UMask setting
This article has last been updated at .
The property UMask is a systemd unit setting used for sandboxing. It is available since systemd 1.
Purpose: set default umask for new files
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use UMask
Systemd provides the unit setting UMask to define the default umask for a service. The value is applied whenever the service creates new files or directories and determines the permission bits those files and directories receive. It complements the umask value that is normally already configured within the shell itself, since a service started by systemd does not inherit a shell's umask.
Configuration
Set UMask to a value in the same octal format as the umask setting in the shell, for example 022 or the full form 0022.
Generic advice
This option can be applied to most services. It is useful for tightening file permissions of services that create new files, especially when the more generic umask settings on the system are less strict.
Testing
To test whether the umask is applied correctly, the systemd-run command can be used.
Create file that is only readable by the owner
Run the command below, which sets UMask to the value 0277, and let the touch command create a new file. The resulting file should be readable by its owner only.
systemd-run --pty --property=UMask=0277 touch /tmp/testfile
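As an added example that is not part of the original article, the script below predicts the permission bits a given UMask= value produces and compares that prediction with what the kernel actually sets, using a scratch directory instead of systemd-run so it can run without root or a running systemd. It assumes a stat(1) that supports -c %a (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not part of the original article): work out and verify what a
# given UMask= value does to files and directories a service creates. systemd
# applies the value as the umask of the service process; when UMask= is not set,
# the service default is 0022.

# Permission bits of a new file (kernel base 0666) or directory (base 0777)
# after the umask is applied, printed as four octal digits.
# $1 = umask such as 022, 0022 or 0277; $2 = "file" or "dir".
umask_result() {
    base=0666
    [ "$2" = "dir" ] && base=0777
    printf '%04o\n' $(( base & ~0$1 ))
}

# Succeeds only if the umask removes every group and other bit, i.e. a new
# file can be read by its owner alone (the case the systemd-run test checks).
umask_owner_only() {
    [ $(( 0$1 & 0077 )) -eq 63 ]
}

# Ground truth: create a file and a directory under the umask in a scratch
# directory and report the modes the kernel actually set.
# Assumes a stat(1) that supports -c %a (GNU coreutils or busybox).
observed_modes() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && touch "$dir/f" && mkdir "$dir/d" ) || return 1
    f=$(printf '%04o' "0$(stat -c %a "$dir/f")")
    d=$(printf '%04o' "0$(stat -c %a "$dir/d")")
    rm -rf "$dir"
    printf '%s %s\n' "$f" "$d"
}

# Compare prediction with reality for the values the article mentions.
for m in 022 0022 0277; do
    printf 'UMask=%s -> file %s, dir %s (kernel: %s)' "$m" \
        "$(umask_result "$m" file)" "$(umask_result "$m" dir)" \
        "$(observed_modes "$m")"
    umask_owner_only "$m" && printf '  [owner-only]'
    printf '\n'
done
```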
Related hardening profiles
The systemd unit setting UMask is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.