UMask setting
The property UMask is a systemd unit setting used for sandboxing.
Purpose: set default umask for new files
Why and when to use UMask
The setting UMask defines the default umask that is used when creating new files or directories. It is an extension to the umask value that is normally already configured within the shell itself.
Configuration
Set the value of UMask to a similar value as the umask setting in the shell, for example 022 or the full format 0022.
Generic advice
This option can be applied to most services. It is useful to tighten up file permissions for those services that create new files, especially if the more generic umask settings are less strict.
Testing
To test if the umask correctly works, the systemd-run command can be used.
Create file that is only readable by the owner
Run the command and set UMask to the value 0277. Then let the touch command create a new file.
systemd-run --pty --property=UMask=0277 touch /tmp/testfile
Related hardening profiles
The systemd unit setting UMask is used in the following hardening profiles.
