Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#300 closed defect (worksforme)

insecure umask 0000 on ubuntu server — at Version 1

Reported by: mattja
Owned by:
Priority: major
Milestone:
Component: Server
Keywords: security
Cc:

Description (last modified by Antoine Martin)

xterm started as application session on the remote server runs with umask 0000.
This has security impact as files/directories created by users are then world-writable.
Expected: some sensible default like 002 or 022.

Version: winswitch 0.12.23-1, xpra 2.1.1-r16658-1

Possible cause: winswitch server assumes umask will be set in /etc/bashrc.
That is true on Red Hat derived systems.
But it is not true on Ubuntu (tested 16.04 LTS) where I think umask is expected to be set by PAM session (pam_umask.so).

Perhaps related, the PAM file provided by /etc/pam.d/xpra seems to assume a Red Hat style system, and most of the PAM modules referenced there do not exist on an Ubuntu system.
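
The effect reported above, with a launcher-side check, as an added example that is not part of the original ticket and is not winswitch or xpra code. The function names are hypothetical, and the fallback value 022 is one of the defaults the reporter suggests.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not winswitch or xpra code.

# Succeeds (exit 0) when MASK is valid octal and leaves the "other write"
# bit (002) unmasked, so newly created files end up world-writable.
umask_allows_world_write() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;    # reject anything that is not octal
    esac
    [ $(( 0$1 & 002 )) -eq 0 ]
}

# Create a scratch file and directory under MASK inside a subshell (the
# caller's umask is untouched) and print their permission strings.
probe_umask() {
    (
        umask "$1" || exit 2
        d=$(mktemp -d) || exit 2
        : > "$d/file"
        mkdir "$d/dir"
        printf '%s %s\n' \
            "$(ls -ld "$d/file" | cut -c1-10)" \
            "$(ls -ld "$d/dir" | cut -c1-10)"
        rm -rf "$d"
    )
}

# Run a command with FALLBACK as its umask, but only when the inherited
# umask is world-writable; a stricter inherited value (e.g. 077) is kept.
run_with_safe_umask() {
    fallback=$1
    shift
    (
        if umask_allows_world_write "$(umask)"; then
            umask "$fallback"
        fi
        exec "$@"
    )
}
```

`probe_umask 0000` shows the world-writable modes the ticket describes, and a session launcher could start its command through `run_with_safe_umask 022 xterm` so the result no longer depends on /etc/bashrc or pam_umask.so having run.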

Change History (1)

comment:1 Changed 7 years ago by Antoine Martin

Description: modified (diff)
Resolution: invalid
Status: new → closed

I believe this is an xpra bug, not winswitch, please use xpra's tracker: https://xpra.org/trac.
