
On 08/08/2022 15.59, Brandon Allbery wrote:
> I think umask addresses a different issue than "unprivileged user". In any case, yes, 077 is fairly uncommon; if you have that much need for privacy then perhaps you should not be using the system in the first place.
Yes and no. It prevents a program which drops privileges (e.g. sshd) at the start from reading arbitrary user files, so if there are post-startup remote vulnerabilities it's unable to exfiltrate all your user data. (Obviously one has to trust the program up to that point, but that's a much smaller attack surface.) I find it a good general practice in terms of Defense in Depth -- especially as it actually really shouldn't cause issues on a single-user system. (It *is* probably uncommon as you say, though. I believe most distros default to 022.)

Regards,
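
The difference between the two umask values discussed in this message, as an added example that is not part of the original thread: it creates a small home-like tree under 022 and under 077 and counts the entries an unrelated account could read. The directory and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File names below are constructed.

# Print the octal mode of a path (GNU stat, with BSD stat as fallback).
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List everything under a directory that carries the "other: read" bit,
# i.e. what a process running as an unrelated account could open.
other_readable() {
    find "$1" -perm -004
}

# Build a small home-like tree under the given umask and print
# "<file mode> <dir mode> <count of other-readable entries>".
# The ( ) body runs in a subshell, so the caller's umask is untouched.
survey_umask() (
    umask "$1"
    scratch=$(mktemp -d) || exit 1
    mkdir "$scratch/home" "$scratch/home/.ssh"
    : > "$scratch/home/notes.txt"
    : > "$scratch/home/.ssh/config"
    n=$(other_readable "$scratch/home" | wc -l | tr -d ' ')
    echo "$(octal_mode "$scratch/home/notes.txt") $(octal_mode "$scratch/home") $n"
    rm -rf "$scratch"
)

for mask in 022 077; do
    echo "umask $mask -> $(survey_umask "$mask")"
done
```

The umask only affects files created after it is set; existing files keep their modes, so `other_readable` pointed at a real home directory shows what still needs a `chmod`.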