Managing default UNIX permissions with adduser and umask
The most important point in securing file-level confidentiality on UNIX systems is to restrict file access permissions as far as possible without affecting the tasks the system must perform, while still letting users reach the files they legitimately need, in the way they need to.
In general, UNIX and Linux administrators should make sure that the owner of a file has full control over it and that no other user is granted access by default. Setting this up once reduces the problems met later when administering the system, without having to build more complicated machinery to assign default permissions to new files.
Configuring the default permissions of the home directory
First, the permissions of a user's home directory can be set when the user is created with the adduser command. On FreeBSD, for example, the initial mode of a new user's home directory is given with the -M option of adduser. To create a user account whose home directory has mode 750, run:
adduser -M 750
On Ubuntu Linux the same policy is set by editing the DIR_MODE line in /etc/adduser.conf, which then reads:
DIR_MODE=0750
/etc/adduser.conf configures the default home directory mode for accounts created through the administrative tools on FreeBSD as well as on Ubuntu Linux; on FreeBSD the -M option of adduser overrides the value from /etc/adduser.conf for that one invocation.
With a home directory mode of 750, every account without root privileges is kept out of the directory, for listing as well as reading, except the owner and the members of the owner's primary group. Group members can list and read, but because the group lacks write permission on the directory they cannot create, rename or remove entries inside it. (Whether the home directory itself can be removed depends on the permissions of its parent, usually /home, not on its own mode.) Once the home directory exists, the permissions of the files the account later creates still need to be set automatically, which is the job of the umask.
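To check that existing home directories actually match this policy, here is an added shell example (not code from the original article) that reports every direct subdirectory of a base such as /home whose mode is wider than 750. It assumes a GNU coreutils stat (with a fallback to the BSD stat syntax); the user names alice, bob and carol in its built-in self-test are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit the direct
# subdirectories of a home base such as /home against the 750 policy.
# Assumes GNU coreutils stat (-c); falls back to the BSD stat syntax.

# home_mode_ok MODE -> succeeds when an octal mode is no wider than 750:
# no group-write bit and no bits at all for "others" (i.e. mode & 027 == 0).
home_mode_ok() {
  local mode=${1#0}            # accept "0750" as well as "750"
  [ $(( 0$mode & 027 )) -eq 0 ]
}

# dir_mode PATH -> the permission bits of PATH in octal, e.g. 750.
dir_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_home_dirs BASE -> prints "MODE PATH" for every direct subdirectory
# of BASE that is wider than 750; prints nothing when all of them comply.
audit_home_dirs() {
  local d mode
  for d in "$1"/*/; do
    d=${d%/}
    [ -d "$d" ] || continue
    mode=$(dir_mode "$d")
    home_mode_ok "$mode" || printf '%s %s\n' "$mode" "$d"
  done
}

if [ $# -gt 0 ]; then
  audit_home_dirs "$1"          # e.g. bash audit_home.sh /home
else
  # No argument given: build a constructed sample tree so the script
  # demonstrates itself; alice complies, bob and carol do not.
  sample=$(mktemp -d)
  mkdir "$sample/alice" "$sample/bob" "$sample/carol"
  chmod 750 "$sample/alice"; chmod 755 "$sample/bob"; chmod 770 "$sample/carol"
  audit_home_dirs "$sample"
  rm -rf "$sample"
fi
```

Run it as `bash audit_home.sh /home` after changing DIR_MODE or the adduser -M value: accounts created before the change keep their old mode, and this is the quickest way to find them. The check deliberately treats any bit for "others" as a violation, not just write, since the policy is that outsiders should not even be able to list the directory.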
Configuring the default file creation mask
The file creation mask (FCM) automates a file-level security policy by trimming the permissions of every newly created file to a restricted default. On UNIX and Linux the mask is managed with umask (short for user mask). On POSIX-conforming systems every process carries a user mask that limits the mode of the files it creates: the mask lists the permission bits that are to be removed, not the ones that are granted. The umask shell builtin sets the mask of the shell itself, and every process the shell starts inherits it.
Because the mask is inherited, setting it once in the login shell's startup files makes it apply to every process the user starts from that shell. To apply one mask to every account on the system, put it in the system-wide startup file of the default shell. On most Linux distributions the default shell is bash, whose system-wide files are /etc/profile and /etc/bashrc (or /etc/bash.bashrc on Debian-based systems). On the BSDs the default shells come from the C-shell family, csh and tcsh, but the system-wide umask is not set in a shell file at all: it is set per login class in /etc/login.conf, and login(1) applies it before starting the user's shell, whatever that shell is.
On FreeBSD the relevant line of the default login class in this file reads:
:umask=022:
Since the mask names bits to block, read it as the permissions that are subtracted from the mode a file would otherwise get. A process with umask 022 that asks for a file with mode 775 ends up with 755: the 2 (write) bit for the group is masked off. Programs normally request 666 for regular files and 777 for directories, so under umask 022 regular files are created as 644 and directories as 755; the execute bit does not appear on regular files because they were never requested with it, not because the mask removed it.
A mask better suited to security is one that blocks everything more permissive than 750, configured in /etc/login.conf by changing the umask value to:
:umask=027:
After editing /etc/login.conf, rebuild the login class database with cap_mkdb /etc/login.conf so the change takes effect. On Ubuntu Linux the default umask line in /etc/profile is:
umask 022
To keep newly created files from exceeding 750, change this line to:
umask 027
(On current Debian-based releases the system-wide default is also held as UMASK in /etc/login.defs and applied through pam_umask; keep the two values consistent.) Users can still set a different mode on an individual file afterwards. If a user creates a file and then wants to give it mode 777, the chmod command does so:
chmod 777 [name_file]
The shell's default umask does not stop users from changing permissions later; it only sets the default mode a file receives at the moment it is created. Note also that umask is a per-process setting, so a user can run umask in their own shell to loosen or tighten it for whatever that shell creates.
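As an added example, not from the original article, the following shell script shows the arithmetic behind the umask (requested mode AND NOT mask) next to the modes the kernel actually assigns under umask 022 and 027, and confirms that a later chmod overrides the initial mode. It assumes GNU coreutils stat, with a fallback to the BSD syntax, and writes only into a temporary directory that it removes afterwards.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): show how a umask is
# applied, first arithmetically and then by really creating files.
# Assumes GNU coreutils stat (-c); falls back to the BSD stat syntax.

# node_mode PATH -> permission bits of PATH in octal, e.g. 640.
node_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# effective_mode REQUESTED UMASK -> the mode a file gets when a program
# requests REQUESTED (666 for files, 777 for directories) under UMASK:
# the mask names bits to clear, so the result is REQUESTED AND NOT UMASK.
effective_mode() {
  local req=${1#0} mask=${2#0}
  printf '%03o\n' $(( 0$req & ~0$mask ))
}

# created_modes UMASK -> "FILEMODE DIRMODE" as actually produced by the kernel
# for an empty regular file and a directory created under UMASK.
created_modes() {
  local tmp; tmp=$(mktemp -d)
  ( umask "$1"; : > "$tmp/f"; mkdir "$tmp/d" )   # subshell: caller's umask is untouched
  printf '%s %s\n' "$(node_mode "$tmp/f")" "$(node_mode "$tmp/d")"
  rm -rf "$tmp"
}

# chmod_after_umask UMASK MODE -> mode of a file created under UMASK and then
# chmod'ed to MODE; shows that the mask only shapes the initial mode.
chmod_after_umask() {
  local tmp; tmp=$(mktemp -d)
  ( umask "$1"; : > "$tmp/f" )
  chmod "$2" "$tmp/f"
  node_mode "$tmp/f"
  rm -rf "$tmp"
}

# Demonstration with the two masks discussed in the text.
for m in 022 027; do
  printf 'umask %s: 666 -> %s, 777 -> %s, 775 -> %s; created: %s\n' \
    "$m" "$(effective_mode 666 "$m")" "$(effective_mode 777 "$m")" \
    "$(effective_mode 775 "$m")" "$(created_modes "$m")"
done
printf 'umask 027 then chmod 777: %s\n' "$(chmod_after_umask 027 777)"
```

The mask is applied inside a subshell so the caller's own umask is never changed; that is also why a umask line in /etc/profile only affects processes started from that login and never files created earlier or by other users' sessions.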
Default permission policy
The default permission policy applied to a system depends on the needs of its users. As mentioned in the article Understanding basic file access permissions in UNIX, there is a simple but effective rule for tightening file-level access security:
The most important aspect of file-level security on UNIX systems is to restrict file access permissions as far as possible without affecting the tasks the system must perform, and without hindering access to files for those who legitimately need them.