Package: general
Severity: wishlist
Feature request:
Change Debian's default umask to a more secure value such as umask 0077.
Why?
Quote Securing Debian Manual [1]
> Debian's default umask setting is 022 this means that files (and
directories) can be read and accessed by the user's group and by any
other users in the system. This definition is set in the standard
configuration file /etc/profile which is used by all shells.
> If Debian's default value is too permissive for your system you will
have to change the umask setting for all the shells. More restrictive
umask settings include 027 (no access is allowed to new files for the
other group, i.e. to other users in the system) or 077 (no access is
allowed to new files to the members the user's group).
> Finally, you should consider changing root's default 022 umask (as
defined in /root/.bashrc) to a more strict umask. That will prevent the
system administrator from inadvertenly dropping sensitive files when
working as root to world-readable directories (such as /tmp) and having
them available for your average user.
Would that be reasonable change Debian's default umask to a more secure
value such as umask 0077 or do you expect any breakage, would that be
manageable?
Cheers,
Patrick
[1]
https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19
