Re: [PATCH] ssh: don't make the umask more permissive than the user has set

On Tue, 4 Oct 2022, Alex Henrie wrote:

> Daniel Kahn Gillmor suggested this exact change on the openssh-unix-dev
> mailing list in 2008, but I couldn't find any reply. [1]
> 
> Ignoring the current umask makes it hard to fulfill the Defense
> Information Systems Agency's Security Technical Implementation Guide. In
> particular, it requires:
> 
> "The Red Hat Enterprise Linux operating system must be configured so
> that all files and directories contained in local interactive user home
> directories have a mode of 0750 or less permissive." [2]
> 
> "The Red Hat Enterprise Linux operating system must set the umask value
> to 077 for all local interactive user accounts." [3]

Thanks - applied with a slight tweak:

-       umask(022);
+       umask(022 | umask(077));
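Review bot: the `+` line `umask(022 | umask(077));` is correct but reads as a puzzle without a comment; a one-line note that the inner call is only there to fetch the user's current mask (umask() returns the previous value) and is immediately overwritten by the outer call, so the process ends up with `user_mask | 022`, never more permissive than either, would spare the next reader working it out. Since umask is process-wide, the transient 077 between the two calls is harmless here in single-threaded client code but is worth keeping in mind if the idiom is ever copied somewhere other threads create files.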

which better matches what we do in sshd.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev