On 2020-08-06 10:50:23 -0500, Derek Martin wrote: > On Wed, Jul 29, 2020 at 12:55:07PM -0500, Derek Martin wrote: > > On Tue, Jul 28, 2020 at 08:03:23PM +0200, sacham...@s0c4.net wrote: > > > The thread, and even older threads referenced there, is from 2007. > > > Since then, the security field have evolved - now we have SeLinux, > > > Apparmor and other techniques which are capable to provide even > > > better security than umask(077) > > > > None of those changes affect this issue in any meaningful way. > > SELinux predates that thread by at least two years (longer, though it > > was not generally available to the public until ~2005). The arguments > > made in those threads still stand, and I will not repeat them here. > > And FWIW, here's a more precise and detailed description I posted MUCH > more recently than 2007, which explains why this is a bad idea. > Everything here remains true, regardless of any evolution you think > has happened in the security world. > > https://www.mail-archive.com/mutt-users@mutt.org/msg49810.html
Perhaps the OP is on a system where each physical user is in his own group, but possibly with several user ids: the main id would typically use mode 0600 for all private files, but the secondary ids would use mode 0660, i.e. the main id can access the private files of all ids of the user, but the secondary ids would be able to access only their private files. On such a system using umask (007) for secondary ids seems logical and safe. -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
