10.5: How to set NSUmask in Leopard
Authored by: xr4ti on Dec 28, '07 01:30:03PM

Since it applies to the whole system, this hint appears to be a bad idea, if the new umask is more restrictive than the system default.

Unless I'm mistaken, this system-wide umask change means that files and folders created in the normal course of operations (such as system logs) will be created with permissions that make it impossible for them to be used by other users and, more importantly, by processes.

And I tried the local version of launchd.conf ($HOME/.launchd.conf), and confirmed that it doesn't do anything (in 10.5.1 with the sec update from 2007-12-27).

So, unless someone comes up with another approach to setting a user's umask, Apple has screwed the pooch on privacy settings for a multi-user 10.5 system.

If you combine their decision to put all users in the same group (20/staff) and their decision to set the user umask to allow everyone to see files, it would seem that Apple has all but begged for public embarrassment.

I guess I'll have to create a task that searches for new files and folders and kills off access for group and other. I'll be cursing Apple the whole time.

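The cleanup task mentioned at the end of the comment above could look like the following sketch. It is an added example, not code from the commenter or from the hint; the function name `lock_down` is hypothetical, and it assumes the script runs as the owner of the files (or as root).

```shell
#!/bin/sh
# Added example: approximate a per-user "umask 077" after the fact by
# removing every group/other permission bit below a directory.
# Caveat: files stay exposed from creation until the next run, so this
# narrows the window rather than closing it the way a real umask would.

# lock_down DIR
#   Finds paths under DIR that grant any access to group or other,
#   strips those bits, and prints each path it changed (one per line).
#   Symlinks are skipped because chmod would act on their targets.
#   Only POSIX "-perm -mode" tests are used, so the expression works
#   with both the BSD find shipped with Mac OS X and GNU find.
lock_down() {
    find "$1" ! -type l \( \
            -perm -040 -o -perm -020 -o -perm -010 -o \
            -perm -004 -o -perm -002 -o -perm -001 \
        \) -exec chmod go-rwx {} + -print
}

# Stand-alone use: sh lockdown.sh "$HOME/Documents"
if [ "$#" -gt 0 ]; then
    lock_down "$1"
fi
```

Run from a scheduled job against a user's own directories, the printed paths double as a log of what had been created with group or world access since the last pass.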
10.5: How to set NSUmask in Leopard
Authored by: xr4ti on Dec 29, '07 01:43:00PM

Just want to confirm that I've tried:
- the two NSUmask techniques (neither of them work)
- the .launchd.conf technique (doesn't work)
- the /etc/launchd.conf (works, but...)

I wanted umask 077, for fewer vulnerabilities and greater privacy. Putting umask 077 in /etc/launchd.conf does work, but it does, as I feared, affect how some system processes create files. That could cause some errant behavior, or could even cause a process to fail. I haven't seen my /var/log/system.log roll over yet, but I'll be interested to see what happens when it does.

I'm going to recommend that my employer think twice about moving to Leopard until they can be sure that the world-readable issues are resolved. It's absolutely ridiculous that Apple took this approach.
