Opened 7 years ago
Closed 7 years ago
#300 closed defect (worksforme)
insecure umask 0000 on ubuntu server
Reported by: | mattja | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Server | Keywords: | security |
Cc: |
Description (last modified by )
xterm started as application session on the remote server runs with umask 0000.
This has security impact as files/directories created by users are then world-writable.
Expected: some sensible default like 002 or 022.
Version: winswitch 0.12.23-1, xpra 2.1.1-r16658-1
Possible cause: winswitch server assumes umask will be set in /etc/bashrc.
That is true on Red Hat derived systems.
But it is not true on Ubuntu (tested 16.04 LTS) where I think umask is expected to be set by PAM session (pam_umask.so).
Perhaps related, the PAM file provided by /etc/pam.d/xpra seems to assume a Red Hat style system and most of the PAM modules referenced there do not exist on an Ubuntu system.
Change History (4)
comment:1 Changed 7 years ago by
Description: | modified (diff) |
---|---|
Resolution: | → invalid |
Status: | new → closed |
comment:2 Changed 7 years ago by
Ok.. Though note the same insecure umask 0000 is applied to Tiger-VNC desktop sessions started by winswitch on Ubuntu 16.04, not using Xpra.
comment:3 Changed 7 years ago by
Resolution: | invalid |
---|---|
Status: | closed → reopened |
Xpra ticket: http://xpra.org/trac/ticket/1635
Unlike xpra sessions (which can be integrated with systemd / logind), tigervnc sessions are started just as a regular subprocess, so they should be inheriting the umask of the winswitch server process - we don't change anything there.
I'll try to take a look.
comment:4 Changed 7 years ago by
Resolution: | → worksforme |
---|---|
Status: | reopened → closed |
As per the xpra ticket, mattja's is non-standard in some way as I cannot reproduce the xpra problem either.
I believe this is an xpra bug, not winswitch, please use xpra's tracker: https://xpra.org/trac.
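
The inheritance behaviour discussed in this ticket, as an added example that is not part of the ticket and is not winswitch or xpra code: a subprocess takes the umask of the process that starts it, so a server running with umask 0000 produces world-writable session files unless the launcher sets a mask itself. `launch_session`, `is_permissive` and `SAFE_UMASK` are hypothetical names, and 022 is an assumed default taken from the values suggested in the description.

```python
import os
import stat
import subprocess
import sys
import tempfile

SAFE_UMASK = 0o022   # assumption: the ticket names 002 or 022 as sensible

# Child program: report its own umask, then create a file with default mode.
CHILD = (
    "import os, sys\n"
    "m = os.umask(0); os.umask(m)\n"
    "open(sys.argv[1], 'w').close()\n"
    "print(m)\n"
)

def is_permissive(mask):
    """True if files created under this umask can be writable by 'other'."""
    return (mask & stat.S_IWOTH) == 0

def launch_session(server_umask, harden):
    """Hypothetical launcher: returns (child umask, mode of the file it made)."""
    # umask=-1 leaves the inherited value alone (subprocess default, Python 3.9+).
    child_mask = SAFE_UMASK if harden and is_permissive(server_umask) else -1
    previous = os.umask(server_umask)      # simulate the server's own umask
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "session-file")
            out = subprocess.run(
                [sys.executable, "-c", CHILD, path],
                umask=child_mask, capture_output=True, text=True, check=True,
            ).stdout
            mode = stat.S_IMODE(os.stat(path).st_mode)
            return int(out), mode
    finally:
        os.umask(previous)                 # restore the caller's umask

if __name__ == "__main__":
    for harden in (False, True):
        mask, mode = launch_session(0o000, harden)
        print(f"harden={harden}: child umask {mask:04o}, file mode {mode:04o}")
```

A mask of 002 is treated as acceptable and passed through unchanged, matching the expectation stated in the description.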