            Beware of Pubnix Data Security
       ==============================


Tue May 31 16:35:29 UTC 2022


I want to raise awareness about account and data security on
pubnixes. This includes the tildeverse and here at sdf.org.


                   ***
       Default umask value is not secure

One prominent issue is that the default umask value is not
safe.  umask sets the permission bits that are removed
from every new file and directory you create.  Unless you
set one yourself, the default is 022: new files come out
644 and new directories 755, which means that by default
everything you create is readable by anyone on the system.

Some security-aware programs, like ssh, gpg and mail, do
create their files more securely.  For example, by default
your `$HOME/.ssh` directory is not readable by others.  The
same applies to `~/mail`, `.bash_history`, and other
directories and files that contain sensitive data.


                   ***
               Some examples

However, with the default umask, it is *easy* for users to
make mistakes.  Recently, I found a user with an accessible
ssh directory. The private keys in it were not accessible,
as correctly created by ssh-keygen. However, the directory
contained a `backup.tar.gz`, apparently created by the user,
which was accessible. When I untarred it, it contained all
the sensitive information, including several private keys
and the ssh config file containing remote host aliases. I
was able to use the private keys to log in to those remote
hosts as this user.

I think what happened was that the user did not ask 'tar' to
preserve file permissions when creating the archive. If
umask were stricter (e.g. 077), I wouldn't have been able to
access the tarball in the first place, *even* if the user
had made the tar permission mistake.
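The umask arithmetic from the first section and the
backup.tar.gz scenario above, as an added example (not code
from this post or from SDF); the home directory, key file
and archive it creates are constructed under a temporary
directory and removed on exit:

```shell
#!/bin/sh
# How umask decides the mode of new files, and why a backup tarball made
# under umask 022 leaks keys that ssh-keygen itself created as 0600.
# Example added for this post, not SDF code; all paths are constructed
# under a temporary directory and removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mode_of PATH -> octal permission bits such as 644 (GNU or BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# create_under_umask MASK PATH -> creates an empty file with MASK in
# effect (in a subshell, so the caller's umask is untouched) and prints
# its mode: the kernel applies 0666 & ~MASK
create_under_umask() {
    ( umask "$1" && : > "$2" )
    mode_of "$2"
}

# mkdir_under_umask MASK PATH -> same for a directory (0777 & ~MASK)
mkdir_under_umask() {
    ( umask "$1" && mkdir "$2" )
    mode_of "$2"
}

# simulate_backup MASK -> builds a fake home with a 0600 private key,
# then archives it the way the user in the post did, with MASK in
# effect; prints "KEYMODE TARMODE"
simulate_backup() {
    home="$WORK/home-$1"
    ( umask 077
      mkdir -p "$home/.ssh"
      printf 'constructed fake key material\n' > "$home/.ssh/id_ed25519" )
    # tar stores each member's mode inside the archive; the archive
    # file itself is just a new file, so it gets 0666 & ~MASK
    ( umask "$1" && tar -cf "$home/.ssh/backup.tar" -C "$home" .ssh/id_ed25519 )
    echo "$(mode_of "$home/.ssh/id_ed25519") $(mode_of "$home/.ssh/backup.tar")"
}

echo "umask 022: file $(create_under_umask 022 "$WORK/f022"), dir $(mkdir_under_umask 022 "$WORK/d022")"
echo "umask 077: file $(create_under_umask 077 "$WORK/f077"), dir $(mkdir_under_umask 077 "$WORK/d077")"
echo "backup under umask 022 (key tar): $(simulate_backup 022)"
echo "backup under umask 077 (key tar): $(simulate_backup 077)"
```

The last two lines are the point: the key inside stays 0600
either way, because tar records each member's own mode, but
the archive file is just another new file whose mode comes
from the umask. A stricter umask keeps the tarball private
no matter how it was made.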

As another short example, at one point I noticed that my
`$HOME/mail` directory and all the files in it were readable
by everyone. Fortunately, the mails didn't seem to contain
sensitive information like password reset links.


                   ***

My point is that although, in theory, the programs are
supposed to do the right thing to keep sensitive data
private, the default umask makes it too easy for users to
make mistakes. Some things I would suggest:

1. admins should change the default umask to 077 so newly
  created files are not readable by other users.

2. users should do the same for themselves (e.g. set
  `umask 077` in their shell startup file).

3. admins can run a cron job that probes sensitive files and
  directories in users' homes (.ssh, mail, mbox, shell
  history files, etc.) system wide, and fixes them for the
  users.

4. on pubnixes, try not to allow ssh public key
  authentication from pubnix A to pubnix B. That way, when
  an attacker obtains access to one host and the private
  keys on it, they will not get access to the other hosts.
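One way to write the audit job from suggestion 3, as an
added example (not an SDF or tildeverse script): the lists
of sensitive paths are an assumption, and the script runs
over a constructed fake /home under a temporary directory
so it is safe to try before pointing it at real homes.

```shell
#!/bin/sh
# Audit, and optionally tighten, permissions of sensitive files under
# users' home directories: the cron job suggested above. Example added
# for this post, not an SDF or tildeverse script; the path lists are
# assumptions. Runs over a constructed fake /home so it is safe to try.
set -eu

# Sensitive entries relative to each home (assumed list; extend it).
SENSITIVE_FILES=".bash_history .sh_history .zsh_history mbox .netrc"
SENSITIVE_DIRS=".ssh .gnupg mail Mail Maildir"

# mode_of PATH -> octal permission bits such as 644 (GNU or BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_path PATH WANT FIX -> prints "PATH MODE" when group or other has
# any access bit; with FIX=1 also chmods it to WANT (600 or 700)
check_path() {
    mode=$(mode_of "$1")
    # the last two octal digits are the group and other bits
    if [ $((mode % 100)) -ne 0 ]; then
        echo "$1 $mode"
        if [ "$3" = 1 ]; then chmod "$2" "$1"; fi
    fi
}

# audit_home HOME FIX -> one line per finding (see check_path)
audit_home() {
    for f in $SENSITIVE_FILES; do
        if [ -f "$1/$f" ]; then check_path "$1/$f" 600 "$2"; fi
    done
    for d in $SENSITIVE_DIRS; do
        if [ -d "$1/$d" ]; then
            check_path "$1/$d" 700 "$2"
            # everything inside (keys, backups, mailboxes) is private too
            find "$1/$d" -mindepth 1 -type d | while IFS= read -r sub; do
                check_path "$sub" 700 "$2"; done
            find "$1/$d" -mindepth 1 -type f | while IFS= read -r sub; do
                check_path "$sub" 600 "$2"; done
        fi
    done
}

# audit_homes ROOT FIX -> audits every directory directly under ROOT
audit_homes() {
    for h in "$1"/*/; do audit_home "${h%/}" "$2"; done
}

# make_fixture ROOT -> constructed homes: alice leaks, bob is clean
make_fixture() {
    ( umask 022
      mkdir -p "$1/alice/.ssh" "$1/alice/mail"
      : > "$1/alice/.ssh/backup.tar.gz"   # the mistake from the post
      : > "$1/alice/mail/inbox"
      : > "$1/alice/.bash_history" )
    ( umask 077
      : > "$1/alice/.ssh/id_ed25519"      # as ssh-keygen would create it
      mkdir -p "$1/bob/.ssh"
      : > "$1/bob/.ssh/id_ed25519"
      : > "$1/bob/.bash_history" )
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_fixture "$WORK/home"
echo "--- findings (report only)"
audit_homes "$WORK/home" 0
echo "--- fixing"
audit_homes "$WORK/home" 1 >/dev/null
echo "--- findings after fix: $(audit_homes "$WORK/home" 0 | wc -l)"
```

For real use, replace the fixture with `audit_homes /home 0`
in cron to get a report, and `1` once you are happy with
what it would change; the check only looks at the group and
other bits, so a user's own choice of 600 versus 640 on a
private file is never loosened, only tightened.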

vim: tw=60