ansible-hardening/doc/metadata/rhel7/RHEL-07-020230.rst
Major Hayden cd0fad3d88 Make umask change opt-in
Changing the default umask causes issues with OpenStack-Ansible
deployments in roles where directories are created without a mode
specified. It also may surprise some users on non-OpenStack systems
who expect the default umask to match the default from the OS.

This patch makes the change an opt-in change and it updates the
documentation to reflect that.

Related-bug: 1656003
Change-Id: I0931a34b1114e3a57e0eb5914124eed589ded541
2017-01-13 13:22:06 +00:00


---
id: RHEL-07-020230
status: opt-in - Ubuntu only
tag: auth
---

The STIG requires that the umask for all authenticated users is 077. This ensures that all new files and directories created by a user are accessible only by that user.

Although this change has a significant security benefit, it can cause problems for users who are not expecting the change. The security role will not adjust the umask by default.

Deployers can opt-in for the change by setting the default umask with an Ansible variable:

.. code-block:: yaml

    security_shadow_utils_umask: 077

.. note::

    Ubuntu uses ``pam_umask`` and it uses the default umask provided by the ``UMASK`` line in ``/etc/login.defs``. The default setting on Ubuntu systems is ``022``. This allows the user's group and other users on the system to read and execute files, but they cannot write to them.

    CentOS and Red Hat Enterprise Linux do not use ``pam_umask`` and instead set a default umask of ``0002`` for regular users and ``0022`` for root. This gives the regular user's group full access to newly created files, but other users cannot write to those files.

The tasks for this STIG requirement are not currently applied to CentOS and Red Hat Enterprise Linux systems. See Launchpad Bug #1656003 for more details.
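The following POSIX shell script is an added example and is not part of the ansible-hardening role or the commit above. It shows how the three umask values discussed here (``077`` required by the STIG, ``022`` on Ubuntu, ``0002`` for regular users on CentOS/RHEL) shape the permissions of newly created files and directories: the kernel starts from the mode a program requests (``0666`` for a regular file, ``0777`` for a directory) and clears every bit set in the umask. ``effective_mode`` does that arithmetic; ``created_mode`` cross-checks it by actually creating a file or directory under the given umask. It assumes a Linux host with GNU coreutils (``stat -c`` and ``mktemp -d``).

```shell
#!/bin/sh
# Added example (not part of the ansible-hardening role): how umask
# determines the mode of newly created files and directories.

# Compute the permission bits the kernel will assign.
#   $1 = mode requested by the program (octal, 0666 for files, 0777 for dirs)
#   $2 = umask (octal)
# Every bit set in the umask is cleared from the requested mode.
effective_mode() {
    printf '%04o\n' "$(( $1 & ~$2 ))"
}

# Create a file or directory under the given umask and report the mode the
# kernel actually assigned, as a cross-check on effective_mode.
#   $1 = umask (octal), $2 = "file" or "dir"
# Assumption: GNU coreutils stat/mktemp are available (Linux host).
created_mode() {
    tmp=$(mktemp -d)
    # Run in a subshell so the changed umask does not leak to the caller.
    (
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/probe"
        else
            : > "$tmp/probe"
        fi
    )
    # stat prints e.g. "600"; prefix "0" and reprint as zero-padded octal.
    mode=$(printf '%04o' "0$(stat -c '%a' "$tmp/probe")")
    rm -rf "$tmp"
    printf '%s\n' "$mode"
}

# Walk through the umask values mentioned on this page.
for u in 077 022 0002; do
    printf 'umask %s: file %s, dir %s (observed: file %s, dir %s)\n' \
        "$u" \
        "$(effective_mode 0666 "$u")" "$(effective_mode 0777 "$u")" \
        "$(created_mode "$u" file)" "$(created_mode "$u" dir)"
done
```

With ``umask 077`` a new file comes out as ``0600`` and a directory as ``0700``, so only the owner can touch them; with ``022`` the group and others keep read (and execute) access; with ``0002`` the group can also write, which is the behaviour the note above describes for CentOS and RHEL regular users.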