This commit is contained in:
Patrick Schleizer 2024-12-31 06:14:29 -05:00
parent 397b476a82
commit 0640964c35
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48

@ -584,28 +584,30 @@ See:
#### umask #### umask
Default `umask` is set to `027` for files created by non-root users such as The default `umask` is set to `027` for files created by non-root users, such
user `user`. as the account `user`.
This is done using the PAM module `pam_mkhomedir.so umask=027`. This is done using the PAM module `pam_mkhomedir.so umask=027`.
This means files created by non-root users cannot be read by other non-root This configuration ensures that files created by non-root users cannot be read
users by default. While Permission Lockdown already protects the `/home` folder, by other non-root users by default. While Permission Lockdown already protects
this protects other folders such as `/tmp`. the `/home` folder, this setting extends protection to other folders such as
`/tmp`.
`group` read permissions are not removed. This is unnecessary due to Debian's `group` read permissions are not removed. This is unnecessary due to Debian's
use of User Private Groups (UPGs). See also: use of User Private Groups (UPGs). See also:
https://wiki.debian.org/UserPrivateGroups https://wiki.debian.org/UserPrivateGroups
Default `umask` is unchanged for root because then configuration files created The default `umask` is unchanged for root because configuration files created
in `/etc` by the system administrator would be unreadable by "others" and break in `/etc` by the system administrator would otherwise be unreadable by
applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The "others," potentially breaking applications. Examples include `/etc/firefox-esr`
`umask` is also set to 022 via `sudoers` configuration, so that files created and `/etc/thunderbird`. Additionally, the `umask` is set to `022` via `sudoers`
as root are world-readable even when using commands such as `sudo vi configuration, ensuring that files created as root are world-readable, even
/etc/file` or `sudo -i; touch /etc/file`. when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`.
`umask` is set to 022 rather than 027 when using `sudo`, so that commands such When using `sudo`, the `umask` is set to `022` rather than `027` to ensure
as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file` compatibility with commands such as `sudo vi /etc/configfile` and
`sudo -i; touch /etc/file`.
See: See:
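Review bot: the rewritten wording keeps two paragraphs that make the same point about `sudo`; the sentence "Additionally, the `umask` is set to `022` via `sudoers` configuration, ensuring that files created as root are world-readable, even when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`." is immediately followed by "When using `sudo`, the `umask` is set to `022` rather than `027` to ensure compatibility with commands such as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file`.", which restates it with near-identical examples. Since this commit is a copy-editing pass, fold the second paragraph into the first and keep one example pair, so a reader does not assume two separate mechanisms are being described. Minor: the two paragraphs also use `/etc/file` and `/etc/configfile` for the same example; pick one. The surrounding rewording itself reads well, and wrapping the bare `022` in backticks to match `027` is a good consistency fix.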