4.5.3.3 Ensure default user umask is configured

Information

The user file-creation mode mask ( umask ) is used to determine the file permissions for newly created directories and files. In Linux, the default permissions for any newly created directory are 0777 ( rwxrwxrwx ), and for any newly created file they are 0666 ( rw-rw-rw- ). The umask modifies the default Linux permissions by restricting (masking) these permissions. The umask is not simply subtracted, but is processed bitwise: bits set in the umask are cleared in the resulting file mode.

umask can be set with either Octal or Symbolic values:

- Octal (Numeric) Value - Represented by either three or four digits, e.g. umask 0027 or umask 027. If a four digit umask is used, the first digit is ignored. The remaining three digits affect the resulting permissions for user, group, and world/other respectively.
- Symbolic Value - Represented by a comma separated list for User (u), group (g) and world/other (o). The permissions listed are the ones that are NOT masked by umask, e.g. a umask set by umask u=rwx,g=rx,o= is the Symbolic equivalent of the Octal umask 027. This umask would set a newly created directory with file mode drwxr-x--- and a newly created file with file mode rw-r-----.

The default umask can be set using the pam_umask module or in a System Wide Shell Configuration File. The user creating the directories or files has the discretion of changing the permissions via the chmod command, or of choosing a different default umask by adding the umask command to a User Shell Configuration File ( .bash_profile or .bashrc ) in their home directory.

Setting the default umask:

- pam_umask module:
  - will set the umask according to the system default in /etc/login.defs and user settings, solving the problem of different umask settings with different shells, display managers, remote sessions etc.
  - the umask=<mask> value in the /etc/login.defs file is interpreted as Octal
  - Setting USERGROUPS_ENAB to yes in /etc/login.defs (default):
    - will enable setting of the umask group bits to be the same as the owner bits (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is the same as the gid and the username is the same as the <primary group name>
    - userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user
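
The following script is an added example, not part of the CIS audit script below: it works through the bitwise umask rule, the symbolic-to-octal equivalence ( u=rwx,g=rx,o= is 027 ) and the USERGROUPS_ENAB group-bit adjustment described above. The function names are my own hypothetical helpers.

```shell
#!/usr/bin/env bash
# Added example, not part of the CIS audit script: how a umask is applied bitwise to the
# 0777/0666 defaults, how a symbolic umask maps to octal, and the USERGROUPS_ENAB
# adjustment from /etc/login.defs. Function names are my own (hypothetical helpers).

mode_for_umask() {            # $1 = octal umask (027 or 0027), $2 = "file" or "dir"
    local base=0666           # bits set in the umask are cleared, not subtracted
    [ "$2" = "dir" ] && base=0777
    printf '%04o' $(( base & ~0$1 ))
}

mode_to_rwx() {               # $1 = octal mode, e.g. 0640 -> rw-r-----
    local m=$(( 0$1 )) out="" pos bits
    for pos in 6 3 0; do      # user, group, other triplets
        bits=$(( (m >> pos) & 7 ))
        [ $(( bits & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( bits & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( bits & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s' "$out"
}

symbolic_to_octal() {         # $1 = symbolic umask, e.g. u=rwx,g=rx,o= -> 027
    local IFS=, keep=0 item who perms v
    for item in $1; do        # the symbolic form lists the permissions that are KEPT
        who=${item%%=*}; perms=${item#*=}; v=0
        case $perms in *r*) v=$(( v | 4 ));; esac
        case $perms in *w*) v=$(( v | 2 ));; esac
        case $perms in *x*) v=$(( v | 1 ));; esac
        case $who in u) keep=$(( keep | (v << 6) ));; g) keep=$(( keep | (v << 3) ));; o) keep=$(( keep | v ));; esac
    done
    printf '%03o' $(( 0777 & ~keep ))   # the mask is every bit that is not kept
}

# USERGROUPS_ENAB yes: for a non-root user whose uid equals gid and whose user name equals
# the primary group name, the group bits of the umask become the owner bits (022 -> 002).
usergroups_umask() {          # $1 = umask, $2 = uid, $3 = gid, $4 = user name, $5 = group name
    local m=$(( 0$1 ))
    if [ "$2" -ne 0 ] && [ "$2" -eq "$3" ] && [ "$4" = "$5" ]; then
        m=$(( (m & ~070) | ((m >> 3) & 070) ))
    fi
    printf '%03o' "$m"
}

# The page's example: umask 027 gives directories drwxr-x--- and files rw-r-----.
for kind in dir file; do
    mode=$(mode_for_umask 027 "$kind")
    printf 'umask 027 -> new %-4s mode %s (%s)\n' "$kind" "$mode" "$(mode_to_rwx "$mode")"
done
```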

- System Wide Shell Configuration Files:
  - /etc/profile - used to set system wide environmental variables on users' shells. The variables are sometimes the same ones that are in the .bash_profile; however, this file is used to set an initial PATH or PS1 for all shell users of the system. It is only executed for interactive login shells, or shells executed with the --login parameter.
  - /etc/profile.d - /etc/profile will execute the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environmental variables.
  - /etc/bashrc - System wide version of .bashrc. In Fedora derived distributions, /etc/bashrc also invokes /etc/profile.d/*.sh if a non-login shell, but redirects output to /dev/null if non-interactive. It is only executed for interactive shells or if BASH_ENV is set to /etc/bashrc.

User Shell Configuration Files:

- ~/.bash_profile - Is executed to configure your shell before the initial command prompt. Is only read by login shells.
- ~/.bashrc - Is executed for interactive shells. Is only read by a shell that is both interactive and non-login.

umask is set by order of precedence. If umask is set in multiple locations, this order of precedence determines the system's default umask.

Order of precedence:

- A file in /etc/profile.d/ ending in .sh - This will override any other system-wide umask setting
- In the file /etc/profile
- On the pam_umask.so module in /etc/pam.d/postlogin
- In the file /etc/login.defs
- In the file /etc/default/login

Setting a secure default value for umask ensures that users make a conscious choice about their file permissions. A permissive umask value could result in directories or files with excessive permissions that can be read and/or written to by unauthorized users.

Solution

Run the following script and perform the instructions in the output:

#!/usr/bin/env bash

{
   l_output="" l_output2="" l_out=""
   # Check whether the file named in $l_file sets a compliant umask (0027 or more restrictive,
   # octal or symbolic) or a umask that is too permissive; record the result in l_out / l_output2
   file_umask_chk()
   {
      if grep -Psiq -- '^\h*umask\h+(0?[0-7][2-7]7|u(=[rwx]{0,3}),g=([rx]{0,2}),o=)(\h*#.*)?$' "$l_file"; then
         l_out="$l_out\n  - umask is set correctly in \"$l_file\""
      elif grep -Psiq -- '^\h*umask\h+(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b|[0-7][0-7][0-6]\b)|(u=[rwx]{1,3},)?(((g=[rx]?[rx]?w[rx]?[rx]?\b)(,o=[rwx]{1,3})?)|((g=[wrx]{1,3},)?o=[wrx]{1,3}\b)))' "$l_file"; then
         l_output2="$l_output2\n  - \"$l_file\""
      fi
   }
   # Scripts in /etc/profile.d/ take precedence over every other location, so check them first
   while IFS= read -r -d $'\0' l_file; do
      file_umask_chk
   done < <(find /etc/profile.d/ -type f -name '*.sh' -print0)
   [ -n "$l_out" ] && l_output="$l_out"
   l_file="/etc/profile" && file_umask_chk
   l_file="/etc/bashrc" && file_umask_chk
   l_file="/etc/bash.bashrc" && file_umask_chk
   l_file="/etc/pam.d/postlogin"
   # pam_umask.so carries its umask= option on the session line; flag a mask looser than 027
   if grep -Psiq '^\h*session\h+[^#\n\r]+\h+pam_umask\.so\h+([^#\n\r]+\h+)?umask=(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b))' "$l_file"; then
      l_output2="$l_output2\n  - \"$l_file\""
   fi
   l_file="/etc/login.defs" && file_umask_chk
   l_file="/etc/default/login" && file_umask_chk
   if [ -z "$l_output2" ]; then
      echo -e " - No files contain a UMASK that is not restrictive enough\n   No UMASK updates required to existing files"
   else
      echo -e "\n - UMASK is not restrictive enough in the following file(s):$l_output2\n\n - Remediation Procedure:\n - Update these files and comment out the UMASK line\n   or update umask to be \"0027\" or more restrictive"
   fi
   if [ -n "$l_output" ]; then
      echo -e "$l_output"
   else
      echo -e " - Configure UMASK in a file in the \"/etc/profile.d/\" directory ending in \".sh\"\n\n   Example Command (Hash to represent being run at a root prompt):\n\n   # printf '%s\\n' \"umask 027\" > /etc/profile.d/50-systemwide_umask.sh\n"
   fi
}

Note:

- This method only applies to bash and sh. If other shells are supported on the system, it is recommended that their configuration files also be checked.
- If the pam_umask.so module is going to be used to set umask, ensure that it is not being overridden by another setting. Refer to the PAM_UMASK(8) man page for more information.

See Also

https://workbench.cisecurity.org/benchmarks/15963

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: a6d700c6c23bf046a30b5403945bbbc20db134346a883dddbc59d2979de04047