How to set umask (esp. group write perms) for programs launched on gnome?

I am trying to set up a directory that is shared by two local users. I created a new group that both users belong to and a directory that is read and writable by anyone in the group.

Unfortunately, when I use gui file managers launched by gnome to create new directories in the shared directory, they do not have the group write bit set and the other user cannot write inside the just created directory.

The problem seems to be that for programs launched by gnome, the umask is set to 022 instead of 002, which means the group write bit is not set for anything newly created in those programs. If I set the umask to 002 in my .profile, everything works for directories created using the terminal, however gnome does not respect that setting.

I read that gnome uses systemd for the umask setting, which is 022 by default. A few months back, the issue already popped up on the fedora forums. I tried the accepted solution and added:

[Service]
UMask=0002

to /etc/systemd/system/user@.service.d/override.conf by calling

sudo systemctl edit user@.service

Unfortunately this did not work for me. It did not seem to have any effect on my system, umask was still 022. Does anyone know why the above did not change the umask and how I could fix this?

I am on tumbleweed, kernel 6.5.9, using gnome 45.

@pureness589 Hi, systemd uses priorities, so it should be prefaced by a number to override any default, just a name will go to the end of the list… Try 10-override.conf and see if that makes a difference.

Unfortunately, that did not work.
I searched further and I think I opened a can of worms here.

This bug thread seems to be the most exhaustive treatment of the issue, but it didn’t have a working solution.

I also tried to add the line

session optional pam_umask.so umask=0002

to /etc/pam.d/login or /etc/login.defs, as explained in man pam_umask which also did not work.

I also tried to add

[Login]
UMask=0002

to /etc/systemd/logind.conf.d/umask.conf, which, unsurprisingly, also did not work.

https://github.com/systemd/systemd/issues/16963
https://github.com/systemd/systemd/pull/15318
and
https://github.com/systemd/systemd/issues/6077
seem to be related, but I could not reach a solution reading them.

I am close to giving up, I spent way too much time on this already and nothing seems to pan out here.

just adding more resources I was able to discover:
There was also a bug in RHEL only fixed in July related to this issue

There is also an entry in the RHEL knowledgebase that lists related issues.

Does anyone know of attempts to fix this in the SUSE environment?

@pureness589 Did you try adding to session optional pam_umask.so silent before session optional pam_umask.so in /etc/pam.d/common-session-pc?


My God. That was it, thank you so much!!
In /etc/pam.d/common-session-pc, having the line

session optional        pam_umask.so    silent umask=0002

changes the umask successfully for all users:

$ umask
002

And now I can finally create writable shared directories :)

Do you also happen to know what the significance of the comment in the common-session-pc is?

It says:

This file is autogenerated by pam-config. All manual changes will be overwritten!
[...]
Never edit or delete common-*-pc or postlogin-*-pc files!

And there is an instruction for creating PAM configuration files:

# The pam-config configuration files can be used as template
# for an own PAM configuration not managed by pam-config:
#
# for i in account auth password session session-nonlogin; do \
#      rm -f common-$i; sed '/^#.*/d' common-$i-pc > common-$i; \
# done
# for i in account auth password session; do \
#      rm -f postlogin-$i; sed '/^#.*/d' postlogin-$i-pc > postlogin-$i; \
# done

I have to admit, I have no experience with PAM and I don’t really know what those commands do, so are you able to point me towards what I should be doing here? Is it fine to just leave the edit in common-session-pc? Or do I have to create my own files with the above instructions?

Greatly appreciate your help.

@pureness589 Alas I’m like you with respect to pam… Suggest you start a new thread on the subject.

It does what it says! Each time pam-config is executed your changes will be overwritten. Replace the link common-session by a file with the same name and proper content:

6700k:/etc/pam.d # ll common-session
-rw-r--r-- 1 root root 189 Nov 12 06:14 common-session
6700k:/etc/pam.d # cat common-session
#%PAM-1.0
session optional        pam_systemd.so
session required        pam_limits.so
session required        pam_unix.so     try_first_pass 
session optional        pam_umask.so    umask=0002
session optional        pam_env.so
6700k:/etc/pam.d # 

pam-config supports pam_umask.

pam-config -a --umask --umask-silent --umask-umask=0002

Read man pam-config


openSUSE and SUSE both have nice documentation:

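A way to confirm which umask a GUI-launched process actually has, and what that mask does to newly created directories. This is an added example, not part of any post in the thread. The function names are made up for illustration, and it assumes Linux 4.7 or later (for the `Umask:` field in /proc/PID/status) and GNU stat.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Pass the PIDs to inspect, for
# instance the PID of the file manager started from the GNOME session.
# With no argument it reports on the shell running the script.

# mode_under_umask MASK -> octal mode of a directory created under MASK
mode_under_umask() {
    (
        umask "$1" || exit 1
        d=$(mktemp -d) || exit 1   # scratch directory, removed below
        mkdir "$d/new"             # mkdir requests 0777; the kernel clears the umask bits
        stat -c '%a' "$d/new"
        rm -rf "$d"
    )
}

# group_writable MASK -> succeeds if directories created under MASK keep g+w
group_writable() {
    mode=$(mode_under_umask "$1") || return 2
    # Leading 0 makes the shell read the mode as octal; bit 2 of the
    # group digit is the group write bit.
    [ $(( (0$mode >> 3) & 2 )) -ne 0 ]
}

# proc_umask PID -> umask of a running process, read from /proc
proc_umask() {
    awk '$1 == "Umask:" { print $2 }' "/proc/$1/status" 2>/dev/null
}

# report PID... -> one line per process: umask, resulting mode, verdict
report() {
    for pid in "$@"; do
        m=$(proc_umask "$pid") || continue
        [ -n "$m" ] || continue    # no Umask: field (kernel older than 4.7)
        if group_writable "$m"; then
            verdict="group can write"
        else
            verdict="group CANNOT write"
        fi
        printf 'pid %s: umask %s -> new directories get %s (%s)\n' \
            "$pid" "$m" "$(mode_under_umask "$m")" "$verdict"
    done
}

report "${@:-$$}"
```

Run before and after the PAM change (log out and back in between): a process started from the desktop session should move from umask 0022 to 0002.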