2.1 Ensure the file permissions mask is correct

Information

Files are always created using a default set of permissions. File permissions can be restricted by applying a permissions mask called the umask. The postgres user account should use a umask of 0077 to deny file access to all user accounts except the owner.

Rationale:

The Linux OS defaults the umask to 0022, which means the owner and primary group can read and write the file, and other accounts are permitted to read the file. Not explicitly setting the umask to a value as restrictive as 0077 allows other users to read, write, or even execute files and scripts created by the postgres user account. The alternative to using a umask is explicitly updating file permissions after file creation using the command line utility chmod (a manual and error-prone process that is not advised).

Solution

Depending on the postgres user's environment, the umask is typically set in the initialization file .bash_profile, but may also be set in .profile or .bashrc. To set the umask, append a umask line to the appropriate profile file, as in the following session (note that 077 and 0077 denote the same mask):

# whoami
postgres
# cd ~
# ls -ld .{bash_profile,profile,bashrc}
ls: cannot access .profile: No such file or directory
ls: cannot access .bashrc: No such file or directory
-rwx------. 1 postgres postgres 267 Aug 14 12:59 .bash_profile
# echo 'umask 077' >> .bash_profile
# source .bash_profile
# umask
0077
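The following script is an added example (not part of the CIS benchmark text): it statically audits the three profile files named above under a given home directory and shows what file mode each umask produces. The helper names and the scratch-directory layout are assumptions; the authoritative check remains running umask in a fresh login shell, as shown above.

```sh
#!/bin/sh
# Added example, not part of the CIS benchmark text: a static audit of the
# postgres account's profile files plus a demonstration of what each umask
# does to a newly created file. Helper names and paths are assumptions.

# Succeed if the last "umask" line in FILE clears every group/other bit,
# i.e. the mask is 077 or stricter (0077 and 077 are the same value).
umask_is_restrictive() {
  file="$1"
  [ -r "$file" ] || return 1
  # Later lines override earlier ones, so keep only the last assignment.
  mask=$(grep -E '^[[:space:]]*umask[[:space:]]+[0-7]+' "$file" \
         | tail -n 1 | awk '{print $2}')
  [ -n "$mask" ] || return 1
  # Leading 0 forces octal; 077 octal is 63 decimal.
  [ $(( 0$mask & 077 )) -eq 63 ]
}

# Report each benchmark-named profile file under HOME_DIR. Succeed if at
# least one existing file sets a restrictive umask. This is a static
# approximation; the authoritative check is "umask" in a fresh login shell.
audit_profiles() {
  home_dir="$1"; found=1
  for f in .bash_profile .profile .bashrc; do
    [ -e "$home_dir/$f" ] || continue
    if umask_is_restrictive "$home_dir/$f"; then
      printf 'PASS %s\n' "$home_dir/$f"; found=0
    else
      printf 'FAIL %s: no umask of 077 or stricter\n' "$home_dir/$f"
    fi
  done
  return $found
}

# Create a file under the given umask in a scratch directory and print its
# permission string (e.g. -rw-------). A trailing "." or "+" that ls adds
# for SELinux labels or ACLs is stripped, as seen in the benchmark's output.
mode_after_umask() {
  dir=$(mktemp -d) || return 1
  ( umask "$1" && touch "$dir/probe" )   # subshell: caller's umask untouched
  perms=$(ls -l "$dir/probe" | awk '{print $1}')
  rm -rf "$dir"
  printf '%s\n' "${perms%[.+]}"
}

# Demonstrate the difference the benchmark describes.
printf 'umask 022 -> %s\n' "$(mode_after_umask 022)"
printf 'umask 077 -> %s\n' "$(mode_after_umask 077)"
```

Run it as the postgres user with `audit_profiles "$HOME"` to get a PASS/FAIL line per existing profile file.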

Default Value:

0022

See Also

https://workbench.cisecurity.org/benchmarks/15126

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 9baf2cd98fb9b4e787f04062bdab887e09e7abc0799414b20bef99cd3417be12