Subject: misc/20509: umask in skel configuration files is set to a dangerous value
To: None <gnats-bugs@gnats.netbsd.org>
From: None <sobrado@acm.org>
List: netbsd-bugs
Date: 02/27/2003 02:08:24
>Number:         20509
>Category:       misc
>Synopsis:       umask in skel configuration files is set to a dangerous value
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 27 02:09:01 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Igor Sobrado
>Release:        1.6
>Organization:
University of Oviedo
>Environment:
NetBSD ns1.localnet 1.6 NetBSD 1.6 (GENERIC) #0: Sun Sep  8 19:43:40 UTC 2002
     autobuild@tgm.daemon.org:/autobuild/i386/OBJ/autobuild/src/sys/arch/i386/compile/GENERIC i386

>Description:
The file creation mask is set to value 2 in both /etc/skel/.cshrc
and /etc/skel/.profile.  This is a dangerous value for umask,
allowing a careless user to remove files from other users in the
same group (users' home directories are not protected with the
sticky bit).
>How-To-Repeat:
The problem is easy to repeat by creating a user account with the
default login scripts:

# useradd [...] -m -k /etc/skel [...]
>Fix:
I recommend changing the value of umask to 022 instead of 2
in both /etc/skel/.cshrc and /etc/skel/.profile; alternatively,
it can be set up to 077 but, IMHO, it is against the open
behaviour of NetBSD.
>Release-Note:
>Audit-Trail:
>Unformatted:
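
The check described in the report, as an added example that is not part of the original submission or of NetBSD: it reads the umask set in a skel directory's .cshrc and .profile, computes the modes new directories and files receive, and flags masks that leave group or other write permission. The function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit login-script templates for a umask that leaves
# group or other write permission on newly created files and directories.

# Print the last umask value set in a login script (empty if none).
skel_umask() {
    sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{1,4\}\).*/\1/p' "$1" | tail -n 1
}

# Mode a new directory (base 777) or file (base 666) gets under a mask.
resulting_mode() {   # $1 = base mode, $2 = umask (octal digits)
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Return 0 if the mask leaves group-write (020) or other-write (002) enabled.
mask_allows_shared_write() {
    [ $(( ~0$1 & 022 )) -ne 0 ]
}

# Report each template's umask; return 1 if any mask is permissive.
audit_skel() {       # $1 = directory holding .cshrc and .profile
    rc=0
    for f in "$1/.cshrc" "$1/.profile"; do
        [ -f "$f" ] || continue
        m=$(skel_umask "$f")
        [ -n "$m" ] || { echo "$f: no umask set"; continue; }
        modes="dirs $(resulting_mode 777 "$m"), files $(resulting_mode 666 "$m")"
        if mask_allows_shared_write "$m"; then
            echo "$f: umask $m -> $modes (group/other writable)"
            rc=1
        else
            echo "$f: umask $m -> $modes"
        fi
    done
    return $rc
}

# Constructed sample: one template with the reported value, one with 022.
demo=$(mktemp -d)
printf 'umask 2\n' > "$demo/.cshrc"
printf 'umask 022\n' > "$demo/.profile"
audit_skel "$demo" || echo "audit: permissive umask found"
rm -rf "$demo"
```

On a live system the function would be pointed at the skel directory itself, for example `audit_skel /etc/skel`.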