You are not logged in.
- Topics: Active | Unanswered
#1 2011-10-09 16:30:46
- rnabioullin
- Member
- Registered: 2010-10-02
- Posts: 24
Sensible umask for users
Why is a umask of 022 used for non-root users? Why not use 007 for non-root users, since: 1. the user-private group (UPG) scheme is used (thus there would be no security issue); 2. it would allow other users to write to files created in a "shared" directory (i.e., dir with setgid set and belonging to a group other than a UPG; e.g., project1 containing several users) which otherwise would not be possible with 022; 3. it would prevent others (human users in the group, human users not in the group, system users used by daemons) from reading/writing files not created in a "shared" directory, and for "shared" directories, it would prevent others (human users not in the group, system users used by daemons) from reading/writing files.
Am I missing something? I do not see a purpose of changing the root's umask, but I do see a purpose of changing the umask of non-root users.
Offline
#2 2011-10-10 17:27:24
- Leonid.I
- Member
- From: Aethyr
- Registered: 2009-03-22
- Posts: 999
Re: Sensible umask for users
Why not 027, for a group-based solution? 007 is dangerous since /tmp might contain user-specific data which you'll make rw for others in the same group (e.g. users).
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
#3 2011-10-13 04:01:46
- rnabioullin
- Member
- Registered: 2010-10-02
- Posts: 24
Re: Sensible umask for users
Why not 027, for a group-based solution? 007 is dangerous since /tmp might contain user-specific data which you'll make rw for others in the same group (e.g. users).
But with the UPG scheme, the primary group (obviously the same group that will be the owner of user-specific data in /tmp) will be the user's private group. I do not see how this is a security concern.
Offline
#4 2011-10-13 21:57:10
- rwd
- Member
- Registered: 2009-02-08
- Posts: 664
Re: Sensible umask for users
Is UPG the default with Arch? It has been a while that I installed from scratch, but I can remember by default configuration uses user:users and I had to change it to UPG myself. But I'd say just configure it and umask the way you like.
Last edited by rwd (2011-10-13 22:06:54)
Offline
#5 2011-10-14 00:13:15
- Leonid.I
- Member
- From: Aethyr
- Registered: 2009-03-22
- Posts: 999
Re: Sensible umask for users
OK, I misunderstood the OP. UPG (as it is used in fedora and rhel) is not the default for arch, so I don't see where point (1) in OP comes from. Certainly, the default umask is somewhat permissive, so I just set it to 0077 and forget...
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline