Umask 077

Signed-off-by: tommytran732 <contact@tommytran.io>
tommytran732 2022-08-17 05:49:41 -04:00 committed by Tommy
parent 6ea19aad14
commit 5e739c36c3


@ -152,6 +152,13 @@ Another option is [Kata containers](https://katacontainers.io/), where virtual m
![opensuse-computer.jpg](/images/opensuse-computer.jpg)
### Umask 077
If you are not using openSUSE, consider changing the default [umask](https://en.wikipedia.org/wiki/Umask) for both regular user accounts and root to 077. Changing umask to 077 can break snapper on openSUSE and is **not** recommended.
The configuration for this varies per distribution, but typically it can be set in `/etc/profile`, `/etc/bashrc`, or `/etc/login.defs`.
Note that unlike on macOS, this will only change the umask for the shell. Files created by running applications will not have their permissions set to 700.
### Firewalls
A [firewall](https://en.wikipedia.org/wiki/Firewall_(computing)) may be used to secure connections to your system.
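Review bot: the last added line of this hunk, "Files created by running applications will not have their permissions set to 700", is inaccurate about the mode: with umask 077 a regular file is created 600 (666 & ~077) and only directories get 700, so it should read "600/700" or, more simply, "will not be restricted to the owner". The preceding phrase "this will only change the umask for the shell" is also too narrow: a umask set in `/etc/profile` or `/etc/bashrc` is inherited by every process started from that shell, so what does not pick it up is anything launched outside a login shell (for example programs started by the desktop session). Suggested wording: "Note that this only affects the shell and processes started from it; applications launched by the desktop session will still create files with the default umask."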
@ -238,10 +245,6 @@ The [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) f
If you are using Whonix, Kicksecure or the AUR package, consider setting up `LD_PRELOAD` as described in the [Kicksecure Documentation](https://www.kicksecure.com/wiki/Hardened_Malloc) or [Arch Wiki](https://wiki.archlinux.org/title/Security#Hardened_malloc).
### Strict UMASK
If you are not using openSUSE, consider changing the default [umask](https://en.wikipedia.org/wiki/Umask) for both regular user accounts and root to 077. Changing umask to 077 can break snapper on openSUSE and is **not** recommended.
### Mountpoint Hardening
Consider adding the [following options](https://man7.org/linux/man-pages/man8/mount.8.html) `nodev`, `noexec`, and `nosuid` to mountpoints which do not need them. Typically, these could be applied to `/boot`, `/boot/efi`, and `/var`.
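Review bot: this hunk removes the `### Strict UMASK` section whose text reappears verbatim under `### Umask 077` in the first hunk, so the change is a move plus expansion rather than a deletion; since the rendered heading anchor changes from `#strict-umask` to `#umask-077`, any in-site links or table-of-contents entries that point at the old anchor should be updated in the same commit. The commit message would also be clearer if it said the section was moved and expanded instead of only naming it.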