  1. #1
    Trusted Penguin elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    2,298

    Understanding umask

    I have been looking into umask as when running Ubuntu I have found that
    scripts I have downloaded have been executable by default.

    I run the command umask and this returns the value 0022

    This is how I understand this umask thing.

    Start with 777 which is everybody able to do everything and then subtract the
    mask. So with a mask of 0022 this leaves me with default permissions of 755

    755 seems to mean that the owner can do anything, the group and anybody
    else can read and execute the file. This seems insecure to me so I plan on
    changing my default umask to 0137 which would leave me with default
    permissions of 640. This would mean that the owner could read and write,
    the group could read and everybody else can bugger off. Or at least it does
    if I have understood this right.

    Given that the above is correct, I have two questions.

    1. Where do I set the umask so it affects ALL users who have an account?
    2. Would root still have access to the files even if read only?
    If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)


    My new blog. It's probably not as good as I think it is.
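
An added example (not part of the thread, and not any poster's code): the kernel clears the umask bits from the mode a program requests, which is 666 for `touch` and 777 for `mkdir`, so this sketch compares the computed mode with what is really created under 0022, 0137 and 027. The function names are hypothetical and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: what a umask produces for new files and directories.
# Assumes GNU coreutils stat (-c %a); all paths are temporary and constructed here.

# Predicted mode: the requested mode with the umask bits cleared
# (a bitwise AND NOT, which is not the same as octal subtraction).
predicted_mode() {   # $1 = requested mode (666 or 777), $2 = umask
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Observed mode: create a file and a directory under the umask inside a
# subshell, so the caller's own umask is left untouched.
observed_modes() {   # $1 = umask; prints "<file mode> <dir mode>"
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        touch "$tmp/f"
        mkdir "$tmp/d"
        f=$(( 0$(stat -c %a "$tmp/f") & 0777 ))
        d=$(( 0$(stat -c %a "$tmp/d") & 0777 ))
        chmod 700 "$tmp/d"          # make sure cleanup can enter the directory
        rm -rf "$tmp"
        printf '%03o %03o\n' "$f" "$d"
    )
}

# Compare prediction and observation for the masks discussed in the thread,
# plus 027 as a further mask for comparison.
for mask in 0022 0137 027; do
    printf 'umask %-4s predicted: %s %s  observed: %s\n' "$mask" \
        "$(predicted_mode 666 "$mask")" "$(predicted_mode 777 "$mask")" \
        "$(observed_modes "$mask")"
done
```

Under 0137 a new directory comes out as 640, without the search (x) bit, while 027 gives 640 for files and 750 for directories.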

  2. #2
    Linux Guru Jonathan183's Avatar
    Join Date
    Oct 2007
    Posts
    2,941
    It looks as though you can set umask in /etc/profile as a default value based on this. Since umask is just used to set the default permissions for files and directories you can play around with file permissions - setting a value of 0 for a file using chmod still seems to allow file reading by root ... but then since I've done this in Mint it may be a sudo effect.
    Code:
    jonathan@jonathan-desktop:~$ ls -l
    total 2516
    drwxr-xr-x 2 jonathan jonathan    4096 2008-05-03 22:08 Desktop
    drwxr-xr-x 2 jonathan jonathan    4096 2008-04-13 21:00 Documents
    drwxr-xr-x 2 jonathan jonathan    4096 2008-04-13 21:00 Downloads
    -rw-r--r-- 1 jonathan jonathan 2535086 2008-05-03 21:30 Firefox_wallpaper.png
    drwxr-xr-x 2 jonathan jonathan    4096 2008-04-13 21:00 Music
    drwxr-xr-x 3 root     root        4096 1970-01-01 01:00 Network
    drwxr-xr-x 2 jonathan jonathan    4096 2008-04-13 21:00 Pictures
    drwxr-xr-x 2 jonathan jonathan    4096 2008-04-13 21:00 Projects
    drwxr-xr-x 2 jonathan jonathan    4096 2008-04-13 21:00 Templates
    ---------- 1 jonathan jonathan      49 2008-05-13 23:09 test.txt
    drwxr-xr-x 2 jonathan jonathan    4096 2008-04-13 21:00 Videos
    jonathan@jonathan-desktop:~$ cat test.txt
    cat: test.txt: Permission denied
    jonathan@jonathan-desktop:~$ sudo cat test.txt
    wtf - lets just see if root can see this or not!
    jonathan@jonathan-desktop:~$

  3. #3
    Linux Guru
    Join Date
    Nov 2007
    Location
    Córdoba (Spain)
    Posts
    1,513
    Your understanding is correct.

    Quote Originally Posted by elija View Post
    1. Where do I set the umask so it affects ALL users who have an account?
    It depends on the shell that you are using and whether or not it's a login shell. I wrote about this around 3 years ago here:

    Gentoo Forums :: View topic - [bash] - What I know about config files - (Lil howto)

    It's a Gentoo forum, but the info on that post is for bash, it doesn't matter the distro really.

    2. Would root still have access to the files even if read only?
    Root always has access to all files, even if they are chmoded 000

    EDIT: There might be more distro-specific ways to do it, that depends on the distro you use and its init system mostly.

  4. #4
    Linux Newbie tiersen's Avatar
    Join Date
    May 2008
    Location
    Tokyo,Japan
    Posts
    226
    You can also add the umask command to your ~/.bashrc file
    Code:
    $ vi ~/.bashrc
    Modify the following line to set up the value you want
    Code:
    umask 022

  5. #5
    Linux Newbie SagaciousKJB's Avatar
    Join Date
    Aug 2007
    Location
    Yakima, WA
    Posts
    162
    Not sure if this is a distribution specific solution, but I'm using Kubuntu...

    Code:
    -K, --key KEY=VALUE
               Overrides /etc/login.defs defaults (UID_MIN, UID_MAX, UMASK, PASS_MAX_DAYS and others).
    From 'man useradd'

    Basically, you can modify the /etc/login.defs file to specify a default umask from this point on...

    As far as modifying current users goes, I'm not really sure. I might be incorrect in assuming this, but wouldn't specifying a umask in bash effectively make programs that were launched in a different shell not respect this umask at all?

    I'm not sure that trying to set all of the users on a system to have the same umask is a good idea, because some of the accounts may be system accounts or the like that need to write files with default permissions of their own.

    I suppose the easiest solution would be to grep /etc/passwd for users with "bash" as their shell to ensure the likelihood they're user accounts, compile a list of those users, and then recursively change their umask... Something like this should do.

    Code:
    grep -i bash /etc/passwd | egrep -o \([a-z]\{1,}\):x | sed "s/:x//g" | while read user; do sudo su "$user" --command "umask 0137 && exit" ; done
    "sudo su user" bypasses need for a password so long as you already have a sudo session authorized, and as long as you're using shadows, that should work. I tested it on my Kubuntu box using just "umask" to list the user's umask, and it seemed to work fine.

    This is the exact command I used, with "id" to ensure that it was operating on a different account

    Code:
    grep -i bash /etc/passwd | egrep -o \([a-z]\{1,}\):x | sed "s/:x//g" | while read user; do sudo su "$user" --command "umask && id && exit" ; done
    The output:

    Code:
    0022
    uid=0(root) gid=0(root) groups=0(root),109(admin)
    0022
    uid=1000(sagacious) gid=1000(sagacious) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(scanner),108(lpadmin),109(admin),115(netdev),117(powerdev),127(sambashare),1000(sagacious),1003(xcet)
    0022
    uid=1001(owtch) gid=1001(owtch) groups=1001(owtch)
    Hope this helps.
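
An added example (not part of the thread, and not any poster's code): umask is a per-process attribute, so a value set inside a child process ends with that process, while a value set before a program starts is inherited by it. The sketch below shows both directions and reads the UMASK entry from a login.defs-style file; the function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: umask belongs to a process and is inherited by its children.

# A child shell changes its own umask and exits; print the caller's umask
# afterwards to show it is unchanged.
parent_umask_after_child() {   # $1 = umask the child sets
    sh -c 'umask "$1"' sh "$1"
    umask
}

# A umask set before a program starts is the one that program runs with.
child_umask_when_parent_sets() {   # $1 = umask set in the parent
    ( umask "$1"; sh -c 'umask' )
}

# Print the first uncommented UMASK value from login.defs-style text on stdin.
login_defs_umask() {
    awk '$1 == "UMASK" { print $2; exit }'
}

# Constructed sample in the key/value layout of /etc/login.defs.
sample_login_defs() {
    cat <<'EOF'
# UMASK 077   (commented out, ignored)
UID_MIN   1000
UMASK     027
EOF
}

echo "caller umask before:           $(umask)"
echo "caller umask after child:      $(parent_umask_after_child 0137)"
echo "child started under 0137 sees: $(child_umask_when_parent_sets 0137)"
echo "UMASK in sample login.defs:    $(sample_login_defs | login_defs_umask)"
```

To audit a real system, feed the actual file to the same function: `login_defs_umask < /etc/login.defs`.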
