2.1 Ensure the file permissions mask is correct


Files are always created using a default set of permissions. File permissions can be restricted by applying a permissions mask called the umask. The postgres user account should use a umask of 077 to deny file access to all user accounts except the owner.


The Linux OS defaults the umask to 002, which means the owner and primary group can read and write the file, and other accounts are permitted to read the file. Not explicitly setting the umask to a value as restrictive as 077 allows other users to read, write, or even execute files and scripts created by the postgres user account. The alternative to using a umask is explicitly updating file permissions after file creation using the command-line utility chmod (a manual and error-prone process that is not advised).


Depending upon the postgres user's environment, the umask is typically set in the initialization file .bash_profile, but may also be set in .profile or .bashrc. To set the umask, add the following to the appropriate profile file:

$ whoami
$ cd ~
$ ls -ld .{bash_profile,profile,bashrc}
ls: cannot access .profile: No such file or directory
ls: cannot access .bashrc: No such file or directory
-rwx------. 1 postgres postgres 267 Aug 14 12:59 .bash_profile
$ echo 'umask 077' >> .bash_profile
$ source .bash_profile
$ umask
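
The following is an added example, not part of the benchmark text: a small shell audit that shows the file mode produced by umask 002 versus 077 and checks whether a profile file's last umask setting is at least as strict as 077. The function names are hypothetical, and only numeric `umask NNN` lines are recognised (the symbolic form is not parsed).

```shell
#!/bin/sh
# Added example; helper names and sample values are constructed for illustration.

# Print the permission string of a file created under umask $1.
mode_under_umask() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/probe"
        ls -l "$dir/probe" | cut -c1-10
        rm -rf "$dir"
    )
}

# Print the last numeric umask set in profile file $1.
# Commented-out lines such as "# umask 077" do not match.
last_umask_in() {
    sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([0-7]\{1,4\}\).*$/\1/p' "$1" | tail -n 1
}

# Succeed only if mask $1 clears every group and other permission bit.
umask_is_restrictive() {
    [ $(( 0$1 & 077 )) -eq $(( 077 )) ]
}

# Audit one profile file: PASS when its last umask is at least as strict as 077.
audit_profile() {
    mask=$(last_umask_in "$1")
    if [ -z "$mask" ]; then
        echo "FAIL: no umask set in $1"; return 1
    fi
    if umask_is_restrictive "$mask"; then
        echo "PASS: umask $mask in $1"
    else
        echo "FAIL: umask $mask in $1"; return 1
    fi
}

echo "umask 002 -> $(mode_under_umask 002)"
echo "umask 077 -> $(mode_under_umask 077)"
```

Call `audit_profile` on whichever of .bash_profile, .profile or .bashrc exists in the postgres user's home directory; a later `umask` line in the same file overrides an earlier one, which is why only the last match is evaluated.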

Item Details


References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.6

Plugin: Unix

Control ID: 36ed1c0ec8a47c933ff5679a55399cdbe084f73b454ad04c1fc9d8b4ae778169