5.4.2.6 Ensure root user umask is configured

Information

The user file-creation mode mask ( umask ) is used to determine the file permission for newly created directories and files. In Linux, the default permissions for any newly created directory is 0777 ( rwxrwxrwx ), and for any newly created file it is 0666 ( rw-rw-rw- ). The umask modifies the default Linux permissions by restricting (masking) these permissions. The umask is not simply subtracted, but is processed bitwise. Bits set in the umask are cleared in the resulting file mode.

umask can be set with either Octal or Symbolic values:

- Octal (Numeric) Value - Represented by either three or four digits. ie umask 0027 or umask 027 If a four digit umask is used, the first digit is ignored. The remaining three digits effect the resulting permissions for user, group, and world/other respectively.
- Symbolic Value - Represented by a comma separated list for User u group g and world/other o The permissions listed are not masked by umask ie a umask set by umask u=rwx,g=rx,o= is the Symbolic equivalent of the Octal umask 027 This umask would set a newly created directory with file mode drwxr-x--- and a newly created file with file mode rw-r-----

root user Shell Configuration Files:

- /root/.bash_profile - Is executed to configure the root users' shell before the initial command prompt. Is only read by login shells.
- /root/.bashrc - Is executed for interactive shells. only read by a shell that's both interactive and non-login

umask is set by order of precedence. If umask is set in multiple locations, this order of precedence will determine the system's default umask

Order of precedence:

- /root/.bash_profile
- /root/.bashrc
- The system default umask

Setting a secure value for umask ensures that users make a conscious choice about their file permissions. A permissive umask value could result in directories or files with excessive permissions that can be read and/or written to by unauthorized users.

Solution

Edit /root/.bash_profile and /root/.bashrc and remove, comment out, or update any line with umask to be 0027 or more restrictive.

See Also

https://workbench.cisecurity.org/benchmarks/17074

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 3a563b22a4acf891ae49af9030f54e8f1e186ba5f4dd0f5fcefe3b5a3e089fd4