diff --git a/debian/control b/debian/control
index 44d4c99..3add1d0 100644
--- a/debian/control
+++ b/debian/control
@@ -146,7 +146,7 @@ Description: enhances misc security settings
 .
 access rights restrictions:
 .
- * The default umask is changed to 006. This allows only the owner and group
+ * The default umask is changed to 027. This allows only the owner and group
 to read and write to newly created files.
 /etc/login.defs.security-misc
 /usr/share/pam-configs/usergroups-security-misc
@@ -157,8 +157,8 @@ Description: enhances misc security settings
 https://wiki.debian.org/UserPrivateGroups
 /usr/share/pam-configs/usergroups-security-misc
 .
- * Create home directory on login with umask 006 using
- pam_mkhomedir.so umask=006
+ * Create home directory on login with umask 027 using
+ pam_mkhomedir.so umask=027
 /usr/share/pam-configs/mkhomedir-security-misc
 .
 * Removes read, write and execute access for others for all users who have
diff --git a/etc/login.defs.security-misc b/etc/login.defs.security-misc
index 8a95443..ae4c173 100644
--- a/etc/login.defs.security-misc
+++ b/etc/login.defs.security-misc
@@ -44,7 +44,7 @@ FAILLOG_ENAB yes
 #
 # Enable display of unknown usernames when login failures are recorded.
 #
-# WARNING: Unknown usernames may become world readable.
+# WARNING: Unknown usernames may become world readable.
 # See #290803 and #298773 for details about how this could become a security
 # concern
 LOG_UNKFAIL_ENAB no
@@ -117,7 +117,7 @@ ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
 # However, the default and recommended value for TTYPERM is still 0600
 # to not allow anyone to write to anyone else console or terminal
-# Users can still allow other people to write them by issuing
+# Users can still allow other people to write them by issuing
 # the "mesg y" command.
 TTYGROUP tty
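Review bot: The sentence kept on the new side of the first hunk, `This allows only the owner and group to read and write to newly created files`, no longer describes 027: a 027 umask yields 0640 files and 0750 directories, so the group can read (and traverse) but cannot write. I would rewrite the bullet as `* The default umask is changed to 027: new files are 0640 and directories 0750, readable by the owner's group, writable only by the owner, and not accessible to others.` If group write for private-group users is still intended, that comes from the usergroups option of pam_umask, not from 027 itself, and the description should say so rather than attribute it to the umask value.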
@@ -131,7 +131,7 @@ TTYPERM 0600
 # UMASK Default "umask" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
-#
+#
 # UMASK is the default umask value for pam_umask and is used by
 # useradd and newusers to set the mode of the new home directories.
 # 022 is the "historical" value in Debian for UMASK
@@ -148,7 +148,7 @@ TTYPERM 0600
 #
 ERASECHAR 0177
 KILLCHAR 025
-UMASK 006
+UMASK 027
 #
 # Password aging controls:
@@ -197,7 +197,7 @@ LOGIN_TIMEOUT 60
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone). If not defined, no changes are allowed.
 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-#
+#
 CHFN_RESTRICT rwh
 #
diff --git a/etc/sudoers.d/umask-security-misc b/etc/sudoers.d/umask-security-misc
index f06188d..76ae15a 100644
--- a/etc/sudoers.d/umask-security-misc
+++ b/etc/sudoers.d/umask-security-misc
@@ -1,5 +1,5 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-Defaults umask = 006
+Defaults umask = 027
 Defaults umask_override
diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc
index 7e87e21..326013c 100644
--- a/usr/share/pam-configs/mkhomedir-security-misc
+++ b/usr/share/pam-configs/mkhomedir-security-misc
@@ -4,4 +4,4 @@ Priority: 100
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session:
- optional pam_mkhomedir.so umask=006
+ optional pam_mkhomedir.so umask=027
diff --git a/usr/share/pam-configs/usergroups-security-misc b/usr/share/pam-configs/usergroups-security-misc
index a613a24..993e999 100644
--- a/usr/share/pam-configs/usergroups-security-misc
+++ b/usr/share/pam-configs/usergroups-security-misc
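Review bot: `UMASK 027` in the -148 hunk is one of four copies of the same value in this commit (login.defs, sudoers, and the two pam-configs), and the comment kept in the -131 hunk says this copy is what useradd and newusers use for the mode of new home directories, so useradd-created homes become 0750 while pam_mkhomedir-created homes are governed by the separate `umask=027`. A pointer comment above the value would keep the copies from drifting: `# Keep in sync with etc/sudoers.d/umask-security-misc and usr/share/pam-configs/*-security-misc`. Newer shadow releases also honour a HOME_MODE setting that takes precedence over UMASK for useradd; if this file sets it elsewhere, that is what decides the home directory mode, not this line.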
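Review bot: `Defaults umask_override`, kept as context below the changed sudoers line, makes 027 the exact umask for every sudo command; without it sudo ORs the invoking user's umask with this value so the result is never more permissive than either. A user who runs `umask 077` in their shell therefore gets group-readable files from anything run under sudo, which is looser than their own session. If 027 is meant as a floor rather than an exact value, drop umask_override; otherwise a comment recording the intent, `## umask_override: apply exactly 027 under sudo even when the caller's umask is stricter`, would stop the next reader from treating it as an accident.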
@@ -1,6 +1,6 @@
-Name: change default umask to 006 (by package security-misc)
+Name: change default umask to 027 (by package security-misc)
 Default: yes
 Priority: 256
 Session-Type: Additional
 Session:
- optional pam_umask.so usergroups umask=006
+ optional pam_umask.so usergroups umask=027
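Review bot: The `usergroups` option on the changed Session line changes what 027 means for most users: per pam_umask(8), when the user's primary group has the same name as the user the group bits of the umask are set equal to the owner bits, so 027 becomes 007 (0660 files, 0770 directories) for private-group users, and only users whose primary group is shared get 027 as written. That is the opposite of what a reader infers from the Name line `change default umask to 027`, and it differs from the sudoers and pam_mkhomedir paths in this commit, which apply 027 unchanged. If group-read-only is the goal, drop `usergroups`; if group write for private-group users is intended, the pam-config format has no comment field, so the effective values belong in the debian/control description.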