Date:      Thu, 14 Aug 2003 11:19:47 -0700
From:      Joshua Oreman <oremanj@get-linux.org>
To:        Antoine Jacoutot <ajacoutot@lphp.org>
Cc:        questions@freebsd.org
Subject:   Re: umask
Message-ID:  <20030814181947.GC8728@webserver>
In-Reply-To: <200308141542.40587.ajacoutot@lphp.org>
References:  <200308141542.40587.ajacoutot@lphp.org>

On Thu, Aug 14, 2003 at 03:42:37PM +0200 or thereabouts, Antoine Jacoutot wrote:
> Hi !
> 
> In my way to learn security under FreeBSD, I was wondering if a umask of "066" 
> in login.conf was a good or bad idea ?
> Any thoughts ?
> I mean at first, I can't seem to find why this could be wrong, but I'm sure 
> there's a reason why the default umask is set to 022.

066 will be *more* secure than 022.

This is because a umask is deducted from the default permission bits of 666 (or 777
for executables) on new files. So a umask of 022 will cause new files to have a mode
of 600 or 711.

Here are some good (and not-so-good) umasks, in order of least- to most-secure:
* 000  (666 or 777 -- PLEASE DO NOT USE)
* 022  (644 or 755 -- default)
* 027  (640 or 750 -- pretty good)
* 077  (600 or 700 -- most secure)

Usually people don't do umasks with a 6 because this can leave *only* executable bits
on some parts of the mode; this is not very useful.

-- Josh

> 
> Thanks in advance.
> 
> - -- 
> Antoine Jacoutot
> ajacoutot@lphp.org
> http://www.lphp.org
> PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc
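
How each mask named in this thread is applied, as an added example that is not part of the original messages: the mask's bits are cleared from the requested mode (666 for files, 777 for directories), checked here both by arithmetic and by creating real objects. The function names are made up for illustration; `stat -c %a` (GNU) and `stat -f %Lp` (BSD) are tried in turn.

```shell
#!/bin/sh
# Added example: what a umask does to newly created files and directories.

# mode_of PATH: print octal permission bits (GNU stat first, then BSD stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# predicted_modes MASK: "<file> <dir>" computed as requested & ~mask.
# Bits are cleared, not subtracted, so 666 with mask 077 gives 600.
predicted_modes() {
    printf '%03o %03o\n' $(( 0666 & ~0$1 )) $(( 0777 & ~0$1 ))
}

# created_modes MASK: "<file> <dir>" as actually set on objects created
# under MASK in a scratch directory (subshell keeps the caller's umask).
created_modes() {
    (
        d=$(mktemp -d "${TMPDIR:-/tmp}/umask.XXXXXX") || exit 1
        cd "$d" || exit 1
        umask "$1"
        : > f        # the shell requests 0666
        mkdir dir    # mkdir requests 0777
        echo "$(mode_of f) $(mode_of dir)"
        cd / && rm -rf "$d"
    )
}

# exec_only MASK: true if group or other ends up with execute as the only
# bit on a 777 request (the case where a mask digit is 6).
exec_only() {
    m=$(( 0777 & ~0$1 ))
    [ $(( (m & 070) == 010 || (m & 007) == 001 )) -eq 1 ]
}

# Masks from the thread: the four listed ones plus the 066 being asked about.
for mask in 000 022 027 066 077; do
    note=""
    if exec_only "$mask"; then note="  (execute-only for group/other)"; fi
    echo "umask $mask: predicted $(predicted_modes "$mask"), created $(created_modes "$mask")$note"
done
```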
