An email utility I often use has setuid permission, so as to be able to read some mail configuration files which are not publicly accessible. In order to limit security concerns, the utility's ownership is that of the mail user, not root. So far so good.
Now I'm trying to pass an extra configuration file to the utility, using process substitution. However, I get "Cannot read /dev/fd/63: Permission denied". How come? It seems bash doesn't respect umask values:

    ale@pcale:~/tmp$ umask -S
    u=rwx,g=rx,o=rx
    ale@pcale:~/tmp$ namei -l <(echo foo)
    f: /dev/fd/63
    drwxr-xr-x root root /
    drwxr-xr-x root root dev
    lrwxrwxrwx root root fd -> /proc/self/fd
    drwxr-xr-x root root /
    dr-xr-xr-x root root proc
    lrwxrwxrwx root root self -> 25980
    dr-xr-xr-x ale ale 25980
    dr-x------ ale ale fd
    lr-x------ ale ale 63 -> pipe:[58230201]
    pipe:[58230201] - No such file or directory

The obvious workaround is to run such scripts as the mail user as well. However, out of curiosity, what's that? A bug? A feature?