Post by Penna Ela » Sat, 12 Apr 2003 19:50:28


In all Unix systems does [umask 077] mean read and write permission
for user and no permissions for group and others? Why is it in several
files (.login, .zlogin, .zshrc)?



Post by Lew Pitcher » Sat, 12 Apr 2003 20:57:26


> In all Unix systems does [umask 077] mean read and write permission
> for user and no permissions for group and others?

No. umask 077 means "remove any group read, write, execute or other read, write,
execute permissions" on creat()ed files. The umask does not assert permissions,
it removes them.

> Why is it in several
> files (.login, .zlogin, .zshrc)?

Because these files are executed by various login procedures, and the sysadm is
trying to make sure that the user gets the same starting umask no matter which
login procedure s/he enters the system through.

Lew Pitcher
IT Consultant, Enterprise Technology Solutions
Toronto Dominion Bank Financial Group

(Opinions expressed are my own, not my employers')



Post by Barry Kimelman » Sat, 12 Apr 2003 22:29:59

[This followup was posted to comp.unix.questions]

> Hi!
>
> In all Unix systems does [umask 077] mean read and write permission
> for user and no permissions for group and others? Why is it in several
> files (.login, .zlogin, .zshrc)?

No. umask is used to deny permissions.

umask 0777 states that read-write-execute permissions are to be denied to
the owner's group and everyone else.


Barry Kimelman
Winnipeg, Manitoba, Canada
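To make the two answers above concrete (Lew Pitcher's point that the umask only removes bits, and Barry Kimelman's that it denies permissions), here is an added example that is not from any post in this thread. It predicts the mode with the arithmetic the kernel applies (requested mode AND NOT umask) and then creates a real file and directory under each umask mentioned in the thread to confirm it. The helper names effective_mode, observed_mode and create_with_umask are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: what a umask actually does.
# creat()/open(O_CREAT) and mkdir() ask the kernel for a mode: the shell asks
# for 0666 when a redirection creates a file, and mkdir asks for 0777.  The
# kernel then clears every bit that is set in the process umask:
#     final = requested & ~umask
# The umask can only take bits away; it never adds any.  That is why
# "umask 077" yields 600 files (no execute bit to keep) and 700 directories.

# effective_mode REQUESTED UMASK -> prints requested & ~umask in octal
effective_mode() {
    req=$((0$1))        # a leading 0 makes $(( )) parse the value as octal
    msk=$((0$2))
    printf '%o\n' $(( req & ~msk & 0777 ))
}

# observed_mode PATH -> octal permission bits parsed from `ls -ld`
# (parsing ls avoids the GNU `stat -c` / BSD `stat -f` incompatibility)
observed_mode() {
    p=$(ls -ld "$1" | cut -c2-10)       # e.g. rw-r-----
    val=0
    i=1
    while [ "$i" -le 9 ]; do
        case $(printf '%s\n' "$p" | cut -c"$i") in
            r|w|x|s|t) val=$((val * 2 + 1)) ;;   # lowercase s/t: exec bit is set
            *)         val=$((val * 2)) ;;       # '-' or uppercase S/T: bit clear
        esac
        i=$((i + 1))
    done
    printf '%o\n' "$val"
}

# create_with_umask UMASK -> "FILEMODE DIRMODE" as really created under that umask
create_with_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"          # changed only inside this subshell
        : > "$tmp/f"        # shell redirection: open(O_CREAT, 0666)
        mkdir "$tmp/d"      # mkdir(0777)
    )
    printf '%s %s\n' "$(observed_mode "$tmp/f")" "$(observed_mode "$tmp/d")"
    rm -rf "$tmp"
}

# Demo: the umasks mentioned in the thread, predicted versus observed
for m in 077 027 022 002; do
    printf 'umask %s: predicted file %s dir %s, observed %s\n' \
        "$m" "$(effective_mode 0666 "$m")" "$(effective_mode 0777 "$m")" \
        "$(create_with_umask "$m")"
done
```

Two things worth noticing in the output: umask 077 gives 600 files rather than 700, because the shell asked for 0666 and there was never an execute bit for the umask to keep; and a program that explicitly asks for a tighter mode (say 0600) gets it regardless of a looser umask such as 022, because the umask cannot add the group read bit back. Only chmod asserts bits.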


1. question on umask and chmod

I am not a sysadmin, but I am helping to administer a lab consisting primarily
of HP and Sun workstations (hp-ux 9.05, solaris 5.5).

We have been handed a security protocol document instructing that there is
an unreasonable security risk involved in allowing users access to the umask and
chmod commands, and that henceforth the umask for all users shall be 027 and
neither umask nor chmod will be accessible to users, and that in the future
all file protection changes must be authorized in advance by a security person.
Such authorizations would typically take at least half a day.

Naturally, the lab users are going ballistic.  We have a development lab, and
chmod is among the more frequently used commands, whether to change protection
on scripts, load files from tapes or ftp, put items on our intranet web server,
share files, restrict files, etc.  umask is mostly a convenience; some users
already use 027 for everything, and others use 002, depending on the projects
and tools being used.

The decree is not cast in stone, it's just written by clueless people.
I have a few questions (may be obvious, but I'm asking anyway), please answer
via email:
1.  Are there any good tools/aliases which will provide users with the necessary
functionality while also providing a log/audit trail?
2.  Are there any instances of serious security breaches as a result of user
misuse of either of those commands?  Obviously, a umask of 000 tends not to be
a good idea for most labs, but an example or two might be nice (or anything
which can show that the risk is minimal).

By the way, if anyone reading this is in a lab with similar restrictions, could
you please comment on the impact of those restrictions?

Thanks for any information.
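The first question in the post above, a way to keep chmod usable while leaving an audit trail, can be handled with a shell function sourced from the same login files (.profile, .zshrc) that set the umask. The following is an added example, not something from the thread or from any named tool; the function names audit_chmod and mode_of and the CHMOD_AUDIT_LOG variable are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: a chmod wrapper that keeps an audit trail.
# Source this from a login script and add   alias chmod=audit_chmod   so that
# every interactive chmod records who changed what, from where, and the mode
# before and after, then runs the real chmod.  CHMOD_AUDIT_LOG is a name
# assumed by this example, not a standard variable.

: "${CHMOD_AUDIT_LOG:=${HOME}/.chmod_audit.log}"

# mode_of PATH -> the 10-character mode string as `ls -ld` prints it
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# audit_chmod MODE PATH... -> runs chmod MODE on each path, appending one log
# line per path; returns the exit status of the first chmod that fails
audit_chmod() {
    mode=$1; shift
    stamp=$(date '+%Y-%m-%dT%H:%M:%S')
    who=${LOGNAME:-$(id -un)}
    for path do
        before=$(mode_of "$path")
        # `command` bypasses the alias so this never recurses into itself
        if command chmod "$mode" "$path"; then rc=0; else rc=$?; fi
        after=$(mode_of "$path")
        printf '%s user=%s cwd=%s mode=%s path=%s before=%s after=%s rc=%s\n' \
            "$stamp" "$who" "$PWD" "$mode" "$path" "$before" "$after" "$rc" \
            >> "$CHMOD_AUDIT_LOG"
        [ "$rc" -eq 0 ] || return "$rc"
    done
}
```

Two caveats. The wrapper takes the mode as its first argument, so options such as `-R` that precede the mode are not handled as written. More importantly, an alias is a convenience for cooperative users, not a control: `command chmod`, `/bin/chmod`, or a script that calls chmod() directly all bypass it, so the log records normal use but cannot enforce the policy the post describes.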
