Debian Bug report logs - #29338
Possible security hole involving umask of 022 or 002

Package: bash; Maintainer for bash is Matthias Klose <doko@debian.org>; Source for bash is src:bash (PTS, buildd, popcon).

Reported by: David Bristel <targon@targonia.com>

Date: Thu, 12 Nov 1998 05:48:03 UTC

Severity: normal

Done: Matthias Klose <doko@cs.tu-berlin.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#29338.


Acknowledgement sent to David Bristel <targon@targonia.com>:
New bug report received and forwarded.

Your message didn't have a Package: line at the start (in the pseudo-header following the real mail header), or didn't have a pseudo-header at all.

This makes it much harder for us to categorise and deal with your problem report; please ensure that you say which package(s) and version(s) the problem is with next time. Some time in the future the problem reports system may start rejecting such messages.

Message #5 received at submit@bugs.debian.org:

From: David Bristel <targon@targonia.com>
To: submit@bugs.debian.org
Subject: Possible security hole involving umask of 022 or 002
Date: Wed, 11 Nov 1998 21:37:29 -0800 (PST)

I would like to report a rather large problem I have recently encountered
with the /etc/profile and /etc/csh.login setup.  These files are set with
a umask of 022 or 002 (depending on the version).  Now, many programs will
create files based on these settings.  Certain programs, such as
TinyFugue, write their config files this way.  TinyFugue includes
unencrypted passwords in the tiny.world file.  Guess what happens with the
umask of 022 or 002.  It allows read permissions for others of this file,
giving a large security hole.  By default, the umask should be set to
either 077, or 177, forcing users to manually give read permission to
anyone besides the user.  This umask problem exists in both Debian 1.3.1
and 2.0.

							David Bristel
							targon@targonia.com




Bug assigned to package `general'. Request was from "J.H.M. Dassen (Ray)" <jdassen@wi.leidenuniv.nl> to control@bugs.debian.org.


Bug reassigned from package `general' to `boot-floppies'. Request was from "J.H.M. Dassen (Ray)" <jdassen@wi.LeidenUniv.nl> to control@bugs.debian.org.


Bug reassigned from package `boot-floppies' to `bash'. Request was from Adam Di Carlo <adam@onshore.com> to control@bugs.debian.org.


Reply sent to Matthias Klose <doko@cs.tu-berlin.de>:
You have taken responsibility.


Notification sent to David Bristel <targon@targonia.com>:
Bug acknowledged by developer.


Message #16 received at 29338-done@bugs.debian.org:

From: Matthias Klose <doko@cs.tu-berlin.de>
To: 29338-done@bugs.debian.org, 29338-submitter@bugs.debian.org
Subject: closing bash bug
Date: Sun, 19 Dec 1999 16:22:56 +0100 (MET)

I do close this bug, because:

- the package used as an example is not a Debian package.
- IMHO it's a bug in the package itself to rely on the system
  umask. The package has to care itself for correct (secure)
  installation


Message sent on to David Bristel <targon@targonia.com>:
Bug#29338.
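
The point made in the closing message, that a program storing secrets has to set file permissions itself instead of inheriting the system umask, shown as an added C example (not code from TinyFugue, bash or Debian). The file names and the secret are constructed; the code contrasts `fopen()` under umask 022 with `open()` at mode 0600, and uses `fchmod()` to cover a file that already exists with wider permissions.

```c
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, dprintf, mkdtemp */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Relies on the system umask: fopen() asks for 0666, the umask decides. */
int write_relying_on_umask(const char *path, const char *secret) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(secret, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Explicit 0600 on create; an existing wider file is tightened before writing. */
int write_private(const char *path, const char *secret) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int ok = fchmod(fd, 0600) == 0 && ftruncate(fd, 0) == 0 &&
             dprintf(fd, "%s", secret) >= 0;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Under umask 022: out = { fopen() file, new private file, fopen() file rewritten }. */
int run_demo(int out[3]) {
    char dir[] = "/tmp/umask-demo-XXXXXX", a[64], b[64];
    const char *s = "constructed-secret\n"; /* constructed sample value */
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/loose.world", dir);
    snprintf(b, sizeof b, "%s/private.world", dir);
    mode_t old = umask(022);
    int rc = write_relying_on_umask(a, s) | write_private(b, s);
    out[0] = mode_of(a); out[1] = mode_of(b);
    rc |= write_private(a, s); /* same path, previously created 0644 */
    out[2] = mode_of(a);
    umask(old); unlink(a); unlink(b); rmdir(dir);
    return rc;
}

int main(void) {
    int m[3], rc = run_demo(m);
    if (rc == 0) printf("%04o %04o %04o\n", (unsigned)m[0], (unsigned)m[1], (unsigned)m[2]);
    return rc != 0;
}
```

If `fchmod()` fails, for example because the existing file belongs to another user, `write_private()` returns an error without writing the secret.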




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 27 04:02:56 2024; Machine Name: buxtehude
