Change Default umask
Warning: !! PROCEED AT YOUR OWN RISK !!
This section covers things that are high risk because they could make your system unusable, or are considered unnecessary by many because the risks outweigh any rewards.
Why change default umask?
umask controls the default permissions of files/folders when they are created: every permission bit set in the umask is cleared from the permissions a new file or folder would otherwise get. Insecure file/folder permissions give other accounts potentially unauthorized access to your data. This may include the ability to make configuration changes.
- For non-root accounts, there is no need for other accounts to get any access to the account’s files/folders by default.
- For the root account, there is no need for the file/folder primary group or other accounts to have any access to root’s files/folders by default.
When and if other accounts need access to a file/folder, you want to explicitly grant it using a combination of file/folder permissions and primary group.
On the other hand, changing the default umask can create unexpected problems. For example, if you set umask to 0077 for root, then non-root accounts will not have access to application configuration files/folders in /etc/, which could break applications that do not run with root privileges.
- set default umask for non-root accounts to 0027 (new files are created 640, new folders 750)
- set default umask for the root account to 0077 (new files are created 600, new folders 700)
- umask is a Bash built-in, which means a user can change their own umask setting; these steps set a default, they do not enforce one.
Steps - Change Default umask
Make a backup of files we’ll be editing:
sudo cp --archive /etc/profile /etc/profile-COPY-$(date +"%Y%m%d%H%M%S")
sudo cp --archive /etc/bash.bashrc /etc/bash.bashrc-COPY-$(date +"%Y%m%d%H%M%S")
sudo cp --archive /etc/login.defs /etc/login.defs-COPY-$(date +"%Y%m%d%H%M%S")
sudo cp --archive /root/.bashrc /root/.bashrc-COPY-$(date +"%Y%m%d%H%M%S")
Set default umask for non-root accounts to 0027 by adding this line to /etc/profile and /etc/bash.bashrc:
echo -e "\numask 0027 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/profile /etc/bash.bashrc
We also need to add this line to /etc/login.defs:
echo -e "\nUMASK 0027 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /etc/login.defs
Set default umask for the root account to 0077 by adding this line to /root/.bashrc:
echo -e "\numask 0077 # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")" | sudo tee -a /root/.bashrc
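To see what the two umask values above actually do, and to confirm the change took effect, here is an added check script (not part of the original guide). It computes the mode a new file or folder gets under a given umask, flags when new files stop being readable by others (the /etc/ breakage warned about above), and creates a probe file to compare the arithmetic with what the kernel really applies. It assumes a POSIX sh with mktemp and GNU stat (BSD stat as fallback).

```shell
#!/bin/sh
# Added example, not from the original guide: umask arithmetic and a live probe.

# effective_mode MASK BASE: octal mode of a new file (BASE=666) or
# directory (BASE=777) created under umask MASK. Bits set in the mask
# are cleared from the base permissions.
effective_mode() {
    printf '%04o' "$(( 0$2 & ~0$1 ))"
}

# world_readable MODE: exit 0 if the "other" read bit is set in MODE.
world_readable() {
    [ "$(( 0$1 & 04 ))" -ne 0 ]
}

# created_mode MASK: create a temporary file under umask MASK and report
# the permission bits the kernel actually assigned, as 4-digit octal.
created_mode() {
    dir=$(mktemp -d) || return 1
    ( umask "$1"; : > "$dir/probe" )
    mode=$(stat -c '%a' "$dir/probe" 2>/dev/null) \
        || mode=$(stat -f '%OLp' "$dir/probe")   # BSD stat fallback
    rm -rf "$dir"
    printf '%04o' "$(( 0$mode ))"
}

# Compare the common default (0022) with the guide's two settings.
for mask in 0022 0027 0077; do
    file_mode=$(effective_mode "$mask" 666)
    printf 'umask %s: new file %s, new folder %s' \
        "$mask" "$file_mode" "$(effective_mode "$mask" 777)"
    if world_readable "$file_mode"; then
        printf ' (others can read new files)\n'
    else
        printf ' (others cannot read new files; config root writes to /etc/ may break non-root services)\n'
    fi
done
```

Run it once before and once after editing the files above: the probe result for the current shell's umask should move from the old default to 0640 (non-root) or 0600 (root).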