Change Default umask

Warning: !! PROCEED AT YOUR OWN RISK !!

Proceed At Your Own Risk

This section covers changes that are high risk: they can make your system unusable, and many consider them unnecessary because the risks outweigh the rewards.

Why change default umask?

umask is a mask of permission bits that the kernel removes from the mode a process asks for when it creates a file or directory (typically 0666 for files and 0777 for directories), so it decides the default permissions of anything a user or program creates. Loose defaults give other accounts potentially unauthorized access to your data, which may include the ability to read secrets or make configuration changes.

  • For non-root accounts, there is no need for other accounts to get any access to the account’s files/folders by default.
  • For the root account, there is no need for the file/folder primary group or other accounts to have any access to root’s files/folders by default.

When and if other accounts need access to a file/folder, you want to explicitly grant it using a combination of file/folder permissions and primary group.

On the other hand, changing the default umask can create unexpected problems. The mask applies to everything created afterwards by a process that inherited it; files that already exist are not changed. For example, if root's umask is 0077, any configuration file root writes from that shell (say, under /etc/) ends up mode 0600, and non-root accounts cannot read it, which breaks services that run as a dedicated unprivileged user or drop privileges after start.

Goals

  • set default umask for non-root accounts to 0027
  • set default umask for the root account to 0077

Notes

  • umask is a per-process setting (see umask(2)). The umask shell built-in lets any user change it for their own shell, so the values below are defaults, not an enforced policy.
  • /etc/profile and /etc/bash.bashrc are read only by login and interactive Bash shells. Daemons started by systemd do not read them; if a service needs a stricter mask, set UMask= in its unit file.
  • The UMASK setting in /etc/login.defs is applied to login sessions by pam_umask (Debian and Ubuntu enable it in /etc/pam.d/common-session), which also covers accounts whose shell is not Bash.
  • A shell that is already open keeps its old value. After the change, log in again (or run sudo -i for root) and run umask to confirm the new default.

Steps - Change Default umask

  1. Make a backup of files we’ll be editing:

     sudo cp --archive /etc/profile /etc/profile-COPY-$(date +"%Y%m%d%H%M%S")
     sudo cp --archive /etc/bash.bashrc /etc/bash.bashrc-COPY-$(date +"%Y%m%d%H%M%S")
     sudo cp --archive /etc/login.defs /etc/login.defs-COPY-$(date +"%Y%m%d%H%M%S")
     sudo cp --archive /root/.bashrc /root/.bashrc-COPY-$(date +"%Y%m%d%H%M%S")
    
  2. Set default umask for non-root accounts to 0027 by adding this line to /etc/profile and /etc/bash.bashrc:

     umask 0027
    
     echo -e "\numask 0027         # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/profile /etc/bash.bashrc
    
  3. We also need to set this in /etc/login.defs. Debian and Ubuntu ship the file with an active UMASK 022 line already; change that line rather than leaving two UMASK definitions in the file:

     UMASK 0027
    
     echo -e "\nUMASK 0027         # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/login.defs
    
  4. Set default umask for the root account to 0077 by adding this line to /root/.bashrc:

     umask 0077
    
     echo -e "\numask 0077         # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /root/.bashrc
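
The four edits above, as an added example that is not part of the original guide: a function that adds or replaces the umask line so re-running does not stack duplicates (repeated tee -a does), a wrapper that applies the guide's goals to all four files, and two checks that show what a given umask really does to new files and directories. Function names and the optional PREFIX argument (for rehearsing against a copy of the files) are this example's own; it assumes GNU sed and stat as found on Debian and Ubuntu.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Assumes GNU sed/stat.

# ensure_umask_line FILE DIRECTIVE VALUE
# Appends "DIRECTIVE VALUE" to FILE, or replaces an existing active DIRECTIVE
# line, so the script can be re-run without leaving duplicate definitions.
# DIRECTIVE is "umask" for shell rc files and "UMASK" for /etc/login.defs.
ensure_umask_line() {
    local file="$1" directive="$2" value="$3" stamp
    stamp="# added by $(whoami) on $(date +'%Y-%m-%d @ %H:%M:%S')"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    if grep -Eq "^[[:space:]]*${directive}[[:space:]]+[0-7]+" "$file"; then
        # An active line exists (commented "# UMASK ..." lines do not match): rewrite it.
        sed -i -E "s|^[[:space:]]*${directive}[[:space:]]+[0-7]+.*|${directive} ${value}         ${stamp}|" "$file"
    else
        printf '\n%s %s         %s\n' "$directive" "$value" "$stamp" >> "$file"
    fi
}

# apply_umask_defaults [PREFIX]
# The guide's goals: 0027 for everyone (profile, bash.bashrc, login.defs) and
# 0077 for root (/root/.bashrc). PREFIX (default empty = live system, needs
# root) points at a directory tree holding copies of the files for a dry run.
apply_umask_defaults() {
    local p="${1:-}"
    ensure_umask_line "$p/etc/profile"     umask 0027 &&
    ensure_umask_line "$p/etc/bash.bashrc" umask 0027 &&
    ensure_umask_line "$p/etc/login.defs"  UMASK 0027 &&
    ensure_umask_line "$p/root/.bashrc"    umask 0077
}

# count_umask_lines FILE DIRECTIVE -> number of active DIRECTIVE lines in FILE
count_umask_lines() {
    grep -Ec "^[[:space:]]*$2[[:space:]]+[0-7]+" "$1" || true
}

# predicted_modes UMASK -> "FILE DIR": the octal modes the kernel assigns when a
# process with that umask requests 0666 for a file and 0777 for a directory.
predicted_modes() {
    printf '%o %o\n' "$((0666 & ~0$1))" "$((0777 & ~0$1))"
}

# observed_modes UMASK -> the same pair, measured by actually creating a file
# and a directory under that umask in a throwaway temporary directory.
observed_modes() {
    local tmp
    tmp=$(mktemp -d) || return 1
    ( umask "$1"; : > "$tmp/f"; mkdir "$tmp/d" )
    printf '%s %s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}
```

Run predicted_modes 0027 and predicted_modes 0077 first to see the effect the Goals section asks for (640/750 for users, 600/700 for root). To rehearse the edit, copy the four files into a scratch tree and call apply_umask_defaults /path/to/scratch; call it with no argument under sudo only once the diff against the copies looks right.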
    
