The mode mask
To quote ArchWiki:
The umask utility is used to control the file-creation mode mask, which determines the initial value of file permission bits for newly created files.
The mode bits
The three octal numbers correspond to permissions for user, group, and other. By changing the third number from 2 to 7, the other permission is changed.
To understand these numbers, write them in binary form; each bit corresponds to one of read, write, and execute. In short, 2 corresponds to write; 7 corresponds to read, write and execute. Directories are kind of different: read means to get the list of items (files and directories) within a directory, while execute means to access those items provided their names are known.
How it's masking
To be exact, mode masks decide which permissions are masked, or removed from newly-created files by default. So a mask value of 2 means to make files not writable; 7 means to remove all permissions. Note that even if some permissions are not removed by the mode mask, they may be unavailable because of other restrictions. For instance, Linux does not allow files to be created with execution permissions, so they will never be executable by default.
A reasonable value
So to answer the first question: 022 means write permission is masked for other, so by default files can be read but not written to or modified by others. Though the execute permission is not masked, others won't be able to execute files because of the restrictions mentioned above; however, they may be able to access items within directories. Change it to 027, and read and execute are also masked. So newly-created files and directories are kept private from others; items within newly-created directories will always be inaccessible to others.
In many cases, there is only one human user. However, there are usually several system users used to run services, such as nobody. In some rare cases, for example when a program running as nobody gets compromised, restrictive permissions may prevent it from reading sensitive data.
However, in a multi-user environment, sharing a file becomes more involved: in addition to setting the permissions on the file, at least the execute permission needs to be set on all parent directories.
Setting the value
As for the second question, the mode mask needs to be set only once. If it's set multiple times, the last one matters. Most distributions set the default mode mask in /etc/profile, so I'd suggest editing this file.
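The effect of the two masks discussed above, as an added example that is not part of the original answer: a shell script that creates a file and a directory under umask 022 and 027 and reports the resulting permission strings next to the arithmetic that produces them. The function names `perm_string`, `modes_under_umask` and `apply_mask` are made up for this example, and it assumes `mktemp -d` is available.

```shell
#!/bin/sh
# Added example: observe what a given umask does to new files and directories.

# Print the permission string (e.g. -rw-r--r--) of a path using plain ls.
# cut drops any trailing ACL/SELinux marker that some systems append.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Create one file and one directory under the given mask and print their modes.
# The body is a subshell, so the caller's own umask is left untouched.
modes_under_umask() (
    mask=$1
    tmp=$(mktemp -d) || exit 1
    umask "$mask"
    : > "$tmp/file"     # a shell redirection requests mode 0666
    mkdir "$tmp/dir"    # mkdir requests mode 0777
    out="$(perm_string "$tmp/file") $(perm_string "$tmp/dir")"
    rm -rf "$tmp"
    printf '%s\n' "$out"
)

# Arithmetic form of the same thing: requested mode with the masked bits cleared.
# Arguments are octal literals, e.g. apply_mask 0666 0027
apply_mask() {
    printf '%03o\n' $(( $1 & ~$2 ))
}

for m in 022 027; do
    printf 'umask %s: file/dir = %s  (0666 -> %s, 0777 -> %s)\n' \
        "$m" "$(modes_under_umask "$m")" \
        "$(apply_mask 0666 "0$m")" "$(apply_mask 0777 "0$m")"
done
```

The file never gets an execute bit here because the creating program asked for 0666 in the first place; the mask can only clear bits from the requested mode, never add them.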