Umask and file permission question

Adam Trilling agt10 at columbia.edu
Sat Aug 31 00:58:01 PDT 2002


Where I work, we have a massively multiuser Solaris system (did you
know that some programs don't like uids > 65535?).  /etc/profile sets
umask to 077, and the default home directory mode is 0700.

This works well for the majority of our users who don't understand things
like chmod, because by default nobody else can read their files.  Those of
us who do group work set our umask to 027 manually and work in a shared
tree which has mode 0770.

You could also use 007 for group work.  But it seems safer in my opinion
to use a version control system where checking out a file causes you to
own it and use umask 027.  That way, only one person can write to a file
at a time, which should be the default behavior in the majority of cases.

Most install scripts will set the permissions properly on their own, and
anyone who is installing software should know enough to check on that.

I'm not sure how we handle root users, but my personal belief is that root
should have the most paranoid default behavior that is sensible (in this
case, 077).  It's much easier to fix mistakes that arise through direct
action than mistakes that arise through default behavior, and with root
you simply don't want to take chances.

So I would say that a default umask of 077 is not only sane but prudent.
And someone tell me if I went drastically wrong somewhere, because it is 4
AM here.

adam

On Sat, 31 Aug 2002, Archaic wrote:

> How (in)sane would it be to set umask to 077 in the /etc/profile or
> .bash_profile? The only things I can think of would be when you install
> stuff or have an explicit need to share files between users. As far as
> installing, I can just make /etc/profile only set umask for non-root
> users. Sharing is where it gets more complicated. I'm thinking maybe set
> umask to 007 instead, and make a separate share folder while at the same
> time chmodding 0700 all home directories. I currently don't have a need
> to share files between users except what is on the samba server and it
> handles permissions quite nicely. So aside from samba, just looking at
> one machine with multiple users, is anything I've suggested sounding
> reasonable or should I just check myself in to the local asylum? :)
>
> --
> Archaic
>
> --
> Morality is always the product of terror; its chains and
> strait-waistcoats are fashioned by those who dare not trust others,
> because they dare not trust themselves, to walk in liberty.
>
> - Aldous Huxley
>
>
> --
> Unsubscribe: send email to listar at linuxfromscratch.org
> and put 'unsubscribe lfs-security' in the subject header of the message
>


Adam Trilling
agt10 at columbia.edu


char m[9999],*n[99],*r=m,*p=m+5000,**s=n,d,c;main(){for(read(0,r,4000);c=*r;
r++)c-']'||(d>1||(r=*p?*s:(--s,r)),!d||d--),c-'['||d++||(*++s=r),d||(*p+=c==
'+',*p-=c=='-',p+=c=='>',p-=c=='<',c-'.'||write(2,p,1),c-','||read(2,p,1));}
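
The modes that result from the three umask values discussed in this thread (077, 027, 007), as an added example that is not part of the original message. The helper names `mode_after_umask` and `observed_modes` are hypothetical; the script computes the expected mode and then confirms it by creating a file and a directory in a scratch directory.

```shell
#!/bin/sh
# Added example: what umask 077, 027 and 007 do to newly created
# files and directories. Helper names are hypothetical.

# Expected octal mode for a new file (requested 0666) or directory
# (requested 0777) under a given umask: requested & ~umask.
mode_after_umask() {
    # $1 = umask in octal (e.g. 027), $2 = "file" or "dir"
    case "$2" in
        dir) base=0777 ;;
        *)   base=0666 ;;
    esac
    printf '%04o\n' $(( base & ~0$1 & 0777 ))
}

# Create a file and a directory under the given umask and print the
# permission strings the system actually applied, as "file dir".
observed_modes() {
    scratch=$(mktemp -d) || return 1
    (
        umask "$1"          # subshell: caller's umask is left untouched
        : > "$scratch/f"
        mkdir "$scratch/d"
    )
    f=$(ls -ld "$scratch/f" | cut -c1-10)
    d=$(ls -ld "$scratch/d" | cut -c1-10)
    rm -rf "$scratch"
    echo "$f $d"
}

# 077: private default, 027: group may read, 007: group may write.
for m in 077 027 007; do
    printf 'umask %s  file %s  dir %s  observed: %s\n' \
        "$m" "$(mode_after_umask "$m" file)" \
        "$(mode_after_umask "$m" dir)" "$(observed_modes "$m")"
done
```

The umask only removes bits from what a program requests, so a file created with 0666 never gains execute permission, and an install script that calls chmod explicitly is unaffected by it.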
