[Haskell-cafe] GHC bindist permissions (Was: [ANNOUNCE] GHC 9.4.1-rc1 is now available)
Bardur Arantsson
spam at scientician.net
Mon Aug 8 17:18:46 UTC 2022
On 08/08/2022 15.59, Brandon Allbery wrote:
> I think umask addresses a different issue than "unprivileged user". In
> any case, yes, 077 is fairly uncommon; if you have that much need for
> privacy then perhaps you should not be using the system in the first
> place.
>
Yes and no. It prevents a program which drops privileges (e.g. sshd) at
the start from reading arbitrary user files, so if there are
post-startup remote vulnerabilities it's unable to exfiltrate all your
user data.
(Obviously one has to trust the program up to that point, but that's a
much smaller attack surface.)
I find it a good general practice in terms of Defense in Depth --
especially as it actually really shouldn't cause issues one a
single-user system. (It *is* probably uncommon as you say, though. I
believe most distros default to 022.)
Regards,
More information about the Haskell-Cafe
mailing list