry for the noise.

-Bill



Re: Default permissions under X (umask?)

2002-12-25 Thread Gary W. Swearingen
> > It *should* work -- it does for me.
> > [Although, in my case, it's the .xsession file, because I use xdm.]
>
> Well, now that I'm taking a more careful look, it does ... sort of.

In any case, it seems like it should be set in one place which holds for
both X and non-X sessions.  Maybe cobbled into a shell startup file or
even /etc/rc, but preferably in the login setup -- look for umask in
the login.conf manpage.
