From: Kang Kai <Kai.Kang@windriver.com>
To: Alexandru Moise <alexandru.moise@windriver.com>,
	<openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH] STIG: The system default umask in /etc/login.defs must be 077
Date: Thu, 14 Jul 2016 15:47:43 +0800
Message-ID: <5787439F.5050701@windriver.com>
In-Reply-To: <1459962072-11756-1-git-send-email-alexandru.moise@windriver.com>

On 2016-04-07 01:01, Alexandru Moise wrote:
> The umask value influences the permissions assigned to files when they
> are created. A misconfigured umask value could result in files with
> excessive permissions that can be read and/or written to by unauthorized
> users.
>
> Also modify /etc/profile in base-files because the /etc/profile file
> overloads the behavior of /etc/login.defs, so if we desire the
> functionality provided by setting umask to 077 we should set it in
> login.defs to adhere to STIG but also set it in /etc/profile to have the
> intended functionality.
>
> Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
> ---

Ping.


>   meta/recipes-core/base-files/base-files/profile    |  2 +-
>   ...stem-default-umask-in-etc-login.defs-to-0.patch | 29 ++++++++++++++++++++++
>   meta/recipes-extended/shadow/shadow.inc            |  1 +
>   3 files changed, 31 insertions(+), 1 deletion(-)
>   create mode 100644 meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
>
> diff --git a/meta/recipes-core/base-files/base-files/profile b/meta/recipes-core/base-files/base-files/profile
> index 53c2680..f48a3c0 100644
> --- a/meta/recipes-core/base-files/base-files/profile
> +++ b/meta/recipes-core/base-files/base-files/profile
> @@ -32,5 +32,5 @@ fi
>   
>   export PATH PS1 OPIEDIR QPEDIR QTDIR EDITOR TERM
>   
> -umask 022
> +umask 077
>   
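
Review bot: The switch from `umask 022` to `umask 077` at the end of profile is unconditional, so every image that ships base-files gets the stricter mask whether or not it targets STIG. Consider keeping 022 as the default here and letting a distro or layer select 077 (for example through a variable or a bbappend), and mention in the commit message that files created by login users will no longer be group- or world-readable.
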
> diff --git a/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
> new file mode 100644
> index 0000000..c0d6ee7
> --- /dev/null
> +++ b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
> @@ -0,0 +1,29 @@
> +From dd2295715fabd823f01656cef0393cedc5a4bc34 Mon Sep 17 00:00:00 2001
> +From: Alexandru Moise <alexandru.moise@windriver.com>
> +Date: Wed, 6 Apr 2016 05:45:58 +0000
> +Subject: [PATCH] STIG: set system default umask in /etc/login.defs to 077
> +
> +Conform to STIG standard:
> +https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38645
> +
> +Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
> +---
> + etc/login.defs | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/etc/login.defs b/etc/login.defs
> +index 8dd7c44..e2a8a65 100644
> +--- a/etc/login.defs
> ++++ b/etc/login.defs
> +@@ -190,7 +190,7 @@ KILLCHAR	025
> + # 022 is the default value, but 027, or even 077, could be considered
> + # for increased privacy. There is no One True Answer here: each sysadmin
> + # must make up his/her mind.
> +-UMASK		022
> ++UMASK		077
> +
> + #
> + # Password aging controls:
> +--
> +2.5.0
> +
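
Review bot: The header of the embedded patch (between its Signed-off-by line and the `---`) has no Upstream-Status tag, which OE-core expects on every patch a recipe carries. Please add one; since this is a policy setting rather than an upstream bug fix, something like "Inappropriate [configuration]" looks like the fit. The referenced finding V-38645 is from the Red Hat Enterprise Linux 6 STIG, so the message should also say why it is being applied as the default here.
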
> diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
> index 4313ffe..9337493 100644
> --- a/meta/recipes-extended/shadow/shadow.inc
> +++ b/meta/recipes-extended/shadow/shadow.inc
> @@ -16,6 +16,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
>              file://fix-installation-failure-with-subids-disabled.patch \
>              file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
>              file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
> +	   file://0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch \
>              ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
>              "
>   
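
Review bot: The added SRC_URI entry is indented with a tab followed by spaces, while the neighbouring `file://` entries are indented with spaces only. Please match the existing indentation. The file name also ends in "-to-0.patch" because it was cut off when generated; a shorter descriptive name would read better in the recipe.
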


-- 
Regards,
Neil | Kai Kang
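
The point made in the quoted commit message, that /etc/profile overrides the login.defs value so both files have to change, as an added example (not part of this thread or of the OpenEmbedded tree): a shell check run over constructed sample trees. The function names, the tree layout and the rule that the last uncommented entry wins are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit a rootfs tree for the umask policy discussed in the patch.
# Function names and the sample trees are constructed for illustration.

# Last uncommented octal UMASK entry in <root>/etc/login.defs (empty if none).
login_defs_umask() {
    [ -r "$1/etc/login.defs" ] || return 0
    awk '$1 == "UMASK" && $2 ~ /^[0-7]+$/ { v = $2 } END { if (v != "") print v }' "$1/etc/login.defs"
}

# Last uncommented "umask NNN" line in <root>/etc/profile (empty if none).
profile_umask() {
    [ -r "$1/etc/profile" ] || return 0
    awk '$1 == "umask" && $2 ~ /^[0-7]+$/ { v = $2 } END { if (v != "") print v }' "$1/etc/profile"
}

# Mask a login shell ends up with: a umask line in /etc/profile overrides the
# login.defs value, which is why the patch changes both files.
effective_umask() {
    p=$(profile_umask "$1")
    if [ -n "$p" ]; then echo "$p"; else login_defs_umask "$1"; fi
}

# Return 0 only when both files carry the wanted mask; print each mismatch.
check_umask_policy() {
    root=$1; want=$2; rc=0
    d=$(login_defs_umask "$root"); p=$(profile_umask "$root")
    # Compare as octal numbers so 077 and 0077 are treated alike.
    [ -n "$d" ] && [ $((0$d)) -eq $((0$want)) ] || { echo "login.defs: UMASK ${d:-unset}, want $want"; rc=1; }
    [ -n "$p" ] && [ $((0$p)) -eq $((0$want)) ] || { echo "profile: umask ${p:-unset}, want $want"; rc=1; }
    return $rc
}

# Build a constructed sample tree: make_sample_tree <dir> <login.defs mask> <profile mask>
make_sample_tree() {
    mkdir -p "$1/etc"
    printf '# 022 is the default value\nUMASK\t\t%s\n' "$2" > "$1/etc/login.defs"
    printf 'export PATH PS1\n\numask %s\n' "$3" > "$1/etc/profile"
}

demo=$(mktemp -d)
make_sample_tree "$demo/half" 077 022    # login.defs hardened, profile left at 022
make_sample_tree "$demo/full" 077 077    # both files changed, as in the patch
echo "half: effective $(effective_umask "$demo/half")"; check_umask_policy "$demo/half" 077 || true
echo "full: effective $(effective_umask "$demo/full")"; check_umask_policy "$demo/full" 077 && echo "full: OK"
rm -rf "$demo"
```

Pointed at an image's root filesystem directory instead of the sample trees, `check_umask_policy <rootfs> 077` flags the half-applied case where only login.defs was changed.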


