In this post I'll show you what umask is and how to use it to set more appropriate and more restrictive permissions of newly created files on a FreeBSD system with the intention to increase the level of security.
If you have used UNIX you must know about permission system and attributes on field and directories. System permissions are divided to registered users, their associated groups and unauthenticated clients (ie the rest of the world).
Let’s consider ownership of newly created files:
$ touch test.txt $ ls -la test.txt -rw-r—r— 1 vagrant vagrant 0 Jan 28 22:53 test.txt
The example above by default sets the permissions on
-rw-r—r— which means the owner user can read and write, the group can read and the rest of the world can also read the file.
Now you may be thinking that’s fine, but what if your file contains sensitive information? Surely you don’t want anyone to access it.
Instead of having to manually change the file permissions every time or having to pass them in when the files are created, UNIX gives us something that is called a UMASK.
What is umask
Umask is short for user mask. In POSIX-compliant OS environments, every process has a user mask that limits permission modes for files it creates. The umask itself specifies permissions that are disallowed, those are effectively subtractions from the otherwise default permissions a file may have.
The default is FreeBSD is 022. This means when you create a new file, the following permissions are set:
- 0: no permissions from the user ownership will be revoked
- 2: writing and executing will be revoked for groups
- 2: writing and executing will be revoked for others
Remember how our test file had the following permissions:
Setting the default umask
For most users the default 022 umask is just fine, however if you are like me and prefer a little bit of added security, you may want to change this. More appropriate permissions would grant full access to users, limited (read-only) access to groups and no rights for other users.
FreeBSD stores these settings in
/etc/login.conf like below (some additional settings were omitted for clarity):
Pick up your favourite editor and change umask to 027 and save the file. Remember to reload configuration on the system:
$ sudo cap_mkdb /etc/login.conf
NOTE: New umask settings won’t be applied to existing processes, permissions will be changed once your users log back in.
If you log out and log back in, we can test the changes by creating a new file:
$ touch test2.txt $ ls -la test2.txt -rw-r—— 1 vagrant vagrant 0 Jan 28 23:19 test2.txt
As you can see newly created files won’t be readable by unprivileged users (others) any more. Further permission subtractions could be achieved with different values, however I’d advise you to stay within reasonable values and find the right balance between security and convenience. (Your groups probably still need to read files and list directory contents, etc.)
(The post image is made by tigos2 and licensed under a Creative Commons Attribution 3.0 License)
I'm a Ruby/JS dev/trainer with a focus on quality. An ex-Londoner, @terracycle, @ubxd, @lastfm. Follow me at http://twitter.com/attilagyorffy