after installing openSuSE 11.3 i was thinking a bit about security. I read, it’s a good idea to set umask of users to 077 . I’m unsure now, where to do this, cause there are different locations offered in the web:
/etc/login.defs
$HOME/.profile
/etc/profile - umask would be valid for root too.
And for my understanding:
Is it wise to set root to umask 077 too or could this lead to negative effects on my system.
Is it even senseless to umask the normal user to 077 if there is just one desktop-user using my system (myself ;)).
I don’t see the point of going from drwxr-xr-x to drwx------. In fact it can be a nuisance if you use networking. Provided you have the firewall on and you’re careful with communications, you’re in pretty good shape. But if you need to see some interesting options, have a look in Yast –> security and users –> local security – predefined configs. Lot’s of stuff to change there if you like to.
Also, if you just want to think about the umask goto Yast → security & users → highlight you username → user and group management → defaults for new users → umask for homes
The global umask value is stored in /etc/login.defs and
will be set by pam_umask.so (see “man pam_umask”).
and further on as written in /etc/login.defs
The UMASK value for useradd can be found in /etc/default/useradd,
this variable here is deprecated and currently only used as fallback
by pam_umask.so.
But the setting in /etc/default/useradd just seems to set the permissions for a newly created /home/NEWUSER - directory, whereas setting umask in /etc/login.defs changes umask for user after login. The help text in /etc/login.defs seems to be wrong ?
The problems you see might be because you do not quite understand what umask is/does. When I am wrong I appologize.
You do not set umask for a directory (like you think for* /home/USERNAME*), umask is something in the process environment, very much like every process environment variable. That means that when it is set to a value in a process, it is inherited by it’s child processes. Thus when you set umask in your .profile (and do not change it later in one of the offspring processes) it is the same for all offspring which is in fact all what you do during your session.
The umask set in YaST for new users means that a creation of new users, this umask is added to the .profile (direct or indirect, I did not test to see where it goes exactly) of the new user. Thus this new user will have this umask active unless he changes either his .profile (for all his future sessions) or types an umask statement (for the currect shell and it’s offspring). Nothing is of course changed to the* .profile *of existing users, would be difficult because users may have edited their *.profile *beyond recognition for an automated task.
What does umask do? When a process wants to create a file (all types) it assks the kernel to do this. With this request the process offers, among other things, the access bits it wants to be attached to the file (the rwxrwxrwx bits). The kernel then uses the umask to remove (never add) thosse bits mentioned in the umask.
E.g. when the process thinks fit to create a file with rw-rw-r–, but the umask is 077, the kernel will make it rw-------.
The setting of a restrictive umask as default for new (when you decide for this policy in time, for all) users may help a little bit to enforce a specific security rule a company wants it’s employees to follow. But it is easy to circumvente because the individual user can:
a) set anothert umask in his .profile;
b) type an umask statement at every opportunity;
c) can chmod all his files.
And s a personal note: one of the first things I allways did in getting a userid on a Unix system was puting umask 077 in my profile. I only set group and world access when needed (and approved by myself rotfl! ).
What i discovered too: The umask-setting for new users in yast simply leads to a home-directory with drwx------ for new users, but umask is still 022 then. Is that the intended behaviour ?
After encountering the same problem as far as I can determine the /etc/login.defs umask variable is the correct system-wide place to set the umask for when a user logs in.
