won’t/can’t argue the “correct” way to do it system wide (this looks
good to me), but wonder if i really want everyone being able to read
everyone else’s files? (as the 002n allows)
I guess that most of us thought the value being an example. Everybody will fill in a value of his/her own choice according to what one needs.
And an umask of 027 does NOT allow everybody to read a file. It will on creation of a file mask off the write bit for group and ALL bits for others. Thus when the owner does not change those access bits later, only the user and members of his group can read the file, others cannot!
but, i also wonder if the machine would catch on fire or melt if i used
pam-config to set 0077…
wouldn’t that make everyone stay out of my files…but, would it break
anything??
The PAM value would set an umask value for some processes (not all programs are PAM aware) and those programs will then create files with access bits according to the access bits the program thinks fit for that file, masked with the umask (as defined in PAM). When this results in setting no rwx bits for group and others, then the user only can rwx the file. As said earlier, I did this always (being an ordinary user I did this by setting umask in my .profile).
But yes, it can break something. When user a creates files and assumes that user b (not in his group) can read them because the default umask allows this and then from day X the system manager changes to a more restrictive value where the others bits are masked off, this user a can then claim that his way of working is broken. He can of course adapt by doing a chmod o+r a.s.a.p. after creation, but he may be upset (especially when not informed of the upcoming change in time).
I do not know much of PAM (just read a bit around the last half an hour). But programs must be PAM aware (meaning that calls to the PAM libraries must be coded in it). Thus setting this value in PAM may influence Dolphin (I do not know, but I guess), but I doubt it will influence simple programs like touch.
A question that arises for me is, if I have set a very restrictive umask for my sessions (like 077) and the system manager put a less restrictive one (like 027) in PAM, what would a PAM aware program do? Create with my mask or with the PAM mask? The latter option would make me very angry of course.
And last, about “the system on fire”. I guess most system tools will not be PAM aware. Those tools know in general very well how access bits must be set for every individual file they create. It might even be a good idea for those tools to set the access bits explicitly to the correct values after creating the file (I do this in several scripts). BTW, it could even be true that PAM will not change the umask to the PAM value when it is a root process.
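The masking described in the replies above, as an added shell example that is not part of the thread (it assumes a POSIX sh with mktemp and ls, and shows only the kernel's umask behaviour; PAM is not involved). The last function shows the "set the access bits explicitly after creating the file" approach the reply recommends for scripts.

```shell
# Added example, not from the thread: the kernel clears every bit that is
# set in the umask from the mode a program asks for. touch asks for 0666
# and mkdir for 0777, so one umask gives different results for the two.

# Permission string such as "-rw-r-----" for a path; cut drops any
# trailing ACL/SELinux marker that some ls variants append.
perms() {
    ls -ld "$1" | cut -c1-10
}

# create_under_umask MASK DIR: create DIR/file and DIR/dir with MASK in
# force. The subshell keeps the caller's own umask untouched.
create_under_umask() {
    mask=$1
    dir=$2
    ( umask "$mask" && touch "$dir/file" && mkdir "$dir/dir" ) || return 1
    printf 'umask %s: file %s  dir %s\n' "$mask" \
        "$(perms "$dir/file")" "$(perms "$dir/dir")"
}

# create_explicit DIR: what a careful tool does. It creates the file and
# then chmods it to the bits it actually wants (here 640, owner rw and
# group r), so the outcome no longer depends on whatever umask the
# session or a PAM module imposed. chmod itself ignores the umask.
create_explicit() {
    dir=$1
    ( umask 077 && touch "$dir/shared" && chmod 640 "$dir/shared" ) || return 1
    perms "$dir/shared"
}

# Walk through the three values discussed in the thread.
# Expected: 022 -> -rw-r--r-- / drwxr-xr-x
#           027 -> -rw-r----- / drwxr-x---
#           077 -> -rw------- / drwx------
#           explicit chmod 640 under umask 077 -> -rw-r-----
scratch=$(mktemp -d)
for m in 022 027 077; do
    mkdir "$scratch/$m"
    create_under_umask "$m" "$scratch/$m"
done
create_explicit "$scratch"
rm -rf "$scratch"
```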