NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-268181 | SRG-OS-000480-GPOS-00228 | ANIX-00-002180 | SV-268181r1131169_rule | 2025-08-19 | 1 |
| Description |
|---|
| Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. |
| ℹ️ Check |
|---|
| Verify the NixOS operating system defines default file permissions so users may only modify their own files. Run `$ grep "UMASK" /etc/login.defs`; the expected output is `UMASK 077`. If the UMASK setting is not present, is commented out, or is less restrictive than 077, this is a finding. |
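The check above is stated as a manual grep; the script below is an added example (not part of the STIG text or of NixOS) that applies the same pass/fail rule to a `login.defs`-style file: the last uncommented `UMASK` line must exist and its group and other digits must both be 7, which is what "at least as restrictive as 077" means bit-wise. The file path, the `umask_compliant` and `check_content` function names, and the sample contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: evaluate a login.defs UMASK setting against the STIG rule.
# Not part of the STIG or of NixOS; function names and samples are constructed.

# umask_compliant FILE
# Returns 0 when FILE contains an active (uncommented) UMASK line whose value
# is an octal number that clears all group and other bits (at least as
# restrictive as 077). Returns 1 otherwise, which corresponds to a finding.
umask_compliant() {
    file="$1"
    # Only lines that start (after optional whitespace) with the UMASK keyword
    # count; commented-out lines are ignored. login.defs honours the last
    # definition, so take the last match.
    line=$(grep -E '^[[:space:]]*UMASK[[:space:]]+' "$file" | tail -n 1)
    [ -n "$line" ] || return 1          # setting absent or commented out

    value=$(printf '%s\n' "$line" | awk '{print $2}')

    # Reject empty or non-octal values.
    case "$value" in
        ""|*[!0-7]*) return 1 ;;
    esac

    # The two low digits are the group and other masks; both must be 7 for
    # all group/other permission bits to be removed. Any leading digits
    # (e.g. "0077", "177") only make the mask more restrictive.
    case "$value" in
        *77) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_content TEXT
# Writes TEXT to a temporary file and runs umask_compliant on it, so the rule
# can be exercised on constructed samples without touching /etc/login.defs.
check_content() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if umask_compliant "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Demonstration on constructed samples (comments mark the expected verdict).
for sample in 'UMASK 077' 'UMASK 0077' 'UMASK 022' '# UMASK 077' 'PASS_MAX_DAYS 90'; do
    if check_content "$sample"; then
        printf 'PASS    %s\n' "$sample"
    else
        printf 'FINDING %s\n' "$sample"
    fi
done
```

To run it against the live system, call `umask_compliant /etc/login.defs` and branch on its exit status; note that it is deliberately stricter than the bare `grep "UMASK"` in the check text, which would also match a commented-out line.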
| ✔️ Fix |
|---|
| Configure the NixOS operating system to change default file permissions so users may only modify their own files. Add the following Nix code to the NixOS configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: `security.loginDefs.settings.UMASK = "077";` Then rebuild and switch to the new NixOS configuration: `$ sudo nixos-rebuild switch` |