umask and permissions: has umask 007 bad side effects?
Hi,
My Debian system has by default umask permissions of 0022, which I never liked. That one user can read all the files of another seems very insecure to me.
I am planning to set it to 007, so that user and group have rw but all others have none.
Are there any side effects to that? I have noticed from a trial I did where I was changing permissions on the filesystem that some system stuff in the OS does not work anymore, if "others" have no read permission anymore, so that is why I am asking.
And why are chmod / umask permissions sometimes stated as 4 digits? What is this "all" group in the end? Isn't that already covered by "others"?
I'd say I think umask 0007 is a bad idea. You have system functions running as their own userids for a reason, to fence them off from root permissions because they could be exploited. For example, if you're running FTP, it's running as its own userid, but it needs read access to some system files owned by root. If you solve that problem by adding that user to the root group, with umask 007, you've just given that userid full root access, and if someone successfully pops your FTP server, you handed them the keys to the kingdom. That's why 022 is the norm... even members of the root group can't overwrite root's files.
For your ordinary users, 0007 would also take away execute privileges for ordinary bash commands a user might execute, like cd, grep, man, etc. This would effectively render your system useless to them.
If there are certain files/directories you don't want world-readable, the best practice would be to do a chmod there to remove those permissions, and otherwise, let the umask do what it does.
As for why it's four digits and not three, that's because the leading digit covers sticky bit or setuid/setgid. If you omit the leading digit it's treated as a zero, so umask 022 = umask 0022.
The umask only affects the access rights of newly _created_ files. E.g. an editor saves a text file using rw-rw-rw- by default, but these privileges are masked with the user's umask when the system actually creates the file. 022 would mask it down to rw-r--r-- while 007 would mask it down to rw-rw----.
The umask does _not_ affect file _reads_.
Most Linux distributions use umask 022, but some also use 002 (which is useful if you have directories shared between users). E.g. RedHat uses 022 for uids <= 100 and 002 for uids > 100. Setting 007 for normal users should be perfectly safe (root will be more secure with 022 or 027); it might only cause problems if it is used for system processes that write files which should be world-readable.
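The masking described in the answer above can be checked directly. The script below is an added example, not code from the thread: `effective_mode` computes the mode a new file or directory receives for a given requested mode and umask (mode AND NOT umask), and `created_mode` creates a real file in a temporary directory under a chosen umask and reads back the mode. Function names are my own; `created_mode` assumes GNU coreutils `stat -c` is available, as it is on Debian.

```sh
#!/bin/sh
# Added example (not from the thread): show what a umask does to newly created files.

# effective_mode REQUESTED UMASK
# Both arguments are octal strings as you would type them after chmod/umask
# (e.g. 666 and 022, or four digits such as 2777). The kernel clears every
# bit that is set in the umask, so the result is REQUESTED & ~UMASK, printed
# in octal. A leading 0 forces the shell to parse the strings as octal.
effective_mode() {
    printf '%o' "$(( 0$1 & ~0$2 ))"
}

# created_mode UMASK
# Creates an empty file under UMASK in a fresh temporary directory and prints
# the mode the filesystem actually assigned (three octal digits). Requires
# GNU stat (coreutils); the subshell keeps the umask change local.
created_mode() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/newfile" ) || { rm -rf "$tmp"; return 1; }
    stat -c '%a' "$tmp/newfile"
    rm -rf "$tmp"
}

# Typical creation modes: 666 for files (what an editor asks for), 777 for
# directories and executables. Only the mask differs between the cases.
for mask in 022 002 027 007; do
    printf 'umask %s: file 666 -> %s, dir 777 -> %s\n' \
        "$mask" "$(effective_mode 666 "$mask")" "$(effective_mode 777 "$mask")"
done

# Four-digit form: the leading digit masks setuid (4), setgid (2) and sticky (1).
# umask 0022 leaves a requested setgid directory as 2755; umask 2022 strips setgid.
printf 'dir 2777 under umask 0022 -> %s\n' "$(effective_mode 2777 0022)"
printf 'dir 2777 under umask 2022 -> %s\n' "$(effective_mode 2777 2022)"

# Confirm against the kernel when GNU stat is present.
if stat -c '%a' / >/dev/null 2>&1; then
    printf 'file actually created under umask 007 has mode %s\n' "$(created_mode 007)"
fi
```

Note that the loop only ever changes the result of *creation*; running it as a user with umask 007 does not alter the mode of any file that already exists, which is why the existing world-readable system files keep working and why the second answer's point about reads holds.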