5.4.4 Ensure default user umask is 027 or more restrictive - default

Information

The user file-creation mode mask (umask) is used to determine the file permissions for newly created directories and files. In Linux, the default permissions for any newly created directory are 0777 (rwxrwxrwx), and for any newly created file they are 0666 (rw-rw-rw-). The umask modifies these default Linux permissions by restricting (masking) them. The umask is not simply subtracted, but is processed bitwise: bits set in the umask are cleared in the resulting file mode.

umask can be set with either octal or symbolic values:

Octal (Numeric) Value - Represented by either three or four digits, e.g. umask 0027 or umask 027. If a four-digit umask is used, the first digit is ignored. The remaining three digits affect the resulting permissions for user, group, and world/other respectively.

Symbolic Value - Represented by a comma-separated list for user (u), group (g), and world/other (o). The permissions listed are the ones that are not masked by the umask, e.g. a umask set by umask u=rwx,g=rx,o= is the symbolic equivalent of the octal umask 027. This umask would give a newly created directory the file mode drwxr-x--- and a newly created file the file mode rw-r-----.
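The bitwise behaviour described above is easy to get wrong when reasoning by hand, so here is a small added example (not part of the benchmark text) that computes the stored mode exactly as the kernel does, requested mode AND NOT umask, and renders it in ls -l form. The function names and the default 0777/0666 request modes are the example's own; the subtraction_differs helper shows a case where treating the umask as a number to subtract gives a different, meaningless answer.

```python
# Added example: how a umask is combined with the requested creation mode.
# Bits set in the umask are cleared from the mode; nothing is subtracted.

DEFAULT_DIR_MODE = 0o777   # mkdir(2) normally requests rwxrwxrwx
DEFAULT_FILE_MODE = 0o666  # open(2) with O_CREAT normally requests rw-rw-rw-


def apply_umask(requested: int, umask: int) -> int:
    """Return the mode the kernel actually stores: requested AND NOT umask."""
    return requested & ~umask & 0o777


def mode_string(mode: int, is_dir: bool = False) -> str:
    """Render a permission value the way `ls -l` shows it, e.g. drwxr-x---."""
    bits = "rwx" * 3  # user, group, other; bit 8 is user-read, bit 0 is other-execute
    body = "".join(ch if mode & (1 << (8 - i)) else "-" for i, ch in enumerate(bits))
    return ("d" if is_dir else "-") + body


def new_dir_mode(umask: int) -> str:
    """ls -l style mode of a directory created under this umask."""
    return mode_string(apply_umask(DEFAULT_DIR_MODE, umask), is_dir=True)


def new_file_mode(umask: int) -> str:
    """ls -l style mode of a regular file created under this umask."""
    return mode_string(apply_umask(DEFAULT_FILE_MODE, umask))


def subtraction_differs(requested: int, umask: int) -> bool:
    """True when naive octal subtraction would give a different (wrong) result."""
    return ((requested - umask) & 0o777) != apply_umask(requested, umask)


if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o077):
        print(f"umask {mask:03o}: dir {new_dir_mode(mask)}  file {new_file_mode(mask)}")
    # 0o666 & ~0o177 == 0o600 (rw-------), whereas 0o666 - 0o177 == 0o467
    print("subtraction wrong for 0666/0177:", subtraction_differs(0o666, 0o177))
```

Running it prints the directory and file modes for the three umasks discussed in the Rationale (022, 027, 077); the 027 row reproduces the drwxr-x--- and rw-r----- modes quoted above.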

The pam_umask module will set the umask according to the system default in /etc/login.defs and user settings, solving the problem of different umask settings with different shells, display managers, remote sessions, etc. The default umask can also be set in a system wide shell configuration file.

System Wide Shell Configuration Files:

/etc/profile - Used to set system wide environment variables on users' shells. The variables are sometimes the same ones that are in .profile; however, this file is used to set an initial PATH or PS1 for all shell users of the system. It is only executed for interactive login shells, or shells executed with the --login parameter.

/etc/profile.d - /etc/profile executes the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environment variables.

/etc/bash.bashrc - System wide version of .bashrc. This file also invokes /etc/profile.d/*.sh for non-login shells, but redirects output to /dev/null if the shell is non-interactive. It is only executed for interactive shells, or if BASH_ENV is set to /etc/bash.bashrc.

User Shell Configuration Files:

~/.profile - Executed to configure your shell before the initial command prompt. Only read by login shells.

~/.bashrc - Executed for interactive shells; only read by a shell that is both interactive and non-login.

Notes:

The UMASK value in the /etc/login.defs file is interpreted as octal.

Other methods of setting a default user umask exist.

If other methods are in use in your environment, they should be audited.

The default user umask can be overridden with a user specific umask.

/etc/pam.d/login can be used to set the user specific umask at login.

The user creating the directories or files has the discretion to change the permissions:

Using the chmod command

Setting a different default umask by adding the umask command to a user shell configuration file (.bash_profile or .bashrc) in their home directory

Manually changing the umask for the duration of a login session by running the umask command

Rationale:

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system.

Solution

Edit /etc/login.defs and add or edit the UMASK line to read:

UMASK 027

Edit /etc/pam.d/common-session and add or edit the following:

session optional pam_umask.so

Run the following command and remove or modify the umask of any returned files:

# grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/profile* /etc/bash.bashrc*
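The grep above flags any uncommented umask setting that leaves group-write or any world/other permission unmasked, in either octal or symbolic form. The following added example (my own reimplementation, not the benchmark's audit procedure or a Tenable plugin) expresses the same rule as a small Python checker, so the logic can be read and unit-tested rather than inferred from the regular expression. The sample file contents are constructed for the example; the regex, the symbolic-to-octal conversion and the "at least as restrictive as 027" test are the example's own, and a symbolic value that omits a class is treated as not guaranteeing anything for that class.

```python
import re

# Added example: audit umask settings in shell/login configuration text.
# Matches an uncommented "umask <value>" (case-insensitive, as login.defs uses UMASK).
# Everything after '#' is ignored, so "# umask 022" is not a finding.
UMASK_RE = re.compile(r"^[^#]*?\bumask\s+(?P<value>[0-7]{1,4}|[ugo=rwx,]+)", re.IGNORECASE)

# Benchmark requirement: 027 or more restrictive, i.e. these bits must be masked.
REQUIRED_MASK = 0o027

_PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def symbolic_to_octal(spec: str) -> int:
    """Convert 'u=rwx,g=rx,o=' (permissions kept) into the octal umask (bits cleared).

    A class not mentioned in the spec is treated as fully kept (7), because the
    line itself does not guarantee that anything is masked for that class.
    """
    kept = {"u": 7, "g": 7, "o": 7}
    for part in spec.split(","):
        if not part:
            continue
        who, _, perms = part.partition("=")
        if who not in kept or not set(perms) <= set("rwx"):
            raise ValueError(f"unsupported symbolic umask: {spec!r}")
        kept[who] = sum(val for ch, val in _PERM_BITS if ch in perms)
    return 0o777 & ~((kept["u"] << 6) | (kept["g"] << 3) | kept["o"])


def umask_value(line: str):
    """Return the octal umask a configuration line sets, or None if it sets none."""
    m = UMASK_RE.search(line)
    if not m:
        return None
    value = m.group("value")
    if value.isdigit():
        return int(value, 8) & 0o777  # a leading fourth digit is ignored, as for login.defs
    return symbolic_to_octal(value)


def is_restrictive_enough(umask: int, required: int = REQUIRED_MASK) -> bool:
    """True when every bit the benchmark requires masked is masked (bitwise, not <=)."""
    return umask & required == required


def audit(files: dict) -> list:
    """Return (path, line number, umask) for each setting weaker than the requirement."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            mask = umask_value(line)
            if mask is not None and not is_restrictive_enough(mask):
                findings.append((path, lineno, f"{mask:03o}"))
    return findings


# Constructed sample contents, standing in for the files the benchmark greps.
SAMPLE_FILES = {
    "/etc/login.defs": "# UMASK 022 (commented out, ignored)\nUMASK 027\n",
    "/etc/profile": "export PATH\numask 022   # weaker than 027\n",
    "/etc/profile.d/local.sh": "umask u=rwx,g=rx,o=\n",
    "/etc/bash.bashrc": 'if [ -n "$BASH" ]; then umask 0077; fi\n',
    "/etc/profile.d/weak.sh": "umask u=rwx,g=rwx,o=rx\n",
}

if __name__ == "__main__":
    for path, lineno, mask in audit(SAMPLE_FILES):
        print(f"{path}:{lineno}: umask {mask} is weaker than {REQUIRED_MASK:03o}")
```

Note the comparison: 077 passes because 077 & 027 == 027, while 022 fails because the group-write bit is not masked. That is why the check must be a bitwise test on the required bits and not a numeric comparison against 027.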

Default Value:

UMASK 022

See Also

https://workbench.cisecurity.org/files/2873