[PATCH] ssh: don't make the umask more permissive than the user has set
Damien Miller
djm at mindrot.org
Fri Oct 7 09:46:34 AEDT 2022
On Tue, 4 Oct 2022, Alex Henrie wrote:
> Daniel Kahn Gillmor suggested this exact change on the openssh-unix-dev
> mailing list in 2008, but I couldn't find any reply. [1]
>
> Ignoring the current umask makes it hard to fulfill the Defense
> Information Systems Agency's Security Technical Implementation Guide. In
> particular, it requires:
>
> "The Red Hat Enterprise Linux operating system must be configured so
> that all files and directories contained in local interactive user home
> directories have a mode of 0750 or less permissive." [2]
>
> "The Red Hat Enterprise Linux operating system must set the umask value
> to 077 for all local interactive user accounts." [3]
Thanks - applied with a slight tweak:
- umask(022);
+ umask(022 | umask(077));
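Review bot: the nested call reads non-obviously, so a one-line comment would help: the inner `umask(077)` both installs 077 and returns the mask the process had before, which is then OR'ed with 022 and re-installed, so the final mask is `previous | 022` and can never be looser than what the user started with. The only side effect worth noting is that the mask is transiently 077 between the two calls, which matters only if another thread could create a file in that window.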
which better matches what we do in sshd.
-d
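To show concretely why the tweak matters, here is a small added example (not code from the thread or from OpenSSH; the function names are my own) that runs both the pre-patch `umask(022)` and the applied `umask(022 | umask(077))` from a range of starting user umasks and reports the mask, and the resulting mode of a 0666 create, that each one leaves behind:

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Read the process umask without changing it: umask() returns the previous
 * value, so install a throwaway mask and immediately restore the original. */
static mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

/* Pre-patch behaviour: ssh unconditionally set umask(022). Starting from the
 * user's login mask, return the mask files would actually be created under. */
mode_t mask_after_old_code(mode_t user_umask)
{
    umask(user_umask);           /* the user's login umask, e.g. 077 */
    umask(022);                  /* old ssh behaviour: overrides it */
    return current_umask();
}

/* Patched behaviour: the inner umask(077) returns the user's mask, which is
 * OR'ed with 022, so the result is never more permissive than the user had. */
mode_t mask_after_new_code(mode_t user_umask)
{
    umask(user_umask);
    umask(022 | umask(077));     /* patched ssh behaviour */
    return current_umask();
}

/* Permission bits a 0666 create would produce under a given mask. */
mode_t file_mode_under(mode_t mask)
{
    return 0666 & ~mask;
}

int main(void)
{
    /* Constructed sample of typical login umasks. */
    mode_t users[] = { 002, 022, 027, 077 };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        mode_t old_mask = mask_after_old_code(users[i]);
        mode_t patched = mask_after_new_code(users[i]);
        printf("user umask %03o: old ssh -> %03o (file 0%03o), patched -> %03o (file 0%03o)\n",
               (unsigned)users[i], (unsigned)old_mask, (unsigned)file_mode_under(old_mask),
               (unsigned)patched, (unsigned)file_mode_under(patched));
    }
    return 0;
}
```

With a STIG-style umask of 077, the old code silently relaxed the mask to 022 (files created 0644), whereas the patched expression keeps 077 (files 0600); with a looser mask such as 002 the patched code still tightens to 022, which is the behaviour sshd already had.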