Linux – How to set the default file permissions on ALL newly created files in linux

linuxpermissionsSecurity

My question is similar to this:

https://stackoverflow.com/questions/228534/linux-default-file-permission

but there is no scp/ftp client involved and that question looks abandoned. Simply put: I want to be able to, at some global level decree that all newly created files will never have world writable permissions (0775).

I tried putting a umask 02 in /etc/profile then in my bash_profile but it only works for scripts or new files that I create in a shell. It doesn't work for files that another binary creates. Is there anyway to have all new files that are created?

Best Answer

What you want is the UMASK setting in the /etc/login.defs file.

Related Solutions

Linux – How to set default permissions for files moved or copied to a directory

You can use an ACL (access control list) to set the default permissions for files in a directory.

From man 5 acl:

If a default ACL is associated with a directory, the mode parameter to the functions creating file objects and the default ACL of the directory are used to determine the ACL of the new object:

The new object inherits the default ACL of the containing directory as its access ACL.

The access ACL entries corresponding to the file permission bits are modified so that they contain no permissions that are not contained in the permissions specified by the mode parameter.

To set it up (change device, directories, etc., accordingly):

Edit your /etc/fstab file and add the acl mount option.

/dev/mapper/star-home /home ext3  defaults,acl 0 2

Remount (Samba mount.cifs man page) your filesystem by rebooting or use:

mount -o remount,acl /home

Make sure you have the setfacl and getfacl utilities.

Set the default ACL on the directory (you may also need to set the ACL on existing files):

$ setfacl -m d:user:george:rwx,d:group:sales-g:rwx,d:group:marketing-g:rwx projections

See the linked tutorial for more information.

Source: Tutorial Part 1 and Part 2

Reference: POSIX Access Control Lists on Linux

Linux – How to apply umask settings to an account that doesn’t log in

If the services are started via Upstart or /etc/init.d, edit the appropriate initscripts.

init.d: umask 02 at the top of script (they are ordinary sh scripts)
Upstart: umask 02 anywhere

Linux does not have a strict definition of "login", and an account is merely an UID that can (or cannot) be associated with a name/homedir/etc.

When you log in on console/over SSH, the login program (or the SSH daemon) uses PAM to set up the environment (possibly pam_umask), then starts your shell with the "login" flag. The /etc/profile script belongs to the sh and bash shells, which only read it for "login" invocations.

When you use sudo touch ... or sudo /etc/init.d/foo start, sudo still calls PAM for auth/account/session setup, but does not start the shell at all, meaning all "profile" or "bashrc" files will be ignored. (That is, unless you use sudo -i ....)

When Upstart runs a service, it simply switches the UID to that of your service, skipping any "profile" scripts or PAM configuration. The only configuration that is read is the service's file in /etc/init, which is where you should put the umask setting.

Best Answer

Related Solutions

Linux – How to set default permissions for files moved or copied to a directory

Linux – How to apply umask settings to an account that doesn’t log in

Related Question