Revise umask in /etc/init.d/functions to use 027

As part of our configuration standard, we restrict user accounts to a 027 umask (by way of /etc/profile.d). Daemons and boot-time processes that source /etc/init.d/functions, however, get a more permissive umask of 022.

NIST recommends setting the daemon umask to 027 (RHEL5: http://nvd.nist.gov/scap/content/stylesheet/scap-rhel5-document.htm).

I would like to see the more restrictive umask used by default.

Failing that, I would like to see a way (via /etc/sysconfig?) to allow the administrator to define the system umask without having to edit /etc/init.d/functions. That file (correctly) is not identified by RPM as a configuration file, so any local changes to that file will get clobbered the next time the initscripts package is updated.
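As an added illustration of the /etc/sysconfig override the post asks for (example code, not from the thread, the initscripts package, or Red Hat; the file name /etc/sysconfig/daemon-umask and the variable DAEMON_UMASK are assumed names), the following POSIX sh keeps 027 as the default, lets an administrator override it from a sysconfig file without touching /etc/init.d/functions, and shows the file mode each umask actually produces:

```shell
# Assumed override file; initscripts does not define this name.
DAEMON_UMASK_CONF="${DAEMON_UMASK_CONF:-/etc/sysconfig/daemon-umask}"

# Print the umask daemons should use: DAEMON_UMASK from the override
# file if that file exists and holds a valid three-digit octal mode,
# otherwise the restrictive 027 default recommended for daemons.
daemon_umask() {
    mask=027
    DAEMON_UMASK=
    if [ -r "$DAEMON_UMASK_CONF" ]; then
        # The file is root-owned sysconfig shell, sourced like any
        # other /etc/sysconfig/* fragment.
        . "$DAEMON_UMASK_CONF"
        case "$DAEMON_UMASK" in
            [0-7][0-7][0-7]) mask=$DAEMON_UMASK ;;
            *) ;;   # invalid or empty value: keep the safe default
        esac
    fi
    printf '%s\n' "$mask"
}

# Print the octal mode a newly created file receives under umask $1,
# by creating one in a scratch directory (handy for auditing the
# effective policy, e.g. 022 -> 644, 027 -> 640).
mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/f" ) || { rm -rf "$tmp"; return 1; }
    stat -c '%a' "$tmp/f" 2>/dev/null || stat -f '%Lp' "$tmp/f"
    rm -rf "$tmp"
}

# This is the one line /etc/init.d/functions would carry instead of a
# hard-coded "umask 022".
umask "$(daemon_umask)"
```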

Responses

Thanks for the feedback, Scott.

I have found, to my cost, a way of ensuring the umask changes to /etc/init.d/functions stay in place.

We use Puppet to manage configuration, and as soon as the initscripts package is updated, the file bucket notices a change and overwrites with our edited version. The downside is that it completely replaces the file, so we're currently left with a bit of a problem. Augeas wasn't around at the time to make single-line changes. It might not even be the right tool to change umask here.

+1 for any idea that doesn't involve editing /etc/init.d/functions though.

P.S. This would be valuable for older versions of RHEL, not just 7.
