[texhax] Umasks, Permissions, and All That

Reinhard Kotucha reinhard.kotucha at web.de
Sun Jul 14 01:19:01 CEST 2013

On 2013-07-13 at 11:43:36 -0400, Thomas Schneider wrote:

 > Reinhard:
 > >  > Dick:
 > >  > 
 > >  > > I'd like to summarize the current situation regarding umask, Unix
 > >  > > Permissions, and MacTeX.  When MacTeX installs, the directories
 > >  > > /usr/local and /usr/local/texlive may or may not exist. If they
 > >  > > already exist, their permissions are not changed. If they don't
 > >  > > exist, they are given reasonable permissions.
 > >  > 
 > >  > I think the only reasonable permissions are drwxr-xr-x with ownership
 > >  > being root.
 > > 
 > > You cannot change ownership unless you are root already.  And I don't
 > > recommend to install everything as root.
 > When you give your administrative password to do an installation
 > through a graphical user interface, you are (as I understand it)
 > essentially becomming root.

Don't know which GUI you have in mind, but if it asks for your
password, it simply passes it to sudo.  Most installers expect that
you run sudo yourself.  A root password is required only if you don't
have write permissions at the install directory.

 > So just about everything you install IS as root.  Furthermore, the
 > requrement for using sudo in the texlive 2013 installation IS
 > making the person root.

It's not a requirement and I *never* installed TeX Live as root.  At
work I'm maintaining a TeX Live system on a server.  I'm not root on
this machine.  It's sufficient that I have write permissions.  All my
colleagues can mount it readonly on their machines. 

 > Furthermore, the purpose of being root is to prevent a normal user
 > from inadvertantly or maliciously changing the operating system.

root is the maintainer of your system.  You should log in as root only
when you are maintaining your system.  This is safest.  If you install
software which isn't part of your system, it's better not to install
as root, because then you can't break your system accidentally when
maintaining it.  Installing as root doesn't make anything safer. 

 > > I'm the owner of /usr/local because I maintain the stuff therein.
 > You own your computer but root ought to own things in /usr/local to
 > allow all people working on the computer access.  If you want a
 > private package, install it in your own files under your home
 > directory and route your path through it.  Then you will have full
 > control over the installation AND when you move your personal files to
 > another computer, you will carry the program with you and won't have
 > to move /usr/local separately.

I don't want a private package.  I don't want to be root when
maintaining TeX Live and some other packages.  It's more secure if you
can avoid being root.

/usr/local isn't used by the system.  It's for 3rd-party software.
It's owned by root by default because the administrator has to decide
whom to grant permissions anyway.
 > > It would be a pain if I had to use sudo when installing to a
 > > directory owned by me.
 > That strikes me as lazy.  It's hardly any extra work (0.5 seconds if
 > you touch type!!), installation occurs infrequently and using sudo
 > keeps the operating system secure.

NO! The opposite is the case!  sudo runs programs with root
privileges.  *This* is unsecure!  Use sudo only when absolutely
necessary, i.e. when maintaining your system.

If you invoke a malicious program as a user, it can't access system
files at least.  If sudo is necessary in order to maintain the
program, keep in mind that sudo opens the doors to your system.

 > If you want an insecure computer system (and the resulting
 > instability), use Windows.  (Last I asked, a normal user can still
 > modify a Windows operating system with no safeguards.  As I
 > understand it, that's most of why there are still viruses in the
 > world.  An exception is government installations that prevent all
 > changes on Windows so folks have to get a sysadmin in all the time
 > to do the most trivial installation.)

You can create unprivileged user accounts on Windows.  But since this
leads to many inconveniences, most people don't.  There are many other
things which make it easy on Windows to spread viruses even as a
mortal user.

 > > And I would be pissed off if an installer disregards my personal
 > > umask.
 > Rightfully so, but this is only for texlive and the settings ought to
 > make the package available to everyone on the machine.  It only makes
 > sense, the texlive is public software.  Why would you want to hide it
 > from others on the computer?

What makes you believe that other users can't use it?
 > You can always change it to be not permitted.  But take a look at your
 > /usr/local and show us what the permissions are in your packages
 > there.

$ ls -la /usr/local/texlive/2013/
total 1648
drwxr-xr-x  9 reinhard users   4096 Jun  1 01:37 .
drwxr-xr-x 28 reinhard users   4096 Jul  8 23:25 ..
-rw-r--r--  1 reinhard users   2098 Sep 28  2006 LICENSE.CTAN
-rw-r--r--  1 reinhard users   5086 Jun  5  2011 LICENSE.TL
-rw-r--r--  1 reinhard users    183 Aug  9  2008 README
-rw-r--r--  1 reinhard users    250 Aug  9  2008 README.usergroups
drwxr-xr-x  7 reinhard users   4096 Apr 16 21:09 bin
-rw-r--r--  1 reinhard users 676263 May 29 03:47 doc.html
-rw-r--r--  1 reinhard users   1157 May 31  2010 index.html
-rwxr-xr-x  1 reinhard users  78785 May 11 18:14 install-tl

 > > In respect of file permissions, I'm conviced that the current behavior
 > > of both, TeX Live and MacTeX, is correct.  IMO it doesn't matter at all
 > > whether it's a good or bad idea.  The only question is whether it's
 > > correct or not.  It's *not* a matter of taste or convenience.
 > You have not given any evidence that setting permissions to drwxr-xr-x
 > is wrong.  You have not given any evidence that the current behavior
 > is 'correct'.  All you did was assert that.

The umask setting reflects user/admin preferences.  I regard every
program which tries to override them as being malicious.

 > > Thomas, you said that you're using tcsh.  I don't have OS/X but
 > > doesn't it come with Bash as well?  Could you check whether it works
 > > with Bash?
 > Of course I have bash on my machine, it's a Unix box.

It's not self-evident.  Since OS/X is based on BSD, I would expect
that csh or some derivate of it is available.  As far as Unix is
concerned, it's sufficient to provide a Bourne compatible shell.  But
there are zillions of them.  Bash is only one of them.

 >  But if I were installing using bash, I would STILL set my own mask
 > to 077 so that my files are not visible to others unless I
 > intentionally set them to be visible.  This would probably still
 > (inappropriately) propagate to the sudo.  So the shell is
 > irrelevant.
 > > umask is a shell function and different shells have different startup
 > > scripts.
 > That's not relevant since users like me will set their shells to make
 > their files more secure.

Urgh!  You deliberately misconfigured your system and now ask the TeX
Live team to fix it, i.e. to override your configuration?  I'm not the
one who decides but I can assure you that TeX Live *never* will
override user/admin settings.

If you insist on umask 077 for your personal files and want to
maintain a TeX Live System in /usr/local which can be accessd by all
users, do this:

 1. Create a new account "texadmin".  If there is someone you trust
    who can maintain the system when you are on leave, you might want
    to create a new group as well.

 2. log in as "texadmin" and set umask to 022.

 3. Create a directory /usr/local/texlive.

 4. Adapt ownersip of /usr/local/texlive.  If there is no group, run

      chown -R texadmin:users /usr/local/texlive
   otherwise, if the group is named "texadmin" as well,
      chown -R texadmin:texadmin /usr/local/texlive

 5. Log in as texadmin and install TeX Live.

You have to log in as "texadmin" in order to maintain your TeX Live
system (using tlmgr).  I don't know whether it's less convenient than
using sudo, but I can assure you that the procedure described above is
by far much more secure than anything which depends on sudo.

The purpose of sudo is to open the doors to your operating system, as
it's name implies.  Avoid it whenever possible.


Reinhard Kotucha                                      Phone: +49-511-3373112
Marschnerstr. 25
D-30167 Hannover                              mailto:reinhard.kotucha at web.de
Microsoft isn't the answer. Microsoft is the question, and the answer is NO.

More information about the texhax mailing list