Friday, June 08, 2012

Umask confusion

I've been studying for the LPI LPIC-1 test, which is a basic introduction to Linux certification. So far it's been a very interesting experience, really finding out so much more about the nuts and bolts of Linux. But there is some confusion I'm having, and I find it best to write it out to solve the problem.

One point of confusion is the umask setting and command. Here's a short summary of the subject.

In Linux and UNIX systems, new files and directories are created with a default set of permissions. Keep in mind the following values.

  • Read - 4
  • Write - 2
  • Execute - 1


  • Files - 666
    • Owner - Read, Write
    • Group - Read, Write
    • Other - Read, Write
  • Directories - 777
    • Owner - Read, Write, Execute
    • Group - Read, Write, Execute
    • Other - Read, Write, Execute
The owner is the user account that created the file, the group is the group associated with the file (most often it has the same name as the user), and other is any other account authenticated on the system.

Now the issue is that on a system shared by multiple users, these defaults leave very little protected. How can the Linux system keep files locked down but still allow others access? This is where the umask command comes in. Umask gives the system a default level of security that is applied to every newly created file and directory, a sort of lock-down that you can tune to however secure you want it.

Let's first find out what the current umask setting is.
  1. From your command prompt, run the following command
    1. #umask
  2. You should see a value such as "0022"
For most Linux distributions, the default is 0022. Only the last three digits are used; the first "0" is not used. For this discussion, the digits of the umask mean the following.
  • umask setting of "0022"
    • First "0" - Not used
    • Second "0" - Amount to remove from default settings of owner permission
    • Third "2" - Amount to remove from default settings of group permission
    • Fourth "2" - Amount to remove from default settings of other permission
Sounds confusing but here's how this is calculated. 
  • umask setting of "0022"
    • Files - default is 666
      • Owner - 666 - 0 = 666 
      • Group - 666 - 2 = 664
      • Other - 666 - 2 = 664
    • Directories - default is 777
      • Owner - 777 - 0 = 777
      • Group - 777 - 2 = 775
      • Other - 777 - 2 = 775
As you can see, the setting of "0022" (more commonly written as 022, since the first zero is not used and is dropped) removes permissions for Group and Other. This change is not so restrictive, but if we wanted we could make the system more secure by using a higher umask. For example, 077 removes all permissions for Group and Other, so only the owner of the files keeps the right to read, write and execute.

Now that we know the basics of the umask command, how can we change it? There are really two methods; the first is the umask command itself.
  1. From your command prompt, run the following command
    1. #umask 0026
  2. Now create a directory and file
    1. #mkdir testdir
    2. #touch testfile
  3. Let's see if the permissions are different than before
    1. #ls -l
  4. You should see the following permissions
    1. Testdir - 751 (rwxr-x--x)
    2. Testfile - 640 (rw-r-----)
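To check the calculation above and the 751/640 result from the walkthrough on a real filesystem, here is an added example (not from the original post). It computes the mode the way the kernel does, by clearing the umask bits from the default (mode & ~umask) rather than subtracting digits, then creates a file and a directory under the chosen umask in a temporary directory and compares. The helper names are my own, and it assumes a Linux system with GNU stat (the -c option).

```shell
#!/bin/sh
# apply_umask DEFAULT UMASK -> prints the resulting permission bits in octal.
# Both arguments are octal strings as typed at the shell (666, 777, 022, 0026 ...).
# The umask bits are CLEARED from the default, not subtracted.
apply_umask() {
    _default=$((0$1))      # leading 0 makes the shell read the value as octal
    _mask=$((0$2))
    printf '%03o\n' $(( _default & ~_mask ))
}

# actual_mode PATH -> permission bits the filesystem reports (GNU stat, Linux)
actual_mode() {
    stat -c '%a' "$1"
}

# check_umask UMASK -> returns 0 if the computed modes match what the kernel
# really assigns to a new file (default 666) and a new directory (default 777).
check_umask() {
    _umask=$1
    _tmp=$(mktemp -d) || return 1
    _rc=0
    (
        cd "$_tmp" || exit 1
        umask "$_umask"        # only affects this subshell, just like the post says
        : > testfile && mkdir testdir || exit 1
        [ "$(actual_mode testfile)" = "$(apply_umask 666 "$_umask")" ] || exit 1
        [ "$(actual_mode testdir)"  = "$(apply_umask 777 "$_umask")" ] || exit 1
    ) || _rc=1
    rm -rf "$_tmp"
    return $_rc
}

# Table for the three umasks discussed in the post: 022 (distro default),
# 0026 (the walkthrough) and 077 (owner only).
for m in 022 0026 077; do
    printf 'umask %-4s  file %s  directory %s\n' "$m" \
        "$(apply_umask 666 "$m")" "$(apply_umask 777 "$m")"
done
```

Running it prints 644/755 for 022, 640/751 for 0026 and 600/700 for 077; check_umask 0026 confirms the walkthrough's numbers against real inodes.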
But the change made by the umask command is not permanent (it only lasts for the current shell session); to make it permanent you need to edit /etc/profile. If you view the file you will find that there are actually two values given in it (here we are using CentOS). Why are there two values in the file?

The script in that file checks the user account's UID and, depending on the number, the user receives a umask of either 002 or 022. Remember that service accounts typically have UIDs under 200, while regular user accounts (typically) have UIDs starting at 500. Also, root has the UID of 1, so basically the system is giving a less enforced policy to the more important accounts.

There are two methods to view an account's UID.

  1. From the command prompt, run one of the following commands
    1. #id -u useraccount
      1. The number returned is that account's UID
    2. #cat /etc/passwd
      1. A full listing of all accounts on the system, showing each UID
For more information about umask, here are some very good links to read up on.

1 comment:

Unknown said...

It should be...

Files - default is 666
Owner - 666 - 0 = 666
Group - 666 - 2 = 646
Other - 666 - 2 = 644
Directories - default is 777
Owner - 777 - 0 = 777
Group - 777 - 2 = 757
Other - 777 - 2 = 755