Beware of Pubnix Data Security
==============================

Tue May 31 16:35:29 UTC 2022

I want to raise awareness about account and data security on
pubnixes. This includes the tildeverse and here at sdf.org.

*** Default umask value is not secure

One prominent issue is that the default umask value is not safe
by default. umask dictates the default access permissions of
new files and directories that you create. Unless you specify
one, the default is 022 - it means that by default, your files
are readable by anyone on the system.

Some security-aware programs, like ssh, gpg, mail, do create
files more securely. For example, by default, your `$HOME/.ssh`
directory is not readable by others. The same applies to
`~/mail`, `.bash_history`, and other directories and files that
contain sensitive data.

*** Some examples

However, with the default umask, it is *easy* for users to make
mistakes.

Recently, I found a user with an accessible .ssh directory. The
private keys in it were not accessible - as correctly created
by ssh-keygen. However, the directory contained a
`backup.tar.gz`, apparently created by the user, which was
accessible. When I untarred it, it contained all the sensitive
information, including several private keys and the ssh config
file containing remote host aliases. I was able to use the
private keys to log in to those remote hosts as this user.

I think what happened was that the user did not ask 'tar' to
preserve file permissions when creating the archive. If umask
were stricter (e.g. 077), I wouldn't have been able to access
the tar ball in the first place, *even* if the user made the
tar permission mistake.

As another short example, at one point I noticed that my
`$HOME/mail` directory and all the files in it were readable by
everyone. Fortunately, the mails don't seem to contain
sensitive information like password reset links.

*** My point is

Although, in theory, the programs are supposed to do the right
thing to keep sensitive data private, the default umask just
makes it too easy for users to make mistakes. Some things I
would suggest:

1. admins should change the default umask to 077 so newly
   created files are not readable by other users.
2. users should do the same for themselves.
3. admins can run a cron job that probes sensitive files and
   directories in users' homes (.ssh, mail, mbox, shell
   history files, etc.) system wide, and fixes them for the
   users.
4. on pubnixes, try not to allow ssh public key authentication
   from pubnix A to pubnix B. That way, when a hacker obtains
   access to one host and the private keys, they will not get
   access to the other hosts.
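The audit cron job suggested in item 3, as an added example that is
not from the original post: a POSIX sh script that checks whether
the shell's umask is strict, scans a home directory for the
sensitive names listed above, reports anything that group or others
can read, write or enter, and optionally tightens those paths with
`chmod go-rwx`. The SENSITIVE name list and all function names are
my own assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit home directories
# for sensitive files that group/others can access, the way a
# system-wide cron job on a pubnix could. The SENSITIVE name list and
# the function names are assumptions made for this example.

SENSITIVE='.ssh .gnupg mail mbox .bash_history .zsh_history .history'

# Return 0 if the current shell umask clears every group/other bit
# (e.g. 077 or 0077), 1 otherwise. Any umask ending in 77 qualifies.
umask_is_strict() {
    case "$(umask)" in
        *77) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print each sensitive path under home dir $1 that grants any
# permission to group or others. Uses only POSIX find predicates.
audit_home() {
    home="$1"
    for name in $SENSITIVE; do
        path="$home/$name"
        [ -e "$path" ] || continue
        find "$path" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                     -o -perm -o+r -o -perm -o+w -o -perm -o+x \) \
             -print 2>/dev/null
    done
}

# Strip group/other permissions from everything audit_home reports.
fix_home() {
    audit_home "$1" | while IFS= read -r p; do
        chmod go-rwx "$p"
    done
}

# Walk every home under /home (run as root from cron). With the
# argument --fix the problems are repaired, otherwise only listed.
audit_all_homes() {
    umask_is_strict || echo "warning: umask $(umask) is not 077" >&2
    for h in /home/*; do
        [ -d "$h" ] || continue
        if [ "$1" = "--fix" ]; then fix_home "$h"; else audit_home "$h"; fi
    done
}
```

Source the file and call `audit_all_homes` from a root cron entry
(add `--fix` once you are happy with what the report lists). Because
`audit_home` matches any group/other bit, it also catches the
`backup.tar.gz` case above: a 700 `.ssh` directory is silent, but a
644 file inside it is reported.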