Linux – How to set umask globally

file-permissionslinuxpermissionsumask

I am using a private user group setup, i.e. a user foo's home directory is owned by foo:foo, not foo:users.

For this to work, I need to set the umask to 002 globally.

After a quick grep -RIi umask /etc/*, it seemed for a moment that modifying the UMASK entry in /etc/login.defs should do the trick. It does, too — but only for console logins.

If I log in to my desktop, and open a terminal there, I still get to see the default umask 022. Same goes for files created from apps started through the menu. Apparently, the display manager (or whatever X11 component responsible) does source some different setting than a console login does, and damned if I could tell which one it is. (I tried changing the setting in /etc/init.d/rc, and no, it did not help.)

How / where do I set umask globally (and for all users), so that the X11 desktop environment gets the memo as well?

(The system is Linux Mint / Ubuntu, in case that changes anything…)

Best Answer

You can set the umask globally by introducing the statement

 umask 022

(for instance) in either /etc/profile or /etc/bashrc.

Alternatively, since you are on a Debian system, you may use PAM. To enable this, first edit the file /etc/pam.d/common-session and add the line:

 session optional pam_umask.so

then edit the file /etc/login.defs and add (or modify, whatever) the line

 UMASK           002

These settings are enforced after the next reboot, but be careful: both methods lead to a configuration that can always be superseded by users' choice in their own ~/.bashrc, for instance.

If you are really keen on making it impossible to change the umask, you may use the disk configuration in /etc/fstab. As you know, the available options and syntax depend upon the filesystem type.

Related Solutions

Linux – How to apply umask settings to an account that doesn’t log in

If the services are started via Upstart or /etc/init.d, edit the appropriate initscripts.

init.d: umask 02 at the top of script (they are ordinary sh scripts)
Upstart: umask 02 anywhere

Linux does not have a strict definition of "login", and an account is merely an UID that can (or cannot) be associated with a name/homedir/etc.

When you log in on console/over SSH, the login program (or the SSH daemon) uses PAM to set up the environment (possibly pam_umask), then starts your shell with the "login" flag. The /etc/profile script belongs to the sh and bash shells, which only read it for "login" invocations.

When you use sudo touch ... or sudo /etc/init.d/foo start, sudo still calls PAM for auth/account/session setup, but does not start the shell at all, meaning all "profile" or "bashrc" files will be ignored. (That is, unless you use sudo -i ....)

When Upstart runs a service, it simply switches the UID to that of your service, skipping any "profile" scripts or PAM configuration. The only configuration that is read is the service's file in /etc/init, which is where you should put the umask setting.

Debian Umask – How to Set Umask for a Folder and Its Subfolders

I assume that you did already:

chmod g+rwxs directory

and now you have to make sure that the users have a umask like 002. To setup the umask for all the users, try in /etc/bashrc or /etc/profile.

caveat: you cannot setup a umask per directory as it's a process level thing.

Interesting read http://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html

Best Answer

Related Solutions

Linux – How to apply umask settings to an account that doesn’t log in

Debian Umask – How to Set Umask for a Folder and Its Subfolders

Related Question