How to set default umask in Ubuntu 17.04?

In the past, I have always set umask at ~/.profile. I set a umask of 077 so my documents get a permission of 600 (rw-------). But setting this at ~/.profile no longer works in Ubuntu 17.04.

So as new documents get created in a gnome session on Ubuntu 17.04, where can I configure so that they get created with permission 600?


Solution 1:

To set permissions for all directories and files that are created day-forward by any user:

  1. sudo nano /etc/pam.d/common-session
  2. Find the line with "session optional pam_umask.so"
  3. Change this to "session optional pam_umask.so umask=0077"
  4. Save the file.
  5. Reboot.

New files will be 600. New directories will be 700.

Solution 2:

tl;dr: Replace UMASK 022 with e.g. UMASK 027 in the file /etc/login.defs, but it doesn't work 100%.


Documentation

See the man pages (20.04) for info on this. There are several places where it can be set: I used /etc/pam.d/login or /etc/default/login in the past, but they stopped working, so now I'm using /etc/login.defs, which partially works.

The PAM module tries to get the umask value from the following places in the following order:

· umask= entry in the user's GECOS field

· umask= argument

· UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB in /etc/login.defs)

· UMASK= entry from /etc/default/login

(...)

EXAMPLES

Add the following line to /etc/pam.d/login to set the user specific umask at login:

    session optional pam_umask.so umask=0022

Ubuntu 18.04, Ubuntu 20.04

In file /etc/login.defs there is an entry UMASK 022 that can be replaced by, in my case, UMASK 027. Then reboot. This yields:

Ubuntu 18.04:

    $ umask
    0022
    $ more /etc/login.defs | grep ^UMASK
    UMASK       027

    $ echo foo > terminal

    NOTE:  Open gedit from Dock and write file `dock`
           Open gedit from Menu and write file `menu`

    $ ls -l dock menu terminal
    -rw-r--r-- 1 daniel daniel 4 nov  4 16:11 dock
    -rw-rw---- 1 daniel daniel 4 nov  4 16:11 menu
    -rw-r--r-- 1 daniel daniel 4 nov  4 16:11 terminal

Ubuntu 20.04:

    $ umask
    0007
    $ more /etc/login.defs | grep ^UMASK
    UMASK       027

    $ ls -l foo bar
    ls: cannot access 'foo': No such file or directory
    ls: cannot access 'bar': No such file or directory

    $ touch foo
    $ echo hello > bar
    $ ls -l foo bar
    -rw-rw---- 1 daniel daniel 6 nov  4 17:20 bar
    -rw-rw---- 1 daniel daniel 0 nov  4 17:20 foo

Might work in 17.04

Note this file does not exist on my version of Ubuntu, in which case we can create it.

    $ sudo sh -c "echo 'session optional pam_umask.so umask=0027' >> /etc/default/login"

    $ more /etc/default/login
    session optional pam_umask.so umask=0027

Evil Bug

Now if we restart and ask for the umask in the terminal we still get 0022 (in the case of Ubuntu 18.04) and not the 0027 that was set. See Bug #1685754.

But if we open an application, for example the Text Editor, and save a file we'll notice the new umask affected permissions. Open it from the menu, not from the terminal as it seems to pick up the (bad) umask from the terminal.

References

  • Ubuntu 18.04 Manpage for pam_umask
  • Bug #1685754, since 17.04

Solution 3:

    # the default umask is set in /etc/profile; for setting the umask
    # for ssh logins, install and configure the libpam-umask package.
    #umask 022

That's literally what your ~/.profile says. Did you relogin once changed? It should work fine.

Also:

This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login exists.

Actually confirmed the issue on a freshly installed Ubuntu 17.04. Even fully updating still causes this issue to arise, and even ~/.bash_profile is ignored; there seems to be an issue with the command interpreter not reading those files after login.

You can use ~/.bashrc for now, which still works fine and is read during login.

So after digging a little into it, it seems bash is not run by default with --login anymore, which means it doesn't read ~/.profile. Starting a new bash with the umask in ~/.profile with bash --login sets the umask correctly; starting a bash without it, though, ignores ~/.profile. Not sure what was changed, but this seems like a bug to me unless it was intentionally changed.

Solution 4:

I recently came across this on Ubuntu 20.04 LTS and found the solution.

    $ man -k umask
    $ man pam_umask

This will get us the location of manual pages that discuss umask - all information can be found there.

From /etc/pam.d/common-session:

The pam_umask module will set the umask according to the system default in /etc/login.defs and user settings.

This solves the problem of different umask settings with different shells, display managers, remote sessions etc.

From PAM_UMASK(8):

pam_umask is a PAM module to set the file mode creation mask of the current environment. The PAM module tries to get the umask value from the following places in the following order:

· umask= entry in the user's GECOS field

· umask= argument

· UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB in /etc/login.defs)

· UMASK= entry from /etc/default/login

Notice the text in the brackets: influenced by USERGROUPS_ENAB in /etc/login.defs.

What is USERGROUPS_ENAB?

From /etc/login.defs:

If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value for private user groups, i. e. the uid is the same as gid, and username is the same as the primary group name: for these, the user permissions will be used as group permissions, e. g. 022 will become 002.

If not specified, the permission mask (umask) is initialized to 022.

You can now run this:

$ sudo nl /etc/login.defs | grep USERGROUPS_ENAB

to double-check whether you have USERGROUPS_ENAB set to "yes", whether it's uncommented (default), and on which line of the document you can find it.

Therefore, when you change the default "UMASK 022" to "UMASK 027", if USERGROUPS_ENAB is set to "yes", you will see that your umask has been set to 007 (not 027) - as it ignores the 2nd position (group permissions).

The solution to this is simple: uncomment the line where "USERGROUPS_ENAB" is set to "yes". If you have changed umask value to "UMASK 027", you will have umask set to 027 after the reboot.

You can verify this by running this in your shell.

$ umask

To summarize, the only config file that matters is /etc/login.defs.

Set your umask to desired value and make sure to uncomment USERGROUPS_ENAB line to change group permissions as well.

Hope this helps.
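
The USERGROUPS_ENAB interaction described in Solutions 2 and 4, as an added example that is not part of any answer above: it models the rule as quoted from /etc/login.defs (for a private user group, the owner bits of the umask replace the group bits) and prints the resulting modes for new files and directories. The function names, the sample login.defs contents and the account values are constructed, and treating a missing USERGROUPS_ENAB as disabled is an assumption.

```shell
#!/bin/sh
# Added example: models the USERGROUPS_ENAB rule quoted from /etc/login.defs.
# All file contents and account values below are constructed samples.

# Print the last uncommented value of KEY in a login.defs-style FILE.
defs_get() {  # defs_get FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Print the umask a session would get from FILE for the given account.
effective_umask() {  # effective_umask FILE USER UID GID GROUP
    mask=$(defs_get "$1" UMASK)
    [ -n "$mask" ] || mask=022            # page: "If not specified ... 022"
    m=$((0$mask))                         # leading 0 forces octal parsing
    # Assumption: a missing USERGROUPS_ENAB line counts as disabled.
    if [ "$(defs_get "$1" USERGROUPS_ENAB)" = yes ] &&
       [ "$3" -eq "$4" ] && [ "$2" = "$5" ]; then
        # Private user group: copy the owner digit into the group digit,
        # so 022 becomes 002 and 027 becomes 007.
        m=$(( (m & ~070) | ((m >> 3) & 070) ))
    fi
    printf '%04o\n' "$m"
}

# Print the mode of a newly created file (base 666) or directory (base 777).
new_mode() {  # new_mode UMASK file|dir
    case $2 in
        dir) printf '%03o\n' $(( 0777 & ~0$1 )) ;;
        *)   printf '%03o\n' $(( 0666 & ~0$1 )) ;;
    esac
}

# Compare both USERGROUPS_ENAB settings for UMASK 027 and a private group.
demo() {
    tmp=$(mktemp)
    for enab in yes no; do
        printf 'UMASK\t\t027\nUSERGROUPS_ENAB %s\n' "$enab" > "$tmp"
        u=$(effective_umask "$tmp" daniel 1000 1000 daniel)
        echo "USERGROUPS_ENAB=$enab umask=$u" \
             "file=$(new_mode "$u" file) dir=$(new_mode "$u" dir)"
    done
    rm -f "$tmp"
}
demo
```

With USERGROUPS_ENAB enabled, the 660 file mode matches the `-rw-rw----` listings shown for Ubuntu 20.04 in Solution 2.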