From: Joshua Oreman
To: Antoine Jacoutot
Cc: questions@freebsd.org
Date: Thu, 14 Aug 2003 11:19:47 -0700
Subject: Re: umask

On Thu, Aug 14, 2003 at 03:42:37PM +0200 or thereabouts, Antoine Jacoutot wrote:
> Hi !
>
> In my way to learn security under FreeBSD, I was wondering if a umask of "066"
> in login.conf was a good or bad idea ?
> Any thoughts ?
> I mean at first, I can't seem to find why this could be wrong, but I'm sure
> there's a reason why the default umask is set to 022.

066 will be *more* secure than 022. This is because a umask is deducted
from the default permission bits of 666 (or 777 for executables) on new
files. So a umask of 022 will cause new files to have a mode of 600 or 711.

Here are some good (and not-so-good) umasks, in order of least- to most-secure:

 * 000 (666 or 777 -- PLEASE DO NOT USE)
 * 022 (644 or 755 -- default)
 * 027 (640 or 750 -- pretty good)
 * 077 (600 or 700 -- most secure)

Usually people don't do umasks with a 6 because this can leave *only*
executable bits on some parts of the mode; this is not very useful.

-- Josh

>
> Thanks in advance.
>
> --
> Antoine Jacoutot
> ajacoutot@lphp.org
> http://www.lphp.org
> PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc
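
Added example, not part of the original message: a shell function that creates a new file and a new directory under each umask mentioned in the thread and prints the modes that actually result. The names mode_of and umask_effect are made up for this example, and it assumes GNU or BSD stat(1) is installed.

```shell
#!/bin/sh
# Observe what a umask does to newly created files and directories.
# All work happens in a throwaway directory from mktemp(1).

# Print the permission bits of a path in octal.
# Tries GNU stat syntax first, then falls back to BSD stat syntax.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# umask_effect MASK
# Prints "MASK FILEMODE DIRMODE" for a file and directory created
# while MASK is in effect. Runs in a subshell so the caller's own
# umask is left untouched.
umask_effect() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/file"     # the shell requests mode 666 for new files
        mkdir "$tmp/dir"    # mkdir requests mode 777 for new directories
        echo "$1 $(mode_of "$tmp/file") $(mode_of "$tmp/dir")"
        rm -rf "$tmp"
    )
}

# The umasks discussed in the thread, least to most restrictive.
for m in 000 022 027 066 077; do
    umask_effect "$m"
done
```

The second column is the mode of the new file and the third is the mode of the new directory; a directory that keeps only its execute bit for group or other can be traversed but not listed.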