In all Unix systems does [umask 077] mean read and write permission
for user and no permissions for group and others? Why is it in several
files (.login, .zlogin, .zshrc)?
> Hi!
> In all Unix systems does [umask 077] mean read and write permission
> for user and no permissions for group and others?

No. umask 077 means "remove any group read, write, execute or other read, write,

> Why is it in several
> files (.login, .zlogin, .zshrc)?

Because these files are executed by various login procedures, and the sysadm is
IT Consultant, Enterprise Technology Solutions
Toronto Dominion Bank Financial Group
(Opinions expressed are my own, not my employers')
> Hi!
> In all Unix systems does [umask 077] mean read and write permission
> for user and no permissions for group and others? Why is it in several
> files (.login, .zlogin, .zshrc)?

No. umask is used to deny permissions.

umask 0777 states that read-write-execute permissions are to be denied to
the owner's group and everyone else.
Winnipeg, Manitoba, Canada
I am not a sysadmin, but I am helping to administer a lab consisting primarily
of HP and Sun workstations (hp-ux 9.05, solaris 5.5).

We have been handed a security protocol document instructing that there is
an unreasonable security risk involved in allowing users access to the umask and
chmod commands, and that henceforth the umask for all users shall be 027 and
neither umask nor chmod will be accessible to users, and that in the future
all file protection changes must be authorized in advance by a security person.
Such authorizations would typically take at least half a day.

Naturally, the lab users are going ballistic. We have a development lab, and
chmod is among the more frequently used commands, whether to change protection
on scripts, load files from tapes or ftp, put items on our intranet web server,
share files, restrict files, etc. umask is mostly a convenience; some users
already use 027 for everything, and others use 002. Depends on projects and
tools being used.

The decree is not cast in stone, it's just written by clueless people.

I have a few questions (may be obvious, but I'm asking anyway), please answer:

1. Are there any good tools/aliases which will provide users with the necessary
functionality while also providing a log/audit trail?

2. Are there any instances of serious security breaches as a result of user
misuse of either of those commands? Obviously, a umask of 000 tends not to be
a good idea for most labs, but an example or two might be nice (or anything
which can show that the risk is minimal).

By the way, if anyone reading this is in a lab with similar restrictions, could
you please comment on the impact of those restrictions?

Thanks for any information.
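As an added example (not from any poster in this thread), the following Python script works out what the umask replies above mean in practice and what the lab's 027 decree, the 002 used by some users, 077 and 000 each produce: it computes the mode a process creates for files and directories under each umask and checks the arithmetic against what the kernel actually stores. It assumes a POSIX system and that programs request the usual 0666 for files and 0777 for directories.

```python
import os
import stat
import tempfile

# A typical Unix program asks for 0666 when creating a file and 0777 when
# creating a directory. The kernel clears every bit that is set in the
# process umask, so the stored mode is requested & ~umask: a umask can only
# take permissions away, never grant them.
FILE_BASE = 0o666
DIR_BASE = 0o777

# The umasks discussed in this thread (labels are ours).
UMASKS = {"lab decree": 0o027, "shared projects": 0o002,
          "private": 0o077, "wide open": 0o000}

def effective_mode(requested, umask):
    """Permission bits that survive once the umask has been applied."""
    return requested & ~umask & 0o777

def creation_modes(umask):
    """(file mode, directory mode) a process with this umask creates."""
    return effective_mode(FILE_BASE, umask), effective_mode(DIR_BASE, umask)

def others_can_read(mode):
    """True when users outside the owner's group can read the object."""
    return bool(mode & stat.S_IROTH)

def observed_modes(umask):
    """Create a file and a directory under the given umask (POSIX assumed)
    and read back the permission bits the kernel actually stored."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            fpath, dpath = os.path.join(tmp, "f"), os.path.join(tmp, "d")
            with open(fpath, "w"):      # open() requests 0666
                pass
            os.mkdir(dpath)             # mkdir() requests 0777
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(old)                   # restore the caller's umask

if __name__ == "__main__":
    for label, um in UMASKS.items():
        fmode, dmode = creation_modes(um)
        assert (fmode, dmode) == observed_modes(um)
        print(f"umask {um:03o} ({label}): file {fmode:04o}, dir {dmode:04o}, "
              f"world-readable: {others_can_read(fmode)}")
```

Under 027 new files come out 640 and directories 750, so the group can read but nobody outside it can; under 002 everything is world-readable, and under 000 world-writable as well, which is the exposure the "deny permissions" replies are describing.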