Page MenuHomePhabricator
Create Task
Maniphest T48468

Default umask should be set to 0002
Closed, DeclinedPublic
Actions

Description

Given the default sharing of tools by group members, 0002 would make more sense as a default umask.

Version: unspecified
Severity: trivial

Details

Reference
bz46468

Related Objects

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 1:41 AM
bzimport added a project: Toolforge.
bzimport set Reference to bz46468.
coren created this task.Mar 22 2013, 10:27 PM
coren added a comment.Jun 3 2013, 1:44 PM

This should be the default, now.

MZMcBride added a comment.Dec 10 2013, 4:46 AM

Re-opening this for further consideration. I think the default umask should be 0022, not 0002. The Toolserver defaults to 0022.

If I create a .bash_profile and forget to change its permissions, by default any user in the wikidev group can modify it. Ouch.

scfc added a comment.Jan 19 2014, 10:05 PM

(In reply to comment #2)

Re-opening this for further consideration. I think the default umask should
be
0022, not 0002. The Toolserver defaults to 0022.

If I create a .bash_profile and forget to change its permissions, by default
any user in the wikidev group can modify it. Ouch.

We need to differentiate between users and tools anyhow. For users, it should be 0022, for tools 0002.

login.defs(5) suggests that we need to enable USERGROUPS_ENAB to achieve exactly that, but /etc/login.defs says it's enabled, yet "ssh tools-login.wmflabs.org umask" gives me 0022 (hooray!), but "ssh tools-login.wmflabs.org" and then "umask" 0002. Very confusing.

scfc added a comment.Jan 20 2014, 4:16 PM

Memo to self: sudo has "umask" and "umask_override" to play with.

scfc added a comment.Mar 17 2014, 8:01 PM

(In reply to Tim Landscheidt from comment #3)

[...]
login.defs(5) suggests that we need to enable USERGROUPS_ENAB to achieve
exactly that, but /etc/login.defs says it's enabled, yet "ssh
tools-login.wmflabs.org umask" gives me 0022 (hooray!), but "ssh
tools-login.wmflabs.org" and then "umask" 0002. Very confusing.

In eqiad, "ssh tools-login.eqiad" and then "umask" gives now 0022 which is the same as "ssh tools-login.wmflabs.org umask".

coren added a comment.Aug 26 2014, 5:45 PM

What is the nature of the issue that remains, if any?

coren moved this task from Backlog to Ready to be worked on on the Toolforge board.Nov 25 2014, 4:17 PM
coren closed this task as Declined.Mar 17 2015, 2:41 PM

No remaining issues, and users are better off setting umask explicitly if they need something other than the default.

scfc added a comment.Mar 17 2015, 4:08 PM

Sorry for ignoring your previous question. Our setup is designed that users are members of the tool's group so that they have write access to the tool's files and directories. Setting umask to 0022 for tools, while essential for users (or administrators :-)) to not have their files tampered with by anyone in the wikidev group, disallows users from editing files & Co. without sudoing as the tool. So these two defaults clash.

But if a user creates a file in a tool's directory, the user's umask is used anyway, so my ramblings above about sudo are immaterial as sudo isn't in every code path.

It may be possible to solve this with ACL's setfacl, but enabling that could have many side-effects with not so much to gain.

scfc mentioned this in T113979: [toolforge] Allow direct ssh access to tools.Oct 5 2015, 6:54 PM
scfc mentioned this in T158581: replica.my.cnf and .kube/config is not readable by the group members.Feb 21 2017, 12:52 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL