0

Most VPS have a team of 1+ user(s) that don't do anything but configure the system and work on the web site and/or database. I would assume all the team members would be a group like "developers" so they could all work on files in the web root as needed.

With this in mind, would umask 007 be a much better setting than the default of 022? After all, there shouldn't be any "other/world" users since this machines primary purpose is to serve web pages. All the developers have access and there aren't any "guests" logging in...

Xeoncross
  • 4,449
  • 12
  • 43
  • 56

2 Answers2

1

Yes and no. umask is something that is sometimes good to change. Generally, it is best to "default deny," as in default to the least privileges with most things. You will likely find that if you change the default umask and are not particularly aware of permissions that you may encounter situations where the default permissions prevent things from working.

For example, a PERL module install via CPAN that doesn't set the permissions public readable as part of the install and then later a Web application is unable to read it.

Really, the main benefit of hardening permissions will be seen with a multi-user system. Nevertheless, it is important to be particularly aware of anything that's easily accessible within an Internet accessible daemon.

For hardening, it is often better to take a look at anything SUID or public writable. I find myself verifying permissions and tweaking them to least necessary privileges just as I go about my day. When I change umask it is often for a particular purpose such as with a particular set of users or when files are created programatically.

If you're looking for some "best practices" for your server and general hardening techniques, take a look at Bastille. If I recall correctly, there was something in there that changed the default umask.

Bastille

Warner
  • 23,756
  • 2
  • 59
  • 69
0

This isn't a direct answer, but "best practice" would be to not have multiple accounts working on the web root. Rather, use a version control system (any, doesn't matter for this purpose) and a deployment script to control the web root. This solves your permissions problem and is an absolute pre-requisite to any sort of workload (traffic) or workforce (more developers) scaling.

cagenut
  • 4,848
  • 2
  • 24
  • 29
  • Using git version control is actually how our team members work on the web root. Since one person can't always be there to manage the repository. However, I'm wondering what the "deployment script" you are talking about is. – Xeoncross Mar 25 '10 at 17:22