On my Ubuntu 11.04×64 server, I have service accounts running which do not log in and do not have home directories. These service accounts are responsible for running processes which are invoked as services.
When these services created new files, I need them to be created with the permissions 664 (UMASK 002).
I edited the /etc/profile umask setting to reflect this. I see that now my user account creates files which reflect this new umask setting, but the service accounts do not when I manually created files using their accounts (sudo -u serviceaccount touch newfile).
Any suggestions?
Best Answer
If the services are started via Upstart or /etc/init.d, edit the appropriate initscripts.
umask 02at the top of script (they are ordinaryshscripts)umask 02anywhereLinux does not have a strict definition of "login", and an account is merely an UID that can (or cannot) be associated with a name/homedir/etc.
When you log in on console/over SSH, the login program (or the SSH daemon) uses PAM to set up the environment (possibly
pam_umask), then starts your shell with the "login" flag. The/etc/profilescript belongs to the sh and bash shells, which only read it for "login" invocations.When you use
sudo touch ...orsudo /etc/init.d/foo start, sudo still calls PAM for auth/account/session setup, but does not start the shell at all, meaning all "profile" or "bashrc" files will be ignored. (That is, unless you usesudo -i ....)When Upstart runs a service, it simply switches the UID to that of your service, skipping any "profile" scripts or PAM configuration. The only configuration that is read is the service's file in
/etc/init, which is where you should put the umask setting.