3

Are there any security concerns if the umask is set to 027 for root? (Basically, I want to know whether 027 is better for security than 022.)

As per my understanding, 027 is the better one from a security perspective, but I want to confirm this point.

Mathews Jose

1 Answer

2

027 is better from a security perspective.

Even better is to use 077 for root.

With a 027 mask, when root creates a file, it can be read and executed by users who belong to the group of the file.

With a 077 mask, only root can read, write and execute files.

Why is 077 better?

  • because by making files belonging to user readable by root only, it avoids some common system administrator mistakes.
  • because it's harder for an attacker to run privilege escalation on poorly written shell scripts/binaries if they can't even read them.
bgtvfr
  • Yes, 077 is more secure, but also more likely to break things (e.g. when access is allowed via groups like with nginx + php-fpm). So 027 is said to be best for security + usability. But 077 wasn't even asked for in the question. – archygriswald Jun 03 '23 at 07:55
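
To check what each mask discussed in this thread actually produces, the script below (an added example, not part of the original question or answer) creates a file and a directory under umask 022, 027 and 077 in a temporary directory and prints the resulting modes. The function names are made up for this illustration; it also shows that the mask applies only at creation time, so existing files keep their permissions.

```shell
#!/bin/sh
# Added example: modes that new files/dirs receive under each umask.
# Everything is created in a throwaway temp directory (constructed for the demo).

# Print the octal permission bits of a path (GNU stat, then BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# mode_under_umask <umask> <file|dir>
# Runs in a subshell, so the caller's own umask is left unchanged.
mode_under_umask() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    umask "$1"
    case "$2" in
        file) : > "$work/new" ;;     # shell redirection requests mode 0666
        dir)  mkdir "$work/new" ;;   # mkdir requests mode 0777
        *)    echo "usage: mode_under_umask UMASK file|dir" >&2; exit 2 ;;
    esac
    perm_of "$work/new"
)

# mode_after_umask_change <old> <new>
# A file created under <old> keeps its mode after the umask becomes <new>:
# tightening root's umask does not fix files that already exist.
mode_after_umask_change() (
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    umask "$1"; : > "$work/existing"
    umask "$2"
    perm_of "$work/existing"
)

report() {
    for m in 022 027 077; do
        printf 'umask %s: file=%s dir=%s\n' "$m" \
            "$(mode_under_umask "$m" file)" "$(mode_under_umask "$m" dir)"
    done
    printf 'created under 022, umask then set to 077: %s\n' \
        "$(mode_after_umask_change 022 077)"
}
report
```

Regular files come out without execute bits because programs normally request 0666 when creating them, while directories request 0777. Files that need to stay readable by a service group under a stricter mask have to be given that mode explicitly with chmod.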