Home Wiki > SDB:Set UMASK
Sign up | Login


tagline: From openSUSE

Tested on openSUSE Recommended articles Related articles

Icon-manual.png Icon-help.png
This article describes how to set the UMASK value used when users log in and also the permissions mask on home directories for new users.


The question "How do I set umask?" comes up frequently on mailing lists and forums. Correct answer to this question is however rather very rare, because there are more ways to achieve, that umask command shows after the logging in a desired umask, but it doesn't always mean, that correct way has been used.

This article explains, what should be the 'correct' way to set persistently a system wide umask or per-user/per-group umask value set after logging in.

Procedure [ this chapter ain't completed, some polishing is required, be careful ]

Alter the UMASK value set when a User logs in

Very common way to change umask for users, is to put desired umask into the "profile.d" files. Changing the /etc/profile file is not recommended and this is even noted in the comment on first line of this file. Old-fashioned way is to create an /etc/profile.d/umask.sh file changing the umask (this file could have some script-based logic setting different umasks for different users or groups). Oftenly, the file $HOME/.profile is used for setting up the umask on per-user basis. Trying to set umask from other shellrc files (like .bashrc or .bash_profile) is completely wrong and unreliable. Even using profile.d/ or $HOME/.profile files is not 100% reliable (for example KDE doesn't source properly profile files to its session, so don't be surprised, that your fine functions and aliases from /etc/profile.d/my_perfect_functions.sh are not available in KDE shells whilst functions from .bashrc work).

Anyhow, changing the umask this way using profile files is deprecated and the following PAM method should be used.

Proper way to change a umask on system wide or per-user/group basis is using a PAM subsystem. Please note, that header comment in pam.d/ files discourages users from editing these files manually and that the manual change could be lost during the re-creation of these files using pam-config. Situation here is similar like in case of yast. Yast also doesn't like a manual changes to files managed by him. You could either use a pam-config method or manual configuration but pam-config is not omnipotent, some changes couldn't be done using this tool the same way as manual modification of pam.d/ files allows. From the perspective of skilled sysadmin should be preferred way to accomplish things "by to have trainwrecks under the control" so learning howto properly modify pam.d/ files should be preffered than using pam-config wrapper.

Example /etc/pam.d/common-session snippet to add at the and of this file for setting up different umask for not-users group (0027) and secret-agents group (0077) and user with uid 1005 (0002)

session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup not-users
session optional pam_umask.so umask=0027
session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
session optional pam_umask.so umask=0077
session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
session optional pam_umask.so umask=0002

Be aware, that last match overrides previous matches, so for example if your new user joe belongs to the group secret-agents and has uid 1005, the final umask for him will be 0002 with the code above.

Setting system-wide umask using pam-config method below should not be used for regular workstation. Setting up umask per user/group basis is recommended way to go. If you still want to do so, add to the /etc/pam.d/common-session following line (0027 is used in the example below):

session optional pam_umask.so umask=0027

Alter the Permissions Mask value applied to Home Directories of new Users

When new users are being added using useradd command, files /etc/default/useradd and /etc/login.defs are taken to the account providing the default values. Only experienced administrator who knows what he/she is doing could change these values. If you don't want to hassle with changing these defaults, use -K UMASK=$mask for applying the requested umask at newly created home directory and files. Example useradd command adding user joe with umask 0077 shall looks like this:

useradd -K UMASK=0077 -m joe

It's worth to note, that nothing is flawless and the resulting newly created home directory (and some files in) will have a correct permissions, but skel files will have in the most of cases permissions derived from default 0022 umask and manual change is required to correct these permissions. For more info check bug ID 943176.

In YAST this permissions mask is controlled from "User and Group Management" -> "Defaults for New Users" -> "Umask for Home Directory". The naming of this is perhaps confusing since it's a completely separate thing from the umask value in a logged in user session (see above).

See also

man pam_umask