Umask and file permission question

Dagmar d'Surreal dagmar at speakeasy.net
Sat Aug 31 13:57:25 PDT 2002


On Sat, 2002-08-31 at 08:39, Andrew Friedley wrote:
> I've always used 077 for all users including root, but I tend to be kind of
> restrictive on permissions.  Just remember to to set your umask to 022 when
> you build a new lfs, or you'll end up chmod'ing most of your new system by
> hand to get it working right :)  Usually when I want to share stuff between
> users ill cp the files to /tmp and chmod them, then rm em when im done.

Frankly, I'd say that this is the most correct approach--since it
adheres to the principle of least privlege.  ...setting everyone's
default umask so that they are the only people who can read the files
they create (since we're not explicitly saying users will be given
permission to read other's files, then the default should be that they
can't) using 077.

And of course things will be rather painful if the admin forgets to
change their umask to a less restrictive one when installing new
files--however many (but not _all_!) makefile install targets make the
assumption that the software being built is for system-wide use, and
enforce the permissions accordingly, so you still have to eyeball
everything during/after installation.

(Typically, people only forget to change their umask to something less
restrictive while they uncompress a new kernel source tree once.  ;) )

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list