What are the cons, for having a restrictive umask of 077? A lot of distros (I believe all, except Red Hat? ) have a default umask of 022, configured in /etc/profile. This seems way too insecure for a non-desktop system, which multiple users are accessing, and security is of concern.
On a related note, on Ubuntu, the users' home directories are also created with 755 permissions, and the installer states that this is for making it easier for users to share files. Assuming that users' are comfortable setting permissions by hand to make files shared, this is not a problem.
What other downsides are there?
Best Answer
022 makes things convenient. 077 makes things less convenient, but depending on the circumstances and usage profile, it might not be any less convenient than having to use
sudo
.I would argue that, like
sudo
, the actual, measurable security benefit you gain from this is negligible compared to the level of pain you inflict on yourself and your users. As a consultant, I have been scorned for my views onsudo
and challenged to break numeroussudo
setups, and I have yet to take more than 15 seconds to do so. Your call.Knowing about
umask
is good, but it's just a single Corn Flake in the "complete breakfast". Maybe you should be asking yourself "Before I go mucking with default configs, the consistency of which will need to be maintained across installs, and which will need to be documented and justified to people who aren't dim-witted, what's this gonna buy me?"Umask is also a bash built-in that is settable by individual users in their shell initialization files (
~/.bash*
), so you're not really able to easily enforce theumask
. It's just a default. In other words, it's not buying you much.