umask

Joshua Oreman oremanj at get-linux.org
Thu Aug 14 11:18:21 PDT 2003


On Thu, Aug 14, 2003 at 03:42:37PM +0200 or thereabouts, Antoine Jacoutot wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi !
> 
> On my way to learning security under FreeBSD, I was wondering if a umask of "066" 
> in login.conf was a good or bad idea?
> Any thoughts?
> I mean at first, I can't seem to find why this could be wrong, but I'm sure 
> there's a reason why the default umask is set to 022.

066 will be *more* secure than 022.

This is because a umask is deducted from the default permission bits of 666 (or 777
for executables) on new files. So a umask of 022 will cause new files to have a mode
of 600 or 711.

Here are some good (and not-so-good) umasks, in order of least- to most-secure:
* 000  (666 or 777 -- PLEASE DO NOT USE)
* 022  (644 or 755 -- default)
* 027  (640 or 750 -- pretty good)
* 077  (600 or 700 -- most secure)

Usually people don't do umasks with a 6 because this can leave *only* executable bits
on some parts of the mode; this is not very useful.

-- Josh

> 
> Thanks in advance.
> 
> - -- 
> Antoine Jacoutot
> ajacoutot at lphp.org
> http://www.lphp.org
> PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (FreeBSD)
> 
> iD8DBQE/O5HQY3Hnhkr+5cQRArBzAJ0augtR1of8PZp4jES/0951LNtUZQCfQCjb
> go6GiRqK403T0rbU6fjhCdA=
> =pb9d
> -----END PGP SIGNATURE-----
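
The following shell script is an added example, not part of the original message. It checks what each umask discussed in this thread produces: the umask bits are cleared from the requested mode (666 for files, 777 for directories), and the script compares that prediction with a file and directory it actually creates. The function names, the temporary directory and the inclusion of 066 in the list are choices made for this example.

```shell
#!/bin/sh
# Added example: modes produced by a given umask for new files and directories.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Predicted mode: the requested base mode with the umask bits cleared
# (base AND NOT mask). Usage: predict BASE MASK, both octal, e.g. 666 022.
predict() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Observed modes: create a real file and directory under the given umask.
# Prints "FILEMODE DIRMODE". Runs in a subshell so the caller's umask
# is left untouched. Usage: observe MASK
observe() {
    (
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT
        umask "$1"
        : > "$tmp/f"      # the shell requests mode 666 for a new file
        mkdir "$tmp/d"    # mkdir requests mode 777 for a new directory
        echo "$(mode_of "$tmp/f") $(mode_of "$tmp/d")"
    )
}

# Compare prediction and observation for the umasks named in the thread.
report() {
    for m in 000 022 027 066 077; do
        set -- $(observe "$m")
        printf 'umask %s  file %s (predicted %s)  dir %s (predicted %s)\n' \
            "$m" "$1" "$(predict 666 "$m")" "$2" "$(predict 777 "$m")"
    done
}

report
```

To try a value system-wide on FreeBSD, set it in login.conf as the original question describes, log in again, and run `observe` with the same mask to confirm the result.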

