Effects of tightening umask
Posted: 2019/09/13 18:31:56
Hello CentOS gurus!
I'm investigating tightening the umask on my CentOS 7.6 Min Install to 027. The idea came from CIS guidance and it doesn't sound like a bad idea to me that files be created with no "group" write permissions and no "other" permissions at all unless explicitly requested by the process creating the file, but I've had a career full of events that shouldn't have been a problem and ended up being so due to things I didn't know about. So, does anyone know of any problems with upping umask to 027?
Also, on the topic, while looking for places to set the umask, I found the following logic in /etc/profile and /etc/bashrc
This says to me for UIDs 200 and over when your group name matches your user name (in other words, a "normal" rather than a "system" user account) use a umask of 002, otherwise use a umask of 022. Does anyone know where the rationale for this comes from? I know the UID range for user accounts has increased over time (they started at 100 when I first started using UNIX in college and I think the increase from 500 to 1,000 has only been in the last 10 years or so) so I'm wondering if the selection of 200 as the dividing line between "normal" and "system" user accounts is an outdated artifact that needs an update at some point, but I can't think of a use case where it makes sense to use a more restrictive umask in regards to group rights for a "system" account. Or is there?
In my research so far, it seems like the umask value is a last-ditch backstop and most grown-up programs set DAC rights to exactly what they want so they don't have to rely upon inconsistent umask values from install to install, but maybe I'm missing something significant and obvious here so I thought I'd ask the thoughts of the group.
Are you for or against tightening the umask and do you do so differently based upon the nature of the account? Alternatively, are you aware of any horror stories from straying from the default umask values in any way?
Any feedback would be greatly appreciated.
Thanks,
Scott
I'm investigating tightening the umask on my CentOS 7.6 Min Install to 027. The idea came from CIS guidance and it doesn't sound like a bad idea to me that files be created with no "group" write permissions and no "other" permissions at all unless explicitly requested by the process creating the file, but I've had a career full of events that shouldn't have been a problem and ended up being so due to things I didn't know about. So, does anyone know of any problems with upping umask to 027?
Also, on the topic, while looking for places to set the umask, I found the following logic in /etc/profile and /etc/bashrc
Code: Select all
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
umask 002
else
umask 022
fi
In my research so far, it seems like the umask value is a last-ditch backstop and most grown-up programs set DAC rights to exactly what they want so they don't have to rely upon inconsistent umask values from install to install, but maybe I'm missing something significant and obvious here so I thought I'd ask the thoughts of the group.
Are you for or against tightening the umask and do you do so differently based upon the nature of the account? Alternatively, are you aware of any horror stories from straying from the default umask values in any way?
Any feedback would be greatly appreciated.
Thanks,
Scott