Change default file permissions

bmorel · 05-08-2005, 02:42 PM

Hello all,

I'm wondering why, on linux, default file permissions permit to all users on the machine to read-only other user's files (chmod 755).

For security reasons, I'd like for my users that their files can by default NOT be accessed by other users, whenever they are created by bash, php, or ftp daemon (vsftpd).

How can I achieve this ?

Thanks a lot for your answers.

Ben

jailbait · 05-08-2005, 03:08 PM

"I'm wondering why, on linux, default file permissions permit to all users on the machine to read-only other user's files (chmod 755)."

The default file permissions are kept in /etc/permissions and/or /etc/permissions.d. How the default permissions are set up is defined by the distribution. Many distributions allow you to specify a security level during install. You can later change the default file permissions by changing /etc/permissions and/or /etc/permissions.d.

--------------------------
Steve Stites

Tinkster · 05-08-2005, 03:12 PM

As always, there's several ways of doing this ...

1) edit everyones .bashrc/.bash_profile/.bash_login
(whichever applies) to contain
umask 077 which will grant NO permissions to group
and other.

2) edit /etc/profile to have that umask

Cheers,
Tink

bmorel · 05-08-2005, 06:40 PM

jailbait, thanks for your answer, but I think these files are suse-specific, since they don't exist on my distrib (redhat).

tinkster, thanks for help, this will help me, but I've got related questions :

- these files affect only shells, right? the modif did not affect proftpd -which as only one umask config, not per-user config-. For php, I don't know how to do. Isn't there a more "global" way to set this ?
- I found that the script giving default umask is /etc/bashrc. Is it safe to modify this file directly, with the umask you specified above? Or is it safer to leave it unchanged and add another umask in another config file, called after ?

Thanks.
Ben

Tinkster · 05-08-2005, 07:06 PM

Yep, filename vary with distro ... I used the one that
Slack utilises since you didn't put your distro in either
the post or your details ...

As long as you don't make syntactical errors on that line,
and don't screw up other parts of the script it's safe ;}

A very good rule would be to make a back-up copy
of any script you are about to modify before you start
editing it.

Cheers,
Tink