Revise umask in /etc/init.d/functions to use 027

As part of our configuration standard, we restrict user accounts to a 027 umask (by way of /etc/profile.d). Daemons and boot-time processes that source /etc/init.d/functions, however, get a more permissive umask of 022.

NIST recommends setting the daemon umask to 027 (RHEL5: http://nvd.nist.gov/scap/content/stylesheet/scap-rhel5-document.htm).

I would like to see the more restrictive umask used by default.

Failing that, I would like to see a way (via /etc/sysconfig?) to allow the administrator to define the system umask without having to edit /etc/init.d/functions. That file (correctly) is not identified by RPM as a configuration file, so any local changes to that file will get clobbered the next time the initscripts package is updated.
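
As an added example, not part of the original post and not Red Hat's initscripts code: one way the requested override could work in POSIX shell. It assumes a hypothetical /etc/sysconfig/umask file holding a single `UMASK=027` line (both the file name and the format are assumptions). The value is read with sed rather than sourced, so a malformed or tampered file cannot execute anything as root at boot; anything that is not a plain octal mode falls back to the initscripts default of 022. A second function creates a probe file under a given umask and returns its mode, which makes the difference between 022 (group-readable, world-readable) and 027 (group-readable only) concrete.

```shell
#!/bin/sh
# Added example: resolving a daemon umask from a sysconfig-style override
# instead of hardcoding `umask 022` in /etc/init.d/functions.
# /etc/sysconfig/umask and the UMASK= key are hypothetical; adjust to taste.

# Override file location; can be pointed elsewhere for testing.
: "${SYSCONFIG_UMASK_FILE:=/etc/sysconfig/umask}"

# Print the umask a daemon should use: the UMASK value from the override file
# when it is a plain 3- or 4-digit octal mode, otherwise the default 022.
# The file is parsed, not sourced, so a bad or malicious line is ignored
# rather than executed by the boot-time shell running as root.
daemon_umask() {
    value=022
    if [ -r "$SYSCONFIG_UMASK_FILE" ]; then
        # Accept UMASK=027 or UMASK="027"; last assignment wins, as with sourcing.
        v=$(sed -n 's/^UMASK="\{0,1\}\([0-7]\{3,4\}\)"\{0,1\}$/\1/p' \
                "$SYSCONFIG_UMASK_FILE" | tail -n 1)
        if [ -n "$v" ]; then
            value=$v
        fi
    fi
    printf '%s\n' "$value"
}

# What a daemon startup path would call in place of the hardcoded `umask 022`.
apply_daemon_umask() {
    umask "$(daemon_umask)"
}

# Create a file under the given umask in a scratch directory and print the
# resulting permission bits (GNU stat, as on RHEL), e.g. 644 for 022, 640 for 027.
perms_under_umask() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/probe" )
    stat -c '%a' "$tmp/probe"
    rm -rf "$tmp"
}
```

Sourcing this from a script and calling `apply_daemon_umask` gives the behaviour the post asks for: with no override file present the umask stays at 022, with `UMASK=027` in the override file daemons create files as 640 instead of 644, and the administrator never has to touch /etc/init.d/functions.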

Responses

Thanks for the feedback, Scott.

I have found, to my cost, a way of ensuring the umask changes to /etc/init.d/functions stay in place.

We use Puppet to manage configuration, and as soon as the initscripts package is updated, the file bucket notices a change and overwrites it with our edited version. The downside is that it completely replaces the file, so we're currently left with a bit of a problem. Augeas wasn't around at the time to make single-line changes. It might not even be the right tool to change umask here.

+1 for any idea that doesn't involve editing /etc/init.d/functions, though.

P.S. This would be valuable for older versions of RHEL, not just 7.