LinuxSecurity.com
Using umask
Source: Ryan W. Maple - Posted by Ryan W. Maple
The umask controls the default permission bits on newly created files and directories: every bit that is set in the umask is cleared from the mode the creating program asks for. It is recommended that you make root's umask 077, which removes read, write, and execute permission for the group and for all other users from anything root creates, unless explicitly changed afterwards using chmod(1).

The umask command, run with no argument, shows the current mask; run with an octal argument, it sets the mask for the current shell and for every process that shell later starts. The mask names the permission bits to take away, so the resulting mode is the requested mode with the umask bits cleared (in C terms, mode & ~umask). If files are created without any regard to their permission settings, a user could inadvertently give read or write permission to someone who should not have it.

The mode of a new directory, or of a file that the creating program (a compiler or linker, for example) asks to have executable, is derived from a default of 777:

  777 Default Permissions
 -022 Clear umask bits, for example
 -----
  755 Allowed Permissions

So in this example we chose 022 as our umask. New directories and executables are given mode 755, which means that the owner can read, write, and execute (for a directory, execute means search), while members of the group to which the file belongs, and all others, can only read and execute it.

The mode of a new ordinary (non-executable) file is derived from a default of 666:

 666 Default Permissions
-022 Clear umask bits, for example
-----
 644 Allowed Permissions

This example shows that, starting from the default mode of 666 and applying our sample umask of 022, new text files are created with mode 644: the owner can read and write the file, while members of the file's group and everyone else can only read it. The "subtraction" is only a convenient way to read the table; the real operation clears bits, so a umask of 033 applied to 666 still yields 644 (not 633), because the execute bit was never set to begin with.

Typical umask settings are 022, 027, and 077, which is the most restrictive. Normally the umask is set in /etc/profile, so it applies to all users on the system. The file creation mask must be set with the purpose of the account in mind: permissions that are too restrictive may drive users to share accounts or passwords, or otherwise work around security. For example, you may have a line that looks like this:

  # Set the user's default umask
  umask 033

Be sure to make root's umask at least 022, which removes write permission for the group and for other users from anything root creates (read and execute are left in place; use 027 or 077 to remove those as well), unless explicitly changed using chmod(1).
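The following script, added here as an example and not part of the original article, makes the bit-clearing rule concrete. effective_mode applies the kernel's rule to any requested mode, so it also covers the creat(2) question raised in the comments below (664 requested under a umask of 022 yields 644), and created_modes creates a real directory and an ordinary file under a given umask and reports the modes the filesystem actually recorded. Because a umask can only clear bits, no umask can make a file executable that the creating program did not request as executable; that is a job for chmod(1). The script assumes bash and a GNU stat (with a BSD fallback).

```bash
#!/bin/bash
# Added example, not from the original article.
# The kernel derives the mode of a new file as (requested_mode & ~umask):
# umask bits are cleared, never subtracted and never added.

# effective_mode REQUESTED UMASK -> resulting mode, three-digit octal.
effective_mode() {
    local req mask
    req=$(printf '%d' "0$1")     # leading 0 makes printf read the string as octal
    mask=$(printf '%d' "0$2")
    printf '%03o\n' $(( req & ~mask & 0777 ))
}

# mode_of PATH -> permission bits as recorded on disk (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# created_modes UMASK -> "DIRMODE FILEMODE" for a directory and an ordinary
# file actually created under that umask.  mkdir requests 777 and shell
# redirection requests 666, exactly the two defaults the tables above use.
created_modes() {
    local tmp
    tmp=$(mktemp -d) || return 1
    ( umask "$1"; mkdir "$tmp/dir"; : > "$tmp/file" )
    printf '%s %s\n' "$(mode_of "$tmp/dir")" "$(mode_of "$tmp/file")"
    rm -rf "$tmp"
}

# Walk through the masks the article mentions, plus the 033 from its
# /etc/profile snippet, which shows why "subtraction" is only shorthand:
# 666 under 033 gives 644, not 633.
for um in 022 027 077 002 033; do
    printf 'umask %s: 777->%s 666->%s  on disk: %s\n' \
        "$um" "$(effective_mode 777 "$um")" "$(effective_mode 666 "$um")" \
        "$(created_modes "$um")"
done
```

The "on disk" column is the check worth keeping around: it is what a process actually gets, independent of whatever /etc/profile says, so it can be run from a cron job or an init script to confirm the umask those contexts really inherit.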

If you are using Red Hat Linux and have adhered to its user and group ID creation scheme (User Private Groups), a umask of 002 is sufficient for normal users. In the default configuration each user is the only member of a private group of the same name, so the group-write bit that 002 leaves on gives write access to nobody else; it only has an effect in shared, setgid project directories, where group write is the intent.

In addition to setting the user's default umask, be aware of the umask in effect in startup scripts. /etc/profile is read only by login shells, so it has no effect on the boot process; any files created during boot are created under whatever umask the boot scripts inherited from init, unless one is explicitly set.

Additionally, any servers started at boot time, such as inetd(8), inherit the umask in effect at boot time and pass it on to the services and servers they spawn.

The umask used by an FTP server spawned by inetd(8), for example, is easily overlooked, allowing overly lenient permissions on the files it creates.

In this specific example, the FTP server has command-line options for controlling its umask. Many servers do not. For this reason, consider creating a script that runs at system boot time, before any others, and simply sets the umask explicitly to a known value.
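As an added illustration, not from the original article, the script below shows both the inheritance problem and the fix. spawned_file_mode starts a child process, standing in for inetd(8) and a service it launches, under the umask a supervisor might hold at boot, and reports the mode of a spool file the child creates; with the second argument set to yes the child's start script sets its own umask first, which is what the paragraph above recommends. umask_of_pid reads the umask of an already running daemon from /proc (the Umask field is present on Linux 4.7 and later), which is the quick check to run against inetd or any other long-lived service before assuming the files it creates are safe. The spool path and the 027 mask chosen for the service are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not from the original article.
# A child process inherits its parent's umask across fork and exec; a service
# started from a boot script therefore creates files under the boot script's
# umask unless it (or its start script) sets one of its own.

# mode_of PATH -> permission bits as recorded on disk (GNU stat, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# spawned_file_mode SUPERVISOR_UMASK yes|no -> mode of a file created by a
# child process.  "yes" means the child's start script sets umask 027 itself
# (an assumed value for the example) before the service does any work.
spawned_file_mode() {
    local tmp
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"                      # what the supervisor (init, inetd) has
        # The "service": a separate process started by the supervisor.  It
        # inherits the umask and creates a spool file with the usual 666 request.
        sh -c 'if [ "$1" = yes ]; then umask 027; fi; : > "$2/spool"' _ "$2" "$tmp"
    )
    mode_of "$tmp/spool"
    rm -rf "$tmp"
}

# umask_of_pid PID -> the umask of a running process, read from /proc.
# Prints nothing on kernels without the Umask field or where /proc is absent.
umask_of_pid() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# Demonstration: a supervisor that inherited umask 000 (nothing cleared).
printf 'inherited umask 000, no fix : spool is %s\n' "$(spawned_file_mode 000 no)"
printf 'inherited umask 000, fix    : spool is %s\n' "$(spawned_file_mode 000 yes)"
printf 'this shell (pid %s) umask   : %s\n' "$$" "$(umask_of_pid "$$")"
```

Setting the umask inside the service's own start script, as the fixed variant does, is the portable version of the boot-time script the article suggests and does not depend on what the supervisor was started with. On systemd systems the same job is done per service with the UMask= directive in the unit file; the /proc check works regardless of how the daemon was started.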

Comments
misstatement
Written by Andrew Schwarzkopf on 2006-08-27 12:52:12
If I understand this article correctly, there is a misstatement.

"Be sure to make root's umask to at least 022, which will disable write and execute permission for other users, unless explicitly changed using chmod(1)."

Should read:

"which will disable write permission"
A umask of 022 does not disable execute permission.

Correction
Written by A. v. Schepen on 2006-11-16 06:15:17
Addon to Andrew's message:

If you want to disable write and execute permissions as stated in the text you would use 033.

Since:
write = 2
exec  = 1 +
-----------------
        3

Responded too fast
Written by A. v. Schepen on 2006-11-16 06:23:35
BOTH messages from me and Andrew are incorrect.

The article IS correct.
A umask of 022 would set for directories:

777-022 = 055
This means read and execute (open) directories.

For files:
666-022 = 044
This means read for files.

Those numbers are made up out of:

4: Read
2: Write
1: Execute

is umask for default permissions only?
Written by Anupam on 2007-01-18 02:02:43
If the umask value is set to 022 and I create a file using the creat sys call with permission 664, then what will the resultant permissions be, and why?
Will they be 664 or 644?

security
Written by binod kumar on 2007-08-30 13:02:21
satisfactory

can umask add executable for files?
Written by Philippe on 2007-12-06 09:35:23
What umask needs to be set to create an executable file? Or is it something that needs to be added with chmod only after the file is created?

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.