As part of CIS 5.4.2.6: Ensure root user umask is configured,
We have set umask 027 in both /root/.bash_profile and /root/.bashrc,
which ensures that:
- New files created by the root user will have default permissions
of 640
- New directories created by the root user will have permissions
of 750
According to the control, setting umask 027 in these files is a
secure practice and meets the guideline for ensuring that root
user files and directories aren’t excessively permissive.
Test Plan
PASS: build-pkgs -c -p base-files-config
PASS: build-image
PASS: bootstrap
PASS: CIS benchmark SCAN
PASS: Verify umask value for root user
- Log in as root or switch to root
- Check the umask value by running command `umask`
- The output/value should be: 0027
PASS: Verify permissions for a newly created file
- As the root user, create a new file:
`touch /root/testfile`
- The output should show -rw-r----- (640 permissions)
PASS: Verify permissions for a newly created directory
- As the root user, create a new directory:
`mkdir /root/testdir`
- The output should show drwxr-x--- (750 permissions)
PASS: Verify That umask persists across new sessions
Story: 2011295
Task: 51390
Change-Id: I4f50f0a8ea626ccefd1f8e958cb5032fdf362992
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
35 lines
1.1 KiB
Bash
#!/bin/bash
#
# Copyright (c) 2024 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#

# Check if running as root and configure umask for root
if [ "$(id -u)" -eq 0 ]; then
    # Ensure /root/.bashrc exists and contains an active (uncommented)
    # umask 027 setting; a commented-out "# umask 027" does not count.
    if [ ! -f /root/.bashrc ]; then
        echo "umask 027" > /root/.bashrc
        chmod 600 /root/.bashrc
    elif ! grep -Eq '^[[:space:]]*umask[[:space:]]+0?27([[:space:]]|$)' /root/.bashrc; then
        echo "umask 027" >> /root/.bashrc
    fi

    # Ensure /root/.bash_profile exists and contains the umask setting
    if [ ! -f /root/.bash_profile ]; then
        echo "umask 027" > /root/.bash_profile
        chmod 600 /root/.bash_profile
    elif ! grep -Eq '^[[:space:]]*umask[[:space:]]+0?27([[:space:]]|$)' /root/.bash_profile; then
        echo "umask 027" >> /root/.bash_profile
    fi

    # Set permissions for both files (read/write by root only); log to
    # syslog rather than aborting if chmod fails
    chmod 600 /root/.bashrc 2>/dev/null || {
        logger -p user.err "ERROR: Failed to set permissions to 600 for /root/.bashrc"
    }
    chmod 600 /root/.bash_profile 2>/dev/null || {
        logger -p user.err "ERROR: Failed to set permissions to 600 for /root/.bash_profile"
    }
fi
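The commit message states the 640/750 outcome of umask 027 and the test plan checks it by hand; the script above checks the rc files with a grep. The following is an added example, not part of the StarlingX change or its script: it computes the mode a given umask yields for new files and directories, and audits an rc file the way a CIS checker would, ignoring commented-out umask lines, honouring the last active one, and accepting any umask at least as strict as 027. The file path and the helper names are this example's own assumptions; it expects the numeric `umask NNN` form, not the symbolic `umask -S` form.

```shell
#!/bin/sh
# Added example: umask arithmetic and rc-file audit for CIS 5.4.2.6.

# creation_mode <umask> <base>: base is 666 for files, 777 for directories.
# The result is base & ~umask, printed as three octal digits (027,666 -> 640).
creation_mode() {
    printf '%03o\n' "$(( 0$2 & ~0$1 ))"
}

# effective_umask_in <file>: prints the last uncommented "umask NNN" value in
# the file (the last one wins when the file is sourced), returns 1 if none.
effective_umask_in() {
    val=$(sed -n 's/^[[:space:]]*umask[[:space:]][[:space:]]*\([0-7][0-7]*\).*$/\1/p' "$1" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# umask_is_restrictive <umask>: true if every bit cleared by 027 (group
# write, all of other) is also cleared by the candidate, so 077 passes too.
umask_is_restrictive() {
    [ "$(( 0$1 & 0027 ))" -eq "$(( 0027 ))" ]
}

# audit_rc_file <file>: PASS/FAIL in the style of the test plan above.
audit_rc_file() {
    if u=$(effective_umask_in "$1") && umask_is_restrictive "$u"; then
        echo "PASS: $1 sets umask $u (files $(creation_mode "$u" 666), dirs $(creation_mode "$u" 777))"
        return 0
    fi
    echo "FAIL: $1 does not set a umask of 027 or stricter"
    return 1
}

# Constructed sample: a commented-out 027, an active 022, then an active 027
# with a trailing comment. The audit must report 027, not 022.
sample=$(mktemp)
printf '# umask 027\numask 022\numask 027  # CIS 5.4.2.6\n' > "$sample"
audit_rc_file "$sample"
rm -f "$sample"
```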