
Thread: How does one set umask to 077 including for GUI apps?

  1. #11
    Join Date
    May 2024
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    My top 5 infosec tips:
    * Full disk encryption with LUKS
    * Password manager (keepassxc is fantastic)
    * Multi-factor authentication, preferably hardware-based, but at least through an app
    * uBlock Origin in the browser and probably block third party cookies while you're at it
    * Lock your credit and get your free report annually (for USPERS)

    Doing these should keep you out of most trouble online and in general.

  2. #12
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,288
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Quote Originally Posted by currentshaft
    My top 5 infosec tips:
    Nice ones.

    • Full disk encryption with LUKS — Done
    • Password manager (keepassxc is fantastic) — Done
    • Multi-factor authentication, preferably hardware-based, but at least through an app — Done
    • uBlock Origin in the browser and probably block third party cookies while you're at it — I use AdBlock Plus. I don't care about third-party cookies; but Chrome is set to disable them by default anyway.
    • Lock your credit and get your free report annually (for USPERS) — That sounds like an American thing? I get automatic emails when my credit score changes significantly.
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  3. #13
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: How does one set umask to 077 including for GUI apps?

    Along with what currentshaft has written, and to add to the confusion....LOL
    Paddy, I also put umask in "/etc/profile" and my results are:
    Code:
    # '/home/me/umask.sh' 
    nobody    This account is currently not available.
    systemd-coredumpThis account is currently not available.
    systemd-networkThis account is currently not available.
    systemd-oomThis account is currently not available.
    systemd-journal-remoteThis account is currently not available.
    systemd-resolveThis account is currently not available.
    systemd-timesyncThis account is currently not available.
    tss       This account is currently not available.
    _talkd    This account is currently not available.
    avahi     This account is currently not available.
    colord    This account is currently not available.
    dnsmasq   This account is currently not available.
    geoclue   This account is currently not available.
    git       lightdm   This account is currently not available.
    nm-openvpnThis account is currently not available.
    openvpn   This account is currently not available.
    me        0077
    flatpak   This account is currently not available.
    fwupd     This account is currently not available.
    passim    This account is currently not available.
    libvirt-qemuThis account is currently not available.
    qemu      This account is currently not available.
    So unless you're playing with some bad actors or a bad site you should be safe enough.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  4. #14
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,288
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Quote Originally Posted by 1fallen
    I also put umask in "/etc/profile" …
    I haven't touched /etc/profile. I've only put it in ~/.profile and ~/.bashrc.

    Anyway, you all have very much put my mind at ease, thank you. I'll stop messing with umask.

  5. #15
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Quote Originally Posted by currentshaft
    In my opinion, and this is not meant to be derogatory nor discourage anyone from hardening their system, I believe the user separation boundary on a Linux system is extremely trivial to cross, and while umask is a good hygiene practice, it is not a meaningful security control.
    It depends on the attacker. Most attackers are NOT very sophisticated. IF they are, there's little that can be done, beyond having multiple layers of security. We will disagree on this, based on our different experiences. I only have 30 yrs of experience, so there are certainly other views on this topic.

    I would never suggest anyone alter the default setting system-wide. That's a good way to break things. Changes like this need to be limited to single users.

    The default HOME directory setup is drwxr-x--- for 22.04 and later releases. The umask is still 002, but since the HOME directory doesn't allow "other" any access, it generally doesn't matter. Other cannot get into the HOME for users, unless the user modifies the permissions.
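    A worked illustration of the point above, added here and not part of the post: it computes the mode a file gets under a given umask, confirms that against what the kernel actually stores, and then checks whether a user in the "other" class can reach such a file through a home directory of mode 0750. The directory layout and file names are constructed for the example.

```python
import os
import stat
import tempfile

# "other" permission bits in an octal mode
OTHER_R, OTHER_W, OTHER_X = 0o004, 0o002, 0o001

def mode_from_umask(requested, umask):
    """Bits a create call ends up with: the mode the program requests
    (0o666 for files, 0o777 for directories) minus the bits the umask clears."""
    return requested & ~umask & 0o777

def create_file_mode(umask):
    """Empirical check of mode_from_umask(0o666, umask): create a file under a
    temporary umask and read back the mode the kernel actually stored."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "probe")
            with open(path, "w"):
                pass
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)

def other_can_read(path_modes):
    """path_modes lists (name, mode) from the top directory down to the file.
    A user in the 'other' class needs search (x) on every directory along
    the way and read (r) on the file itself; one missing x blocks the walk."""
    *dirs, (_, leaf_mode) = path_modes
    for _, dir_mode in dirs:
        if not dir_mode & OTHER_X:
            return False
    return bool(leaf_mode & OTHER_R)

def home_exposure(umask, home_mode=0o750):
    """Constructed layout: one file created directly under $HOME. The default
    home_mode 0o750 is the drwxr-x--- the post describes for 22.04 and later."""
    file_mode = mode_from_umask(0o666, umask)
    reachable = other_can_read([("home", home_mode), ("notes.txt", file_mode)])
    return file_mode, reachable

if __name__ == "__main__":
    for um in (0o002, 0o022, 0o077):
        mode, reachable = home_exposure(um)
        print(f"umask {um:03o}: file {mode:04o}, other can read: {reachable}")
    # Same umask, but in a HOME that has been loosened to 0755
    print("0755 home, umask 002:", home_exposure(0o002, 0o755))
```

    With the 0750 home even umask 002 leaves the file unreachable to "other"; loosen the home to 0755 and only a 077 umask keeps it closed, which is the trade-off the post describes.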

  6. #16
    Join Date
    May 2024
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Quote Originally Posted by TheFu
    It depends on the attacker. Most attackers are NOT very sophisticated.
    This attack doesn't require sophistication.

    alias sudo="evil; sudo -S" >> .bashrc

    Now all the attacker has to do is wait for the user to enter their password once to impersonate them, and likely escalate to root on almost all hosts.

    Multi-user and "root" security on Linux are kind of a joke. Once an adversary has code execution on your box, that's it, it's game over, no amount of umasks, anti-virus program or firewalls is going to help.

    That's why critical workloads need proper isolation, virtualization and containers to make security guarantees.
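    A defender's check for the alias hijack quoted in this post, added here as an example and not code from any participant: it scans a user's shell start-up files for aliases or shell functions that redefine privileged commands, and reports any start-up file that group or other may write to. The list of rc files and the set of protected commands are assumptions; the sample rc text is constructed.

```python
import re
import stat
from pathlib import Path

# Start-up files an interactive or login shell reads (assumed list, not exhaustive)
RC_FILES = (".bashrc", ".bash_profile", ".bash_aliases", ".profile", ".zshrc")
# Commands whose redefinition in a user-writable file deserves a look
PROTECTED = frozenset({"sudo", "su", "ssh", "passwd", "gpg"})

ALIAS_RE = re.compile(r"^\s*alias\s+(?P<name>[\w.-]+)=")
FUNC_RE = re.compile(r"^\s*(?:function\s+(?P<a>[\w.-]+)\b|(?P<b>[\w.-]+)\s*\(\s*\))")

def find_shadowing(text, protected=PROTECTED):
    """Return (line_no, kind, command, source_line) for every alias or shell
    function in `text` that redefines a command named in `protected`."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m and m.group("name") in protected:
            hits.append((no, "alias", m.group("name"), line.strip()))
            continue
        m = FUNC_RE.match(line)
        if m:
            name = m.group("a") or m.group("b")
            if name in protected:
                hits.append((no, "function", name, line.strip()))
    return hits

def scan_home(home):
    """Check each rc file under `home` for shadowing and for loose permissions
    (the point where the thread's umask discussion meets this attack)."""
    report = {}
    for name in RC_FILES:
        p = Path(home) / name
        if not p.is_file():
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        report[name] = {
            "shadowing": find_shadowing(p.read_text(errors="replace")),
            "writable_by_others": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        }
    return report

# Constructed sample ~/.bashrc; line 3 is the alias quoted in the post
SAMPLE_RC = """\
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
alias sudo="evil; sudo -S"
ls() { command ls --color=auto "$@"; }
function su { command su "$@"; }
"""

if __name__ == "__main__":
    for hit in find_shadowing(SAMPLE_RC):
        print("line %d: %s redefines %s -> %s" % hit)
```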

  7. #17
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: How does one set umask to 077 including for GUI apps?

    Pardon my 2 cents' worth here, but is this a good place to be speaking about Linux Security as a whole?

    "Linux" (as some aggregate of all the installations) typically has quite a bit more than just a password denying external access.

    So even if a running service is compromised (an HTTP server, for instance), if it is itself not running under the highest privileges, it is limited in the amount of lasting damage it can do. This mindset of running under limited privileges is what makes it a more secure system. (But Not Bullet Proof)

    There is no secure system. There are only systems which might be sufficiently secure against specific kinds of attacks, and attack scenarios might change fast.

    No magic Pill just the user's knowledge on security. You still have to know what you're doing and keep everything up-to-date.


    And I agree with TheFu: "never suggest anyone alter the default setting system-wide" unless they know why or how. (As warned, possible breakage.)

  8. #18
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Quote Originally Posted by currentshaft
    alias sudo="evil; sudo -S" >> .bashrc
    Tricking a user into running something evil is an issue on every OS and has been since the first computers existed. It is nothing new.

    There's no replacement for a smart user who cannot be tricked. You can create an alias for your user, but not for mine. If you can trick me into running a script that you wrote, then I deserve what I get.

    I'd believe more strongly that someone would infect most users through a USB device with an auto-type script built into the "load driver" function. The truly paranoid already know that everyone in the world is out to get them ... not personally, but everyone they can. There's a huge ecosystem in most Linux distros to prevent untrusted software from getting installed. This isn't MS-Windows with a setup.exe that people are expected to run. If users only get software from a trusted distro repo, stay updated, and on a supported OS, they've just prevented many of these foolish attack vectors.

    But you'll have some other example of how a little mistake can cause a takeover of a Linux system. That's true. Nothing replaces a smart admin.

    Which comes back to my statement ...
    I would never suggest anyone alter the default setting system-wide. That's a good way to break things. Changes like this need to be limited to single users.

  9. #19
    Join Date
    May 2024
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Quote Originally Posted by 1fallen
    So even if a running service is compromised (an HTTP server, for instance), if it is itself not running under the highest privileges, it is limited in the amount of lasting damage it can do.
    The history of software vulnerabilities is replete with examples counter to this.

    Search for "local privilege escalation linux cves"

    https://ubuntu.com/security/CVE-2024-1086 is just one recent example

    Just assume any code you run on Linux has the capability to become root.

  10. #20
    Join Date
    May 2024
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Quote Originally Posted by TheFu
    Tricking a user into running something evil is an issue on every OS and has been since the first computers existed. It is nothing new.

    There's no replacement for a smart user who cannot be tricked. You can create an alias for your user, but not for mine. If you can trick me into running a script that you wrote, then I deserve what I get.
    My friend, there is no trickery involved, nor another user. The code you run as your user already grants adversaries the potential privilege to do what I had demonstrated. Do you audit every line of every application, script and web site you execute and visit? I highly doubt it, and even if you did, much of modern software is hilariously vulnerable to common exploits.

    There are weekly examples of remote code execution in browsers, mail clients and media software. Many of them require no user interaction; simply visiting a webpage or receiving an email is enough for an attacker to execute code (as you). After that, root escalation is a walk in the park.

    Bottom line is friends don't let friends run critical workloads without virtualization or containers, or other means of isolation/sandboxing.
