Now tb-starter package has this issue:
bash -n /etc/torbrowser.d/50_user.conf
bash: /etc/torbrowser.d/50_user.conf: Permission denied
It was reported by a tester here:
So config files created by root (in /etc dunno if this matters elsewhere too) are now no longer readable by others. This leads to an usability issue as above and might potentially lead to similar issues.
Another issue is sudo make install (by genmkfile) - also leading to permission denied errors since using sudo would install to /usr/bin etc copy with umask unreadable by user user.
Therefore I am considering to remove umask changes. We now have user home folder permission lockdown by security-misc package which effectively does this:
chmod o-rwx /home/user
That should protect 80-90% of the user’s files from other compromised non-root users anyhow? So if we revert to Debian default -rw-r--r-- (umask 0022) it does not matter. Compromised non-root users still cannot read files by user user in folder /home/user.
What other folders do you expect users create files in where Debian default -rw-r--r-- (umask 0022) would cause issues?
/tmp? Should not be an issue. Applications should be using mktemp (or appropriate similar API). And there it’s not an issue.
mktemp
/tmp/tmp.ol7zDa3XgC
ls -la /tmp/tmp.ol7zDa3XgC
-rw------- 1 user user 0 Aug 17 20:40 /tmp/tmp.ol7zDa3XgC
Any other cases where Debian default -rw-r--r-- (umask 0022) is as much of an issue to justify the breakage we are already having and potential further issues?