Global setting for umask on HP true 64 and HP-UX

 
Willio Jean Paul
New Member

Is there a way to globally set the umask value for the above systems? I am under the impression that the umask value for the above systems has to be set by each individual user. Can someone please clarify or confirm?

Thanks.
IT_2007
Honored Contributor

Re: Global setting for umask on HP true 64 and HP-UX

You need to set it in /etc/profile.
Peter Godron
Honored Contributor

Re: Global setting for umask on HP true 64 and HP-UX

Hi,
Please also remember the little things about umask.
1. The mask is flipped: umask 777 means no read/write/execute to anybody!
2. umask of 000 does NOT grant execute automatically.

See man umask
A. Clay Stephenson
Acclaimed Contributor

Re: Global setting for umask on HP true 64 and HP-UX

Setting umask in /etc/profile is the typical approach but that does not take care of everything. For example, processes spawned by rc do not source /etc/profile so an explicit umask setting should be added to /etc/rc.config. Other utilities like the ftp daemon (ftpd) should have arguments which should be added to /etc/inetd.conf.

You should also note that the last umask wins so that setting a umask in /etc/profiles does not guarantee that the user does not change the value in his .profile or in a script. A process can set umask (for that process) multiple times as well.
If it ain't broke, I can fix that.
Willio Jean Paul
New Member

Re: Global setting for umask on HP true 64 and HP-UX

Hello Clay,

Thanks for the info. You mentioned that "setting a umask in /etc/profiles does not guarantee that the user does not change the value in his .profile". Does that mean ".profile" overwrites the value set in the 'etc/profiles'? Also, is there a way to globally set umask on HP Tru-64 and HP-UX similar to Solaris in the '/etc/default/login'?

Thanks,

Willio
A. Clay Stephenson
Acclaimed Contributor

Re: Global setting for umask on HP true 64 and HP-UX

Essentially you need to bear in mind that the very last umask wins --- every time. This means that the initial umask (which might be set in /etc/profile) can be overridden by a given user's umask setting in his .profile which, in turn, might be changed yet again within a script or program. Moreover, the user could simply issue a umask 000 from within the shell. In short, there is no way to enforce a system-wide umask which cannot be overridden by a user (or process). In the case of umask being set within a script or process, that umask setting only affects the current process and any child processes.
If it ain't broke, I can fix that.
Willio Jean Paul
New Member

Re: Global setting for umask on HP true 64 and HP-UX

Thanks Clay. Great info! Do you, by any chance, have anything that you can send me as reference to support the statement "there is no way to enforce system wide umask"? I know they will ask me to verify the source of where this info originated.
A. Clay Stephenson
Acclaimed Contributor

Re: Global setting for umask on HP true 64 and HP-UX

You aren't going to find anything like that. The umask system call dates from the earliest days of UNIX and applies to all flavors of UNIX. Man 2 umask will completely describe the system call upon which the shell builtin is based. Simply print the man 2 umask page, add a "Q. E. D." to the end and hand it to your auditors.
If it ain't broke, I can fix that.
Bill Hassell
Honored Contributor

Re: Global setting for umask on HP true 64 and HP-UX

> "there is no way to enforce system wide umask"

You are looking for security in all the wrong places. umask is a command in every flavor of Unix. It is a built-in command inside the shell so every user that has shell access can change umask. And they can change it over and over -- it is just a simple shell command.

But umask does *NOT* control the permissions of a file or directory. It only sets the initial value of permission bits when the file is created. The chmod command can change the initial permissions without limit. This assumes that the user is the owner of the file/directory. So regardless of umask, the permissions can be set to anything by the owner of the file.

What you are really asking is perhaps something like: how do I control user behavior? This is called social engineering and the answer is either education or restriction. The restriction answer is: do NOT allow problem users to get a shell prompt. Instead, write a program or shell script that only allows a few selected commands and any attempt to break out will log out the user.


Bill Hassell, sysadmin
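
Added example, not part of any post in this thread: a POSIX sh script that reproduces the behaviours described above (umask 000 gives files no execute bit, the last umask wins, a child's umask never reaches its parent, and chmod overrides the initial bits). The scratch directory `DEMO_DIR` and all function names are constructed for this demo.

```shell
#!/bin/sh
# Added demo of umask semantics. DEMO_DIR and all function names are constructed.
DEMO_DIR="${TMPDIR:-/tmp}/umaskdemo.$$"
(umask 077; mkdir "$DEMO_DIR")
trap 'rm -rf "$DEMO_DIR"' EXIT

# Print the type/permission string of a path, e.g. -rw-r--r--
perm_of() { ls -ld "$1" | cut -c1-10; }

# Create a file or directory under MASK and print the resulting permissions.
# The subshell keeps the caller's own umask untouched.
created_perm() {    # usage: created_perm MASK file|dir
    (
        umask "$1"
        p="$DEMO_DIR/obj"
        if [ "$2" = dir ]; then mkdir "$p"; else : > "$p"; fi
        perm_of "$p"
        chmod 700 "$p" && rm -rf "$p"
    )
}

# Two umask calls in one process: only the last one applies at creation time.
last_wins() {
    ( umask 077; umask 022; f="$DEMO_DIR/lw"; rm -f "$f"; : > "$f"; perm_of "$f" )
}

# Parent sets 027. One child inherits it, one child overrides it for itself,
# and the parent's own mask is unchanged afterwards.
child_scope() {
    (
        umask 027
        i="$DEMO_DIR/inherited"; o="$DEMO_DIR/overridden"; p="$DEMO_DIR/parent"
        rm -f "$i" "$o" "$p"
        sh -c ': > "$1"' sh "$i"
        sh -c 'umask 000; : > "$1"' sh "$o"
        : > "$p"
        echo "$(perm_of "$i") $(perm_of "$o") $(perm_of "$p")"
    )
}

# umask only shapes the initial bits; the owner can chmod afterwards.
chmod_after() {
    ( umask 077; f="$DEMO_DIR/ch"; rm -f "$f"; : > "$f"; chmod 666 "$f"; perm_of "$f" )
}

echo "umask 000 file: $(created_perm 000 file)  dir: $(created_perm 000 dir)"
echo "umask 777 file: $(created_perm 777 file)"
echo "last wins:      $(last_wins)"
echo "child scope:    $(child_scope)"
echo "chmod after:    $(chmod_after)"
```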