You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2016-08-02 13:04:43
- Cobra
- Member
- Registered: 2004-07-30
- Posts: 109
UMASK limitations?
Hi there, I installed lynis a while ago and used it to scan my system for possible security improvements. One of the recommendations was to change the umask to 027. So I added umask 027 to my /etc/profile file. Default is 022, just for reference.
Now, my question is if this has limitations? Is there a problem if root creates files with rw- r-- --- permissions? Will daemons start crashing, cron commands stop working etc...? I like security, but I don't like crippling my system. 
Offline
#2 2016-08-04 12:05:27
- loafer
- Member
- From: the pub
- Registered: 2009-04-14
- Posts: 1,772
Re: UMASK limitations?
What permissions do you think the file should be created with?
All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.
Offline
#3 2016-08-05 09:44:09
- Cobra
- Member
- Registered: 2004-07-30
- Posts: 109
Re: UMASK limitations?
What permissions do you think the file should be created with?
There is no specific "the file"... It's more of a general question. I'm just wondering if setting umask too restrictive could have negative implications for my system. I imagine as an extreme example, that setting umask 077 would render the system unusable because no user or service would be able to read any files it needed. On the contrary, setting it too low would mean everything was open for the world to read and that would be a security vulnerability. So umask 022 (the default) was already there and I changed it to 027. Not a huge difference but it seems logical that it might be better if other users couldn't read my files and vice versa.
Anyone has experience with this or are you all just using the default 022 and not bothering with security?
Last edited by Cobra (2016-08-05 09:46:58)
Offline
#4 2016-08-05 12:55:58
- Alad
- Wiki Admin/IRC Op
- From: Bagelstan
- Registered: 2014-05-04
- Posts: 2,412
- Website
Re: UMASK limitations?
The umask is mostly relevant when you have publicly accessible files in your home folder, e.g for a HTTP server. Otherwise, chmod 700 on the parent directory suffices.
As to negative implications: once upon a time (cf. 1, 2) makepkg didn't reset the umask to 0022, and packages built with your user's umask set to 0027 or 0077 would end up with the wrong permissions. In theory this meant your /usr could end up as chmod 700 which is clearly a bad thing. I've seen this happen a few times in Slackware (where packages are untarred without verification) but if this was ever a concern in Arch, it stopped being so 8 years ago.
Changing umask for the root user should not have grave consequences either; e.g. packages installed through pacman retain the permissions on their files. However, I don't see a good reason to change root's umask (or the umask of all users) to begin with.
Last edited by Alad (2016-08-05 13:05:26)
Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby
Offline
#5 2016-08-05 20:34:17
- brebs
- Member
- Registered: 2007-04-03
- Posts: 3,742
Re: UMASK limitations?
There is no specific "the file"... It's more of a general question.
And it's a general answer, too. For some files it's fine, for others you'll have problems 
Anyone has experience with this or are you all just using the default 022 and not bothering with security?
LOL, there's far more to security than just umask.
A umask of 0022 is a perfectly reasonable default.
Offline
Pages: 1