NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-268181 | SRG-OS-000480-GPOS-00228 | ANIX-00-002180 | SV-268181r1131169_rule | 2025-08-19 | 1 |
Description
Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.
ℹ️ Check
Verify the NixOS operating system defines default file permissions so users may only modify their own files.
$ grep "UMASK" /etc/login.defs
UMASK 077
If the UMASK setting is not present, is commented out, or is less restrictive than 077, this is a finding.
✔️ Fix
Configure the NixOS operating system to change default file permissions so users may only modify their own files.
Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:
security.loginDefs.settings.UMASK = "077";
Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch