change default umask

Debian default umask.

umask 022
touch uuu

ls -la uuu
-rw-r--r-- 1 user user 0 Aug 17 09:22 uuu

Currently security.misc changes to 006.

umask 0006
touch abc

ls -la abc
-rw-rw---- 1 user user 0 Aug 17 09:23 abc

While we harden, while we remove others from reading files, we also relax permissions. We allow group members to write to files where they previously did not have write access. This looked ok due to UPG.

However, upon reflection, since we change this system wide, this may be a bad idea.

Some folders/files created by the system/packages are created with a different group. I.e. owner might be root but group might be shadow, pip or otherwise.

Examples:

ls -la /etc/cups/subscriptions.conf

-rw-r----- 1 root lp 93 Jul 19 09:40 /etc/cups/subscriptions.conf

sudo ls -la /etc/ssl/private/ssl-cert-snakeoil.key

-rw-r----- 1 root ssl-cert 1704 Mar 27 2018 /etc/ssl/private/ssl-cert-snakeoil.key

Therefore our hardening attempts might result in actually relaxing write access for group when the group is different than the owner. Debian packages might keep care of the required umask but there might also be bugs.

Similar bugs (which were about overly hardened rather than too relaxed permissions) were reported above (command-not-found).

Therefore I am planning on changing default umask yet again.

umask 027
touch test2
ls -al test2

-rw-r----- 1 user user 0 Aug 17 09:26 test2

Thereby we would harden permissions, i.e. others cannot read files, but we also don't relax any permissions (as previously allowing group write).
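The three umasks above compared side by side, plus a small audit for the group-mismatch case the post describes. This is an added example, not part of the original post or of security.misc; the `SAMPLE_STAT` lines are constructed sample input (the 660 on subscriptions.conf is hypothetical, chosen to show what a relaxed umask would look like), and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: file modes produced by umask 022 / 006 / 027, and a check for
# files whose group is not the owner but which are group-writable.

# Arithmetic form: a new regular file starts at 0666, the umask bits are cleared.
calc_mode() {
    printf '%o\n' $(( 0666 & ~(0$1) ))
}

# Empirical form: create a file under the given umask in a temp dir and read its mode back.
mode_for_umask() {
    um="$1"
    dir=$(mktemp -d)
    ( umask "$um" && : > "$dir/probe" )
    mode=$(stat -c '%a' "$dir/probe")
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# Reads "owner group octal-mode path" lines (what `stat -c '%U %G %a %n'` prints)
# and prints the paths where owner != group AND the group write bit is set.
flag_group_writable() {
    awk '{
        mode = $3
        g = substr(mode, length(mode) - 1, 1)   # group digit of the octal mode
        if ($1 != $2 && (int(g / 2) % 2) == 1) print $4
    }'
}

# Constructed sample input (not real system state): one mismatched group-writable
# file, one mismatched but read-only file, and one UPG-style file where owner == group.
SAMPLE_STAT='root lp 660 /etc/cups/subscriptions.conf
root ssl-cert 640 /etc/ssl/private/ssl-cert-snakeoil.key
user user 660 /home/user/abc'

for um in 022 006 027; do
    printf 'umask %s -> mode %s (measured %s)\n' "$um" "$(calc_mode "$um")" "$(mode_for_umask "$um")"
done

printf 'group-writable with owner != group:\n'
printf '%s\n' "$SAMPLE_STAT" | flag_group_writable

# On a real system the audit would be fed from find, e.g.:
#   sudo find /etc -type f -exec stat -c '%U %G %a %n' {} + | flag_group_writable
```

Only the first sample line is reported: the snakeoil key at 640 keeps group read-only, and the UPG file is skipped because owner and group coincide, which is exactly the case where umask 006 looked harmless.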
