Default Access Permissions


When a user creates a file or directory, a permission mask, known as the umask setting, controls the final permissions assigned. The umask is a built-in shell function that removes ("masks out") certain permission bits set by a program. A file or directory ends up with its permission bits as follows: When a file is newly created, the kernel assigns it a permission mode of 666 (rw-rw-rw-), and a directory gets 777 (rwxrwxrwx). But before the permissions are actually set, the umask value is applied. The umask value is specified the same way as chmod: first, the user mask; then, the group mask; finally, all others (the special mode mask is skipped for now). So, if the umask value is 022, the final file permission setting is 644 (rw-r--r--). It is often stated that this is as a result of subtracting the umask value from the default permission setting. While the final result in this example reflects such an assertionand makes it easier to remember the processthe actual mechanics do not work exactly like this. (For example, what if the umask is 027?)

What actually happens is that the requested permission setting (666 in the example) is logically ANDed with the one's complement (that is, it is bit-flipped) of the umask value. Shown in Table 6.5 is the "truth table" for logical AND operations; for example, 0 && 0 results in 0, 1 && 1 results in 1, and so on.

Table 6.5. Logical AND truth Table

&&

0

1

0

0

0

1

0

1


When you're working with logical AND operations, it is easier to work in binary mode. Table 6.6 illustrates how the default permission value of 666 is "masked" by the umask setting of 022.

Table 6.6. Logical AND of One's Complement of umask Values with Default Permissions
 

U

G

O

umask setting of 022

000

010

010

One's complement of the umask value

111

101

101

Default permission of 666

110

110

110

Applying logical AND

---

---

---

Result

110

100

100

Decimal value

6

4

4


As mentioned earlier, what if your umask is 027? The subtraction concept isn't applicable now, is it? The "proper mechanics" discussed here show that the resulting permission setting is 640, as illustrated in Table 6.7.

Table 6.7. File Permission Setting Using a umask of 027
 

U

G

O

umask setting of 027

000

010

111

One's complement of the umask value

111

101

000

Default permission of 666

110

110

110

Applying logical AND

---

---

---

Result

110

100

000

Decimal value

6

4

0


SLES sets the default umask value (022) in /etc/profile. Therefore, when a user starts a shell (such as by logging on to the server), this value is automatically set. Furthermore, a new child process gets the umask value (and other shell information) from its parent process. However, after the process is spawned, it is free to change its shell environment, such as the umask settingand these changes are not propagated back to its parent or other existing child processes. If you want to change your umask, you can include the command umask mask_value in your home directory's .profile or one of the configuration files used by the shell (such as .bashrc) so that it takes effect whenever you log in or start a new shell.

Keep in mind that with a umask of 022, system applications (such as vi and mkdir) will create files with 644 (rw-r--r--) permissions and directories with 755 (rwx-r-xr-x). The world could read (thus copy) the newly created files and directories. This may not be a good idea if you also have guest users from outside your company accessing your server. A better default umask setting is 027. Such a umask would eliminate all world access to any newly created files and directories. You can later selectively make some available to the world using chmod.

CAUTION

Any user or process may set the umask for its shell. So, even if you put in the more restrictive umask 027 in /etc/profile, any user can easily override it with a less restrictive setting. Because umask is a built-in shell function, you cannot easily restrict it from general use; you need to create a custom shell by compiling the modified source code to do that. It is best to educate your users that the more restrictive setting is in everybody's best interest and should not be changed.


SLES includes a number of tools to help you maintain system file and directory permission integrity. For instance, the seccheck (SUSE Security Checker) package can report on executables that are group- and/or world-writable. YaST includes a Local Security Configuration module (Control Center, Security and Users, Security Settings; or yast security from a terminal session) that configures the level of file permissions as Easy, Secure, or Paranoid. And you can use SuSEconfig to set or reset file permissions accordinglyusing specifications according to /etc/permissions.*.



    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    SUSE LINUX Enterprise Server 9 Administrators Handbook
    ISBN: 067232735X
    EAN: 2147483647
    Year: 2003
    Pages: 134

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net