Lunar ISO, security - umask change.

Zbigniew Luszpinski zbiggy at o2.pl
Wed Jun 6 11:42:20 CEST 2007


Tuesday 05 of June 2007 23:53:05 Zbigniew Luszpinski wrote:
> Hello,
>
> I think it would be more secure to change default umask from 022 to 077 for
> every normal user by default. It would be a matter of modifying umask in
> ~/.bash_profile

Currently testing /home/*/.bashrc
After logout-login everything seems fine.
All apps seem to be working including KDE, OpenOffice, Firefox, SeaMonkey.
So far I find umask 077 for /home/*/.bashrc to be fully safe and more secure.

> Further consideration and testing could cover:
> -root account
> -/etc/bashrc
> -/etc/profile (except fstab, mtab)
> -other files in /etc/

I have just realised all lined apps would have root access only.
This is definitely not what we want. Forget about this.
Most files and dirs on the system (if not all) are owned by root but allowed
to be read and executed by normal users. If umask 077 were set for root, normal
users could neither run system-wide apps nor enter system-wide directories.
Now it is 755, which is safe and optimal for everyone.

have a nice day,
Zbigniew Luszpinski
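
Added example, not part of the original message: a shell check that creates a file and a directory under umask 022 and under umask 077 and reports the resulting modes, showing why 077 suits a user's home but would lock other users out of anything root installs. The function names are hypothetical, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: observe the modes new files and directories receive under a
# given umask. Everything is created inside a throwaway mktemp directory.

# modes_under_umask UMASK -> prints "FILE_MODE DIR_MODE" in octal.
# Runs in a subshell so the caller's own umask is left unchanged.
modes_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/file"     # files are requested as 666, then masked
        mkdir "$tmp/dir"    # directories are requested as 777, then masked
        # stat -c %a is GNU coreutils syntax (assumption: a Linux system)
        printf '%s %s\n' "$(stat -c %a "$tmp/file")" "$(stat -c %a "$tmp/dir")"
        rm -rf "$tmp"
    )
}

# other_can_use MODE -> succeeds if "other" holds both read and execute bits,
# which is what a normal user needs to run a root-owned program or enter a
# root-owned directory.
other_can_use() {
    [ $(( 0$1 & 05 )) -eq 5 ]
}

# Compare the current default (022) with the proposed one (077).
for mask in 022 077; do
    set -- $(modes_under_umask "$mask")
    if other_can_use "$2"; then
        verdict="other users can enter"
    else
        verdict="other users locked out"
    fi
    printf 'umask %s: file %s, dir %s (%s)\n' "$mask" "$1" "$2" "$verdict"
done
```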

