5.4.5 Ensure default user umask is configured

Information

The user file-creation mode mask (umask) is used to determine the file permissions for newly created directories and files. In Linux, the default permissions for any newly created directory are 0777 (rwxrwxrwx), and for any newly created file they are 0666 (rw-rw-rw-). The umask modifies the default Linux permissions by restricting (masking) these permissions. The umask is not simply subtracted, but is processed bitwise: bits set in the umask are cleared in the resulting file mode.

- The user creating the directories or files has the discretion of changing the permissions by:
  - Issuing the chmod command
  - Choosing a different default umask
  - Adding the umask command into a User Shell Configuration File (.bash_profile or .bashrc) in their home directory

- In a symbolic umask, the permissions listed are the ones that are kept, not masked: i.e., a umask set by umask u=rwx,g=rx,o= is the symbolic equivalent of the octal umask 027. This umask would give a newly created directory the file mode drwxr-x--- and a newly created file the file mode rw-r-----.
- umask can be set with either octal or symbolic values:
  - Octal (Numeric) Value - Represented by either three or four digits, i.e. umask 0027 or umask 027. If a four-digit umask is used, the first digit is ignored. The remaining three digits affect the resulting permissions for user, group, and world/other respectively.
  - Symbolic Value - Represented by a comma-separated list for user (u), group (g), and world/other (o).
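The bitwise rule above, as an added example that is not part of the benchmark text: the script applies an octal or symbolic umask to the 0777 directory and 0666 file defaults with a bitwise AND-NOT, converts symbolic values with the shell's own umask builtin in a subshell, and renders the result as an ls-style mode string. All function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): umask is applied bitwise,
# not subtracted. Every bit set in the mask is cleared from the base mode.

# apply_umask BASE MASK -> resulting mode as three octal digits.
# A leading 0 forces octal arithmetic; a fourth (leading) umask digit cannot
# survive because BASE never has bits above 0777.
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# octal_from_symbolic SYMBOLIC -> three octal digits, using the shell's umask
# builtin inside a command substitution so the caller's umask is not changed.
octal_from_symbolic() {
    oct=$( umask "$1" && umask )
    printf '%03o\n' "$(( 0$oct ))"
}

# mode_to_string 750 -> rwxr-x---
mode_to_string() {
    m=$(( 0$1 )); out=""
    for s in 6 3 0; do                     # user, group, other triplets
        bits=$(( (m >> s) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# show_effect MASK: print what a new directory and a new file would get.
show_effect() {
    mask=$1
    case $mask in
        *=*) mask=$(octal_from_symbolic "$mask") ;;   # symbolic -> octal
    esac
    dir=$(apply_umask 777 "$mask")
    file=$(apply_umask 666 "$mask")
    printf 'umask %-16s dir d%s (%s)  file -%s (%s)\n' \
        "$1" "$(mode_to_string "$dir")" "$dir" "$(mode_to_string "$file")" "$file"
}

show_effect 022
show_effect 027
show_effect 0027
show_effect 'u=rwx,g=rx,o='
```

Running it shows 027 and 0027 producing the same drwxr-x--- directory and rw-r----- file, and the symbolic form u=rwx,g=rx,o= normalising to 027; the subtraction intuition breaks for masks such as 0277 applied to a 0666 file, where the bitwise result is 0400 rather than a negative or meaningless number.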

System Wide Shell Configuration Files:

- /etc/profile - used to set system wide environmental variables on users' shells. The variables are sometimes the same ones that are in the .bash_profile; however, this file is used to set an initial PATH or PS1 for all shell users of the system. It is only executed for interactive login shells, or shells executed with the --login parameter.
- /etc/profile.d - /etc/profile will execute the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environmental variables.
- /etc/bash.bashrc - System wide version of .bashrc. /etc/bashrc also invokes /etc/profile.d/*.sh if it is a non-login shell, but redirects output to /dev/null if non-interactive. It is only executed for interactive shells or if BASH_ENV is set to /etc/bashrc.

User Shell Configuration Files:

- ~/.bash_profile - Is executed to configure your shell before the initial command prompt. It is only read by login shells.
- ~/.bashrc - Is executed for interactive shells. It is only read by a shell that's both interactive and non-login.

Setting a secure default value for umask ensures that users make a conscious choice about their file permissions. A permissive umask value could result in directories or files with excessive permissions that can be read and/or written to by unauthorized users.

Notes:

- The audit and remediation in this recommendation apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked.
- Other methods of setting a default user umask exist.
- If other methods are in use in your environment they should be audited and the shell configs should be verified to not override.

Solution

Configure umask in one of the following locations:

- /etc/login.defs - Recommended
- A file ending in .sh in the /etc/profile.d/ directory
- /etc/default/login
- /etc/profile.local
- /etc/profile - This is not recommended, may be updated/overwritten by YaST2 Online Update

Example:

Edit /etc/login.defs and add or modify the UMASK line:

UMASK 027

Review files ending in .sh in the /etc/profile.d/ directory, and the files /etc/bash.bashrc, /etc/profile and /etc/profile.local. Remove or edit all umask entries to follow local site policy. Any remaining entries should be umask 027, umask u=rwx,g=rx,o=, or more restrictive.
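The review step above, as an added audit helper that is not the benchmark's own script: it checks the UMASK line of a login.defs-style file and every "umask" entry in the listed shell configuration files against the 027 floor. "More restrictive" is evaluated bitwise, so every bit set in 027 must also be set in the entry (077 and 037 pass; 022 and 026 fail). The function names, the REQUIRED variable and the sample files written by demo are assumptions; audit_system uses the benchmark's real file list and only reads them.

```shell
#!/bin/sh
# Added audit helper (not the benchmark's own script): checks UMASK in a
# login.defs-style file and every "umask" entry in shell configuration files
# against the 027 floor, treating "more restrictive" as a bitwise superset.

REQUIRED=027   # site policy floor; every bit set here must be set in each entry

# normalize_umask VALUE -> three octal digits, accepting octal or symbolic
# input; uses the shell's umask builtin in a subshell so nothing leaks out.
normalize_umask() {
    oct=$( umask "$1" 2>/dev/null && umask ) || return 1
    printf '%03o\n' "$(( 0$oct ))"
}

# umask_is_compliant VALUE -> exit 0 when VALUE keeps every bit of $REQUIRED.
umask_is_compliant() {
    m=$(normalize_umask "$1") || return 1
    [ $(( 0$m & 0$REQUIRED )) -eq $(( 0$REQUIRED )) ]
}

# audit_login_defs FILE -> exit 0 when the last "UMASK value" line is compliant;
# a missing UMASK line counts as a failure.
audit_login_defs() {
    v=$(awk '$1 == "UMASK" && NF >= 2 { print $2 }' "$1" | tail -n 1)
    [ -n "$v" ] && umask_is_compliant "$v"
}

# audit_shell_file FILE -> prints a verdict per "umask value" line; exit 1
# if any entry is more permissive than $REQUIRED. Files with no entry pass.
audit_shell_file() {
    rc=0
    for v in $(awk '$1 == "umask" && NF >= 2 { print $2 }' "$1"); do
        if umask_is_compliant "$v"; then
            printf '%s: umask %s ok\n' "$1" "$v"
        else
            printf '%s: umask %s too permissive (need %s or stricter)\n' "$1" "$v" "$REQUIRED"
            rc=1
        fi
    done
    return $rc
}

# audit_system: the benchmark's file list on a real host (read-only).
audit_system() {
    rc=0
    audit_login_defs /etc/login.defs || { echo "/etc/login.defs: UMASK missing or too permissive"; rc=1; }
    for f in /etc/profile.d/*.sh /etc/bash.bashrc /etc/profile /etc/profile.local; do
        [ -f "$f" ] || continue
        audit_shell_file "$f" || rc=1
    done
    return $rc
}

# demo: constructed sample files so the check can be exercised offline.
demo() {
    tmp=$(mktemp -d)
    printf 'UMASK 027\n' > "$tmp/login.defs"
    printf '# constructed sample\numask 022\numask u=rwx,g=rx,o=\numask 077\n' > "$tmp/umask.sh"
    audit_login_defs "$tmp/login.defs" && echo "$tmp/login.defs: UMASK ok"
    audit_shell_file "$tmp/umask.sh" || echo "$tmp/umask.sh: needs remediation"
    rm -rf "$tmp"
}
demo
```

Run audit_system on a host to walk the benchmark's file list; the bitwise comparison matters because a numeric "027 or greater" test would wrongly accept 030 (which leaves group-write open) and wrongly reject 077 (which is stricter).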

See Also

https://workbench.cisecurity.org/benchmarks/8498