1

I have a debian virtual machine set up and thought of something in regards to UMASK. First I would like to ask if the function of UMASK is to set CHMOD values on any file created by a user. Secondly, is there a way that UMASK can be used to effectively lock root out of files or is it the issue of root being "god" and able to unlock any files of lesser users? Would this be a scenario where it would make more sense for users seeking private files to instead have some type of virtual machine running inside debian to lock I as the admin out of their files?

Rui F Ribeiro
  • 56,709
  • 26
  • 150
  • 232
is-cj
  • 23
  • Can you do it with access control lists? http://unix.stackexchange.com/questions/101263/what-are-the-different-ways-to-set-file-permissions-etc-on-gnu-linux – ctrl-alt-delor Jun 03 '16 at 18:00

1 Answers1

1

if the function of UMASK is to set CHMOD values

umask is not the same as chmod. The process umask describes which permission bits will be automatically cleared when files are first created. It works like this:

actual permission = requested permission & ~umask

Typically, applications request permissions like 0666 for a regular file, and the umask might be, for example 027. The result is 0640. That umask says:

  • don't clear any owner bits (0, binary 000)
  • force the writable-by-group flag off (2, binary 010)
  • force all permissions off for others (7, binary 111)

The umask doesn't get consulted at all for operations like chmod which explicitly set all the permission bits.

Secondly, is there a way that UMASK can be used to effectively lock root out of files

No. Nothing you do will prevent root from accessing any file...

for users seeking private files to instead have some type of virtual machine running inside debian

...not even that. The root user on the hypervisor or dom0 (or similar, for other virtualization technologies) can still access anything on the system.

Celada
  • 44,132