From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from oldp.nmsu.edu ([128.123.26.31]) by hawkwind.utcs.utoronto.ca with SMTP id <24124>; Fri, 25 Aug 1995 16:03:09 -0400
Received: by oldp.nmsu.edu; id AA00384; Fri, 25 Aug 1995 14:02:59 -0600
Message-Id: <9508252002.AA00384@oldp.nmsu.edu>
To: rc@hawkwind.utcs.toronto.edu
Subject: umask SECURITY HOLE with rc on Solaris
Date: Fri, 25 Aug 1995 16:02:59 -0400
From: Alan Watson
X-Mts: smtp

By default in Solaris, shells inherit a umask of 0; this is Really Bad. The real fix is to change the system (edit /etc/default/login and set the umask before starting inetd -- credit to John Denune for the latter fix) so that shells start with a umask of 022, but I still suggest applying the following patch to rc to set umask to 022 iff umask is initially 0. I know this is undeniably hand-holding, but do you really want to trust every overworked sysadmin trying to deal with the pain of Solaris to catch this one?

Alan Watson

*** main.c.orig Fri Aug 25 10:24:34 1995 --- main.c Fri Aug 25 10:22:09 1995 *************** *** 14,19 **** --- 14,20 ---- extern void main(int argc, char *argv[], char *envp[]) { char *dashsee[2], *dollarzero, *null[1]; int c; + int oldumask; initprint(); dashsee[0] = dashsee[1] = NULL; dollarzero = argv[0]; *************** *** 64,69 **** --- 65,75 ---- checkfd(1, rCreate); checkfd(2, rCreate); } + oldumask = umask(0); + if (oldumask == 0) + umask(022); + else + umask(oldumask); initsignal(); inithash(); initparse();
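
Review bot: in the first hunk (main.c 14,20), "int oldumask;" should be declared as mode_t rather than int, since umask() takes and returns mode_t. These hunks add no #include, so also confirm that main.c already pulls in <sys/types.h> and <sys/stat.h> for the umask() prototype.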
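
Review bot: in the second hunk (main.c 65,75), the umask block runs only after "checkfd(1, rCreate); checkfd(2, rCreate);", so whatever those calls open or create is still handled under the inherited umask of 0. Moving the block to the top of main(), before any file descriptor work, would close that gap. Separately, the test "if (oldumask == 0)" cannot distinguish a caller that deliberately set umask 0 from the Solaris default, so rc would silently override an intentional setting. A comment at that spot should say so, and should note that a script needing 0 has to set it again itself.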