LinuxQuestions.org
Old 03-16-2011, 09:39 PM   #1
browny_amiga
Member
 
Registered: Dec 2001
Location: /mnt/UNV/Mlkway/Earth/USA/California/Silicon Valley
Distribution: Kubuntu 10.04, Debian Squeeze, Windoze 7
Posts: 512

Rep: Reputation: 35
umask and permissions: has umask 007 bad side effects?


Hi,

My Debian system has by default umask permissions of 0022, which I never liked. That one user can read all the files of another seems very insecure to me.

I am planning to set it to 007, so that user and group have rw but all others have none.

Are there any side effects to that? I have noticed from a trial I did where I was changing permissions on the filesystem that some system stuff in the OS does not work anymore, if "others" have no read permission anymore, so that is why I am asking.

And why are chmod / umask permissions sometimes stated as 4 digits? What is this "all" group in the end? Isn't that already covered by "others"?

Thanks,

Markus
 
Old 03-17-2011, 04:35 PM   #2
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

Rep: Reputation: 112
I'd say I think umask 0007 is a bad idea. You have system functions running as their own userids for a reason, to fence them off from root permissions because they could be exploited. For example, if you're running FTP, it's running as its own userid, but it needs read access to some system files owned by root. If you solve that problem by adding that user to the root group, with umask 007, you've just given that userid full root access, and if someone successfully pops your FTP server, you handed them the keys to the kingdom. That's why 022 is the norm... even members of the root group can't overwrite root's files.

For your ordinary users, 0007 would also take away execute privileges for ordinary bash commands a user might execute, like cd, grep, man, etc. This would effectively render your system useless to them.

If there are certain files/directories you don't want world-readable, the best practice would be to do a chmod there to remove those permissions, and otherwise, let the umask do what it does.

As for why it's four digits and not three, that's because the leading digit covers sticky bit or setuid/setgid. If you omit the leading digit it's treated as a zero, so umask 022 = umask 0022.
 
Old 09-09-2011, 09:01 AM   #3
beinvisible
LQ Newbie
 
Registered: Sep 2011
Posts: 1

Rep: Reputation: Disabled
@SL00b

The umask only affects the access rights of newly _created_ files. E.g. an editor saves a text file using rw-rw-rw- by default, but these privileges are masked with the user's umask when the system actually creates the file. 022 would mask it down to rw-r--r-- while 007 would mask it down to rw-rw----.

The umask does _not_ affect file _reads_.

Most Linux distributions use umask 022, but some also use 002 (which is useful if you have directories shared between users). E.g. RedHat uses 022 for uids <= 100 and 002 for uids > 100. Setting 007 for normal users should be perfectly safe (root will be more secure with 022 or 027); it might only cause problems if it is used for system processes that write files which should be world-readable.



Further reading: http://cyberciti.biz/tips/understand...lue-usage.html
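
What post #3 describes (the umask is applied only at the moment a file or directory is created), as an added example that is not part of the thread. It assumes a POSIX shell with `mktemp`; the function names are made up for this illustration, and all files live in a throwaway temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: observe what the umask does and does not do.

# mode_under_umask MASK KIND -> prints the ls-style mode of a freshly created
# object. KIND is "file" (touch requests rw-rw-rw-) or "dir" (mkdir requests
# rwxrwxrwx); the kernel clears the bits set in MASK at creation time.
mode_under_umask() {
    (
        work=$(mktemp -d) || exit 1
        trap 'rm -rf "$work"' EXIT
        umask "$1"
        case "$2" in
            file) touch "$work/new" ;;
            dir)  mkdir "$work/new" ;;
            *)    exit 2 ;;
        esac
        ls -ld "$work/new" | cut -c1-10
    )
}

# existing_mode_after_umask MASK -> creates a file under umask 022, then
# switches to MASK and prints the file's mode again. The mode is unchanged:
# the umask never touches files that already exist.
existing_mode_after_umask() {
    (
        work=$(mktemp -d) || exit 1
        trap 'rm -rf "$work"' EXIT
        umask 022
        touch "$work/old"
        umask "$1"
        ls -ld "$work/old" | cut -c1-10
    )
}

# The four masks mentioned in the thread, side by side.
for m in 022 002 007 027; do
    printf 'umask %s  new file: %s  new dir: %s\n' "$m" \
        "$(mode_under_umask "$m" file)" "$(mode_under_umask "$m" dir)"
done
printf 'file created under 022, umask then set to 007: %s\n' \
    "$(existing_mode_after_umask 007)"
```
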
 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration