On Wed, Oct 15, 2008 at 4:12 PM, Dan Anderson <opensolaris at drydog.com> wrote:
> First, the umask should be set in /opt/SUNWjass/Drivers/user.init, not
> finish.init. If you change it in finish.init, it might be wiped-out from
> patches or upgrades to JASS/SST.

Fixed this. In my user.init, copied from the SAMPLE, I appended:

JASS_UMASK="027"

>
> The value is set in /etc/default/{init,profile}, the root .login and profile
> files and the /etc/skel/local.* files by set-system-umask.fin
> set-user-umask.fin

All these are good, umask 027 like I expected. However, in /root:

# head .cshrc
#
# This file is installed by JASS. This is a sample file
# that can be adapted as needed.
umask 022

# head .profile
#
# Copyright (c) 2000-2002 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#).profile 1.5 02/04/12 SMI"
#
umask 022

There are empty .cshrc.JASS.date and .profile.JASS.date

So, something is allowing JASS to write the final user umask as 022 in
.cshrc and .profile.

Also, may I ask why sendmail isn't shut-up by default?

CT

>
> You can also run SST in audit mode to verify the changes have been made:
> /opt/SUNWjass/bin/jass-execute -a secure.driver
> (besides inspecting the files above by hand).
>
> My guess is that the problem you're having is some non-root user account is
> overriding the umask in its .login, .profile, .bashrc, .kshrc, .dtlogin, or
> similar startup file.
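
An added example, not part of the original message and not JASS/SST code: a small check that lists every active umask setting in a set of startup files that differs from the intended value, run here on constructed copies of the two /root dotfiles quoted above. The function name umask_mismatches is hypothetical, and matching UMASK=/CMASK= assignment lines in /etc/default files is an assumption.

```shell
#!/bin/sh
# umask_mismatches EXPECTED FILE...
# Prints "file:line:value" for each active (non-comment) umask setting whose
# value differs from EXPECTED. Files that do not exist are skipped.
umask_mismatches() {
    expected=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v want="$expected" -v file="$f" '
            /^[ \t]*#/ { next }          # commented-out settings do not count
            {
                val = ""
                # sh/csh style statement: "umask 022"
                if ($1 == "umask" && $2 ~ /^[0-7]+$/) {
                    val = $2
                # assumed /etc/default style: "UMASK=022" or "CMASK=022"
                } else if ($1 ~ /^(UMASK|CMASK)=[0-7]+$/) {
                    val = $1
                    sub(/^[A-Z]+=/, "", val)
                }
                # numeric compare so 027 and 0027 count as the same value
                if (val != "" && val + 0 != want + 0)
                    printf "%s:%d:%s\n", file, NR, val
            }' "$f"
    done
}

# Constructed sample: the two dotfiles shown in the message, plus one file
# that already carries the intended 027 (with a stale 022 left as a comment).
demo() {
    d=$(mktemp -d) || return 1
    printf '#\n# This file is installed by JASS.\numask 022\n' > "$d/.cshrc"
    printf '#\n#ident "@(#).profile 1.5 02/04/12 SMI"\n#\numask 022\n' > "$d/.profile"
    printf '# umask 022\numask 027\n' > "$d/local.profile"
    (cd "$d" && umask_mismatches 027 .cshrc .profile local.profile missing)
    rm -rf "$d"
}

demo
```

On a real host the same function can be pointed at the files named in the thread, for example the root dotfiles and /etc/skel/local.*, with the value from JASS_UMASK as the first argument.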