Books / How To Secure A Linux Server / Chapter 9
Change Default umask
Warning: !! PROCEED AT YOUR OWN RISK !!
This section covers things that are high risk because there is a possibility they can make your system unusable, or are considered unnecessary by many because the risks outweigh any rewards.
Why change default umask?
umask controls the default permissions of files/folders when they are created. Insecure file/folder permissions give other accounts potentially unauthorized access to your data. This may include the ability to make configuration changes.
- For non-root accounts, there is no need for other accounts to get any access to the account’s files/folders by default.
- For the root account, there is no need for the file/folder primary group or other accounts to have any access to root’s files/folders by default.
When and if other accounts need access to a file/folder, you want to explicitly grant it using a combination of file/folder permissions and primary group.
On the other hand, changing the default umask can create unexpected problems. For example, if you set umask to 0077 for root, then non-root accounts will not have access to application configuration files/folders in /etc/, which could break applications that do not run with root privileges.
Goals
- set default umask for non-root accounts to 0027
- set default umask for the root account to 0077
Notes
- umask is a Bash built-in, which means a user can change their own umask setting.
Steps - Change Default umask
- Make a backup of the files we’ll be editing:
    sudo cp --archive /etc/profile /etc/profile-COPY-$(date +"%Y%m%d%H%M%S")
    sudo cp --archive /etc/bash.bashrc /etc/bash.bashrc-COPY-$(date +"%Y%m%d%H%M%S")
    sudo cp --archive /etc/login.defs /etc/login.defs-COPY-$(date +"%Y%m%d%H%M%S")
    sudo cp --archive /root/.bashrc /root/.bashrc-COPY-$(date +"%Y%m%d%H%M%S")
- Set the default umask for non-root accounts to 0027 by adding the line umask 0027 to /etc/profile and /etc/bash.bashrc:
    echo -e "\numask 0027 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/profile /etc/bash.bashrc
- We also need to add the line UMASK 0027 to /etc/login.defs:
    echo -e "\nUMASK 0027 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/login.defs
- Set the default umask for the root account to 0077 by adding the line umask 0077 to /root/.bashrc:
    echo -e "\numask 0077 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /root/.bashrc
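As an added example (not part of the book), the POSIX sh helpers below show what the "Why change default umask?" section describes and add the check a practitioner wants after the steps above: they compute the file and directory modes a given umask yields, render them symbolically, read back the umask value that is actually in effect from a config file (the last uncommented umask/UMASK line wins), and append a umask line only when the file does not already set the wanted value, so the steps can be re-run without duplicating lines. Function names and the "added by" comment format are my own; the files edited are whatever paths you pass in, and the demo at the bottom only prints.

```shell
#!/bin/sh
# Added example, not from the book: helpers to reason about and verify umask settings.

# octal_to_int "0027" -> 23. Parsed digit by digit so it works in plain sh
# (no bash-only 8#... syntax).
octal_to_int() {
    n=0
    rest=$1
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}   # first remaining character
        rest=${rest#?}
        case $d in
            [0-7]) ;;
            *) echo "bad octal digit: $d" >&2; return 1 ;;
        esac
        n=$(( n * 8 + d ))
    done
    printf '%s\n' "$n"
}

# default_mode UMASK BASE: the mode a newly created object gets. BASE is 666 for
# files (the kernel never creates them executable) and 777 for directories.
default_mode() {
    m=$(octal_to_int "$1") || return 1
    b=$(octal_to_int "$2") || return 1
    printf '%04o\n' "$(( b & ~m ))"
}

# mode_to_symbolic 0640 -> rw-r-----  (only the last three digits are used)
mode_to_symbolic() {
    rest=${1#"${1%???}"}
    out=""
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}
        rest=${rest#?}
        case $d in
            0) out="${out}---" ;; 1) out="${out}--x" ;; 2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;; 6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
        esac
    done
    printf '%s\n' "$out"
}

# effective_umask FILE: value from the last uncommented "umask NNNN" (or
# login.defs style "UMASK NNNN") line, which is the one that takes effect.
# Prints nothing if the file sets no umask.
effective_umask() {
    sed -n 's/^[[:space:]]*[uU][mM][aA][sS][kK][[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# ensure_umask_line FILE VALUE [KEYWORD]: append a umask line only if FILE does
# not already end up with VALUE in effect. KEYWORD defaults to "umask"; pass
# "UMASK" for /etc/login.defs. Re-running is a no-op.
ensure_umask_line() {
    file=$1
    value=$2
    keyword=${3:-umask}
    [ "$(effective_umask "$file")" = "$value" ] && return 0
    printf '\n%s %s # added by %s on %s\n' "$keyword" "$value" "$(id -un)" "$(date +%Y-%m-%d)" >> "$file"
}

# summarize_umask 0027 -> one line describing what files and directories get.
summarize_umask() {
    f=$(default_mode "$1" 666) || return 1
    d=$(default_mode "$1" 777) || return 1
    printf 'umask %s: files %s (%s), directories %s (%s)\n' \
        "$1" "$f" "$(mode_to_symbolic "$f")" "$d" "$(mode_to_symbolic "$d")"
}

# Demo: the common default 0022 next to the two values this chapter sets.
for u in 0022 0027 0077; do
    summarize_umask "$u"
done
```

Running it prints that 0027 gives files rw-r----- and directories rwxr-x---, while 0077 strips group access too (rw------- / rwx------), which is exactly the /etc/ breakage risk described above when it is applied to root. To verify a real system, call effective_umask on /etc/profile, /etc/bash.bashrc, /etc/login.defs and /root/.bashrc and compare against the goals; ensure_umask_line needs write access to the target, so run it under sudo for files outside your home directory.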