Ubuntu – Why do a user’s umask values differ between two systems


I have two systems, A and B. A is Ubuntu 16.04, and B is Ubuntu 20.04. Each has a utility user 'rufus' defined on it. 'rufus' has no login on either system.

I want to understand why 'rufus' has different default umask values between the two systems. On system A (16.04), I get

$ sudo -u rufus sh -c umask
0022

On system B (20.04), I get

$ sudo -u rufus sh -c umask
0002

Running umask for both my own user and for 'root' returns 0022, the expected default, on both systems. Whatever the difference is, it seems to relate to some property specific to 'rufus'.

Here are the things I've considered:

1) system users

Some Linux systems define different default umasks for system users than for regular users.

On system A (16.04), 'rufus' has

$ id rufus
uid=999(rufus) gid=999(rufus) groups=999(rufus)

On system B (20.04), 'rufus' has

$ id rufus
uid=114(rufus) gid=119(rufus) groups=119(rufus)

On both systems, /etc/login.defs has a default umask of 022 and the system user window commented out

UMASK           022
# System accounts
#SYS_UID_MIN              100
#SYS_UID_MAX              999

but /etc/adduser.conf has

FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999

indicating that 'rufus' is a system user on both systems (that is, UID > 99 and UID < 1000). So it doesn't seem like this explains the difference in default umask.

2) Login scripts

A user's default umask can be set by login scripts, either global ones like /etc/profile or user-specific ones like ~/.profile. 'rufus' has no login, so these files shouldn't affect what umask returns, because they are never processed.

To be thorough, however, I double-checked the files

/etc/profile
/etc/bash.bashrc
~rufus/.profile

on both systems ('rufus' does have a home folder). None of them set a value for umask. So for a couple of reasons, it doesn't seem like this explains the difference in default umask.

3) /etc/passwd

A user's 'umask' can be set in /etc/passwd.

On System A (16.04):

rufus:x:999:999:,,,:/home/rufus:/usr/sbin/nologin

On System B (20.04):

rufus:x:114:119::/home/rufus:/usr/sbin/nologin

Neither of these sets 'umask', so it doesn't seem like this explains the difference in default umask.

4) libpam-umask

I know very little of this, but I understand it can be used to set the umask value for a user. On both systems, libpam-umask is provided by the package libpam-modules. This package is installed on both systems, but I have never used it or configured it. On both systems, the config files /etc/pam.d/common-session and /etc/pam.d/common-session-noninteractive have no umask setting on the line

session    optional    pam_umask.so

so unless there's somewhere else I need to look, this doesn't seem to explain the difference in default umask.

That's all I can think of. What else can explain the difference in what umask returns for 'rufus' between the two systems?

One question I'd like answered in particular is: When Ubuntu sets a default umask for all system users (UID 100-999), in what file is this set? This seems to be yet another piece of Linux's signature "secret information".

Best Answer

I think I figured this out. In the /etc/login.prefs in 20.04 the following is stated:

# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
# for private user groups, i. e. the uid is the same as gid, and username is
# the same as the primary group name: for these, the user permissions will be
# used as group permissions, e. g. 022 will become 002.

This might honestly be a bug in 16.04 when running the command sudo -u username sh -c umask. This is the only thing I can come up with. On my test systems I get the following output.

16.04:

terrance@terrance-1604:~$ id
uid=1000(terrance) gid=1000(terrance) groups=1000(terrance),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
terrance@terrance-1604:~$ umask
0002
terrance@terrance-1604:~$ sudo -u terrance sh -c umask
0022

20.04:

terrance@terrance-ubuntu:~$ id
uid=1000(terrance) gid=1000(terrance) groups=1000(terrance),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),126(sambashare),132(vboxusers)
terrance@terrance-ubuntu:~$ umask
0002
terrance@terrance-ubuntu:~$ sudo -u terrance sh -c umask
0002

It appears they both support the exact same commands and have the exact same wording in the /etc/login.prefs. But 16.04 appears to not read into the user correctly like it does in 20.04. It looks like a bug, but since 16.04 is now EOL, they will not update it for bugs anymore.

Hope this helps!
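
The group-bit rule from the comment quoted in the answer, as an added example (not code from the post, Ubuntu or Linux-PAM): it computes the umask an account ends up with and marks accounts whose primary group has other members, since a 002 umask makes their new files writable by those members. It assumes the rule applies to any non-root user whose name equals its primary group name, which is the condition the pam_umask man page documents for its usergroups option (the quoted comment also mentions uid equal to gid); the function names and all sample entries except rufus are constructed.

```shell
#!/bin/sh
# Added example, not Ubuntu's or Linux-PAM's code; function names are hypothetical.

# usergroups_umask BASE USER PRIMARY_GROUP UID -> prints the effective umask.
# Assumed rule: a non-root user whose name equals the primary group name gets
# the owner bits copied into the group bits (022 -> 002, 077 -> 007).
usergroups_umask() {
    case $1 in ''|*[!0-7]*) echo "bad umask: $1" >&2; return 2 ;; esac
    m=$((0$1))
    if [ "$4" -ne 0 ] && [ "$2" = "$3" ]; then
        m=$(( (m & ~070) | ((m >> 3) & 070) ))
    fi
    printf '%04o\n' "$m"
}

# audit PASSWD_FILE GROUP_FILE BASE -> "name umask private|shared" per account.
# "shared": the primary group lists other members, so files created with a
# relaxed umask are writable by them.
audit() {
    while IFS=: read -r user _ uid gid _; do
        gline=$(awk -F: -v g="$gid" '$3 == g { print $1 ":" $4 }' "$2")
        group=${gline%%:*}
        members=${gline#*:}
        eff=$(usergroups_umask "$3" "$user" "$group" "$uid") || return 2
        note=private
        [ -n "$members" ] && [ "$members" != "$user" ] && note=shared
        echo "$user $eff $note"
    done < "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # rufus is system B's entry from the question; everything else is constructed.
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
rufus:x:114:119::/home/rufus:/usr/sbin/nologin
svc:x:115:120::/nonexistent:/usr/sbin/nologin
mirror:x:116:34::/nonexistent:/usr/sbin/nologin
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
rufus:x:119:
svc:x:120:deploy
backup:x:34:
EOF
    audit "$d/passwd" "$d/group" 022
    rm -rf "$d"
}
demo
```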