oremanj at get-linux.org
Thu Aug 14 11:18:21 PDT 2003
On Thu, Aug 14, 2003 at 03:42:37PM +0200 or thereabouts, Antoine Jacoutot wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi !
> In my way to learn security under FreeBSD, I was wondering if a umask of "066"
> in login.conf was a good or bad idea ?
> Any thoughts ?
> I mean at first, I can't seem to find why this could be wrong, but I'm sure
> there's a reason why the default umask is set to 022.
066 will be *more* secure than 022.
This is because a umask is deducted from the default permission bits of 666 (or 777
for executables) on new files. So a umask of 022 will cause new files to have a mode
of 600 or 711.
Here are some good (and not-so-good) umasks, in order of least- to most-secure:
* 000 (666 or 777 -- PLEASE DO NOT USE)
* 022 (644 or 755 -- default)
* 027 (640 or 750 -- pretty good)
* 077 (600 or 700 -- most secure)
Usually people don't do umasks with a 6 because this can leave *only* executable bits
on some parts of the mode; this is not very useful.
> Thanks in advance.
> - --
> Antoine Jacoutot
> ajacoutot at lphp.org
> PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (FreeBSD)
> -----END PGP SIGNATURE-----
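
The mask arithmetic discussed in this thread, as an added example that is not part of the original message: it clears the umask bits from the requested mode for each umask listed above, then creates a real file and directory under that umask to confirm the result. The function names are made up for this illustration, and a GNU or BSD `stat` is assumed.

```shell
#!/bin/sh
# Added example (constructed for illustration); plain POSIX sh.

# Mode a new object receives: the requested mode with every umask bit cleared.
# $1 = requested mode (666 for files, 777 for directories), $2 = umask.
masked_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Permission bits of an existing path as three octal digits.
# GNU stat takes -c %a, BSD stat takes -f %Lp; try one, then the other.
mode_of() {
    m=$(stat -c %a "$1" 2>/dev/null) || m=$(stat -f %Lp "$1")
    printf '%03o\n' $(( 0$m & 0777 ))
}

# Create a file and a directory under the given umask in a scratch directory
# and print "<file mode> <dir mode>" as the system actually set them.
# The body runs in a subshell, so the caller's umask is left untouched.
observed_modes() (
    scratch=$(mktemp -d) || exit 1
    umask "$1"
    : > "$scratch/f" && mkdir "$scratch/d" &&
        echo "$(mode_of "$scratch/f") $(mode_of "$scratch/d")"
    rm -rf "$scratch"
)

# The umasks named in the thread, including the 066 from the question.
for u in 000 022 027 066 077; do
    printf 'umask %s  computed: file %s dir %s  observed: %s\n' \
        "$u" "$(masked_mode 666 "$u")" "$(masked_mode 777 "$u")" \
        "$(observed_modes "$u")"
done
```

The 066 row shows the case raised in the reply: group and other keep only the execute bit on new directories, while files end up the same as under 077.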