From cd0fad3d88976815ad4bd9e6adb1a894c9afb3a7 Mon Sep 17 00:00:00 2001 From: Major Hayden Date: Thu, 12 Jan 2017 09:44:33 -0600 Subject: [PATCH] Make umask change opt-in Changing the default umask causes issues with OpenStack-Ansible deployments in roles where directories are created without a mode specified. It also may surprise some users on non-OpenStack systems who expect the default umask to match the default from the OS. This patch makes the change an opt-in change and it updates the documentation to reflect that. Related-bug: 1656003 Change-Id: I0931a34b1114e3a57e0eb5914124eed589ded541 --- defaults/main.yml | 2 +- doc/metadata/rhel7/RHEL-07-020230.rst | 34 ++++++++++++++++++++++----- 2 files changed, 29 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index bf8917d3..60a696b2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -492,7 +492,7 @@ security_pam_offline_credentials_expiration_days: 1 # RHEL-07-010401 / # Set a delay (in seconds) between failed login attempts. security_shadow_utils_fail_delay: 4 # RHEL-07-010420 # Set a umask for all authenticated users. -security_shadow_utils_umask: 077 # RHEL-07-020230 +# security_shadow_utils_umask: '077' # RHEL-07-020230 # Create home directories for new users by default. security_shadow_utils_create_home: yes # RHEL-07-020630 # How many old user password to remember to prevent password re-use. diff --git a/doc/metadata/rhel7/RHEL-07-020230.rst b/doc/metadata/rhel7/RHEL-07-020230.rst index 27ebe66f..c5b7aaf7 100644 --- a/doc/metadata/rhel7/RHEL-07-020230.rst +++ b/doc/metadata/rhel7/RHEL-07-020230.rst 
@@ -1,16 +1,38 @@ --- id: RHEL-07-020230 -status: implemented +status: opt-in - Ubuntu only tag: auth --- -The umask for authenticated users is set to ``077`` by the tasks in the -security role. This is the default for Ubuntu, CentOS, and Red Hat Enterprise -Linux already. +The STIG requires that the umask for all authenticated users is ``077``. This +ensures that all new files and directories created by a user are accessible +only by that user. -Deployers can choose a different umask value by setting the following Ansible -variable: +Although this change has a significant security benefit, it can cause problems +for users who are not expecting the change. The security role will not adjust +the umask by default. + +Deployers can opt-in for the change by setting the default umask with an +Ansible variable: .. code-block:: yaml security_shadow_utils_umask: 077 + +.. note:: + + Ubuntu uses ``pam_umask`` and it uses the default umask provided by the + ``UMASK`` line in ``/etc/login.defs``. The default setting on Ubuntu + systems is ``022``. This allows the user's group and other users on the + system to read and execute files, but they cannot write to them. + + CentOS and Red Hat Enterprise Linux do not use ``pam_umask`` and instead + set a default umask of ``0002`` for regular users and ``0022`` for root. + This gives the regular user's group full access to newly created files, but + other users cannot write to those files. + + The tasks for this STIG requirement are not currently applied to CentOS and + Red Hat Enterprise Linux systems. See `Launchpad Bug #1656003`_ for more + details. + +.. _Launchpad Bug #1656003: https://bugs.launchpad.net/openstack-ansible/+bug/1656003
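Review bot: commenting out the only definition of `security_shadow_utils_umask` in `defaults/main.yml` leaves the variable undefined, and this diff touches no tasks (stat shows two files changed: defaults and docs), so confirm the task that templates the umask into `/etc/login.defs` is guarded with `when: security_shadow_utils_umask is defined` (or equivalent); otherwise a default run fails on an undefined variable. The added quoting is correct and worth keeping: YAML 1.1 parsers such as PyYAML read an unquoted `077` as the octal integer 63, so `'077'` is what preserves the literal digits that `UMASK` in login.defs expects.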
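Review bot: the YAML example in the docs hunk, `security_shadow_utils_umask: 077`, is inconsistent with the quoted `'077'` introduced in `defaults/main.yml`; change it to `security_shadow_utils_umask: '077'`, since deployers copying the unquoted form get octal 63 from the YAML parser and end up with `UMASK 63` rather than `UMASK 077`. Minor style point in the same hunk: "Deployers can opt-in for the change" uses the noun form as a verb; "opt in to the change" reads correctly.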