How to have readable and writable by user and primary group (users) as default permission for new files created by users

laptop n°2-on my laptop TUXEDO InfinityBook Pro fresh upgraded from LEAP 15.6 KDE to leap 16.0
ssd disk=2Tb, CPU= Intel Core i7-8565U, RAM=32Gb, GPU=Intel UHD Graphics 620 (Whiskey Lake) Driver: “i915”;
boot=tri boot (leap 15.5, leap 16.0, windows 10)

I would like to have readable and writable by user and primary group (users) as default permission for new files created by users
I remember that I did it as in this thread

I tried doing:
setting UMASK 0002 or umask 0002 in /home/user/.profile
and
in /etc/login.defs setting UMASK 002
and
in
/etc/profile setting UMASK 002
but it doesn't work
what do I have to do to have readable and writable by user and primary group (users) as default permission for new files created by users?

The command is umask.

Please read man umask.

yes, I read man umask but in which file do I have to insert it to have RW permission for user and group for the newly created files??

Well, the user can add

umask 002

to his own ~/.profile when he wants this effect.

And the system manager can add the same to /etc/profile as a default, which then can of course still be overruled by the user.

And then there is /etc/login.defs. Look there to read yourself. And notice that there it is NOT a statement, but a variable with name UMASK.


You can NOT set that. With umask, you can only mask (switch off) bits, not set them.
E.g. a umask of 002 will switch off the write bit for others/world when a file is created from the settings the file creation request suggests. So when a process (program) asks the kernel to create a new file with permission bits rwxr-xr-x and the umask is 002, the result will be rwxr-xr-x because only the w bit for others is masked off. The w bit for group is not masked off, but it was not in the pattern at all, thus it did not change and is certainly not set…
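The "umask only clears bits" rule above, as an added shell example that is not part of the thread: `apply_umask` computes what the kernel grants (requested mode AND NOT umask), and `created_mode` checks the real result of touch (requests 666) and mkdir (requests 777) under a given umask, using GNU stat (assumed available).

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates that a umask can only
# switch bits off: the granted mode is REQUESTED & ~UMASK, never more.

# apply_umask REQUESTED UMASK: both are octal strings as umask(1) shows them;
# prints the resulting mode in octal.
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}
# The case from the post: rwxr-xr-x (755) requested with umask 002 stays 755,
# because the only bit 002 could clear (others' w) was never requested.
# Likewise 644 with umask 000 stays 644: umask 000 does not add group write.

# created_mode UMASK: creates a file and a directory under a temp dir with the
# given umask in effect and prints "<filemode> <dirmode>" as stat(1) reports.
created_mode() {
    d=$(mktemp -d)
    # run in a subshell so the umask change does not leak into the caller
    ( umask "$1"; touch "$d/f"; mkdir "$d/sub" )
    f=$(stat -c '%a' "$d/f"); s=$(stat -c '%a' "$d/sub")
    rm -rf "$d"
    echo "$f $s"
}
```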

Isn’t that subject to revert from updates to aaa_base? That shouldn’t happen with umask setting in /etc/profile.local.

Don’t know if Leap is different, but here on Tumbleweed neither writing “umask 002” to /etc/profile nor to /etc/profile.local has any visible effect.
Something gets in the way (pam?); relevant files in a default install seem to offer conflicting, possibly outdated advice on how to change the default umask for any or all users.

In general you set the required permissions for group r/w access, and set the directory's group and SGID bit so that new files inherit the directory's group…

chgrp sharedgroup /path/to/dir
chmod g+s /path/to/dir

After that, any files created in this directory will have the correct group assignment.

Mystery solved: Leap is indeed different.
For Tumbleweed please see bug 1217414: there is a file /etc/login.defs.d/70-yast.defs that overrides the system default.
Leap 16.0 has no YaST, so no such yast.defs file, but it is still governed by pam so /etc/profile still reads:

# The global umask value is stored in /etc/login.defs and
# will be set by pam_umask.so (see "man pam_umask").
#umask 022

so writing to /etc/profile does not work either.
That is true for Leap 15.6 as well, but not having "migrated" /etc to /usr/etc, Leap 15.6 still has a /etc/login.defs file where you can still change the default umask for all users including root, and that file is still read by pam.
Needless to say, it is safer to change the umask on a per-user basis rather than changing the system default (unless you know very well what you are doing).

Hope this helps casual users stumbling upon this thread.

Further details in file-management.html
(Please note that there is no such document for SLES 16.0 yet)

many thanks bruno
interesting, so reading

11.4.1 Adjusting the default umask I have to
“For individual users, add the umask to the ‘gecos’ field in /etc/passwd like this:”

tux:x:1000:100:Tux Linux,UMASK=022:/home/tux:/bin/bash
the /etc/passwd file seems dangerous, is it safe to edit it and add what is suggested??

then I did a test:
summarized at the end with comments, and I ask you what I have to do to have in
laptop3 leap upgraded 15.6 to 16.0
a umask 002, needed to create user and group files

another interesting point you posted

11.6 World-writable files
where I cannot understand how to have it automatically on the usb disks

=============

laptop4 leap 15.6 user=pla

pla@plaTW:~> ll /media/
total 12
drwxrwxrwx 13 root root 12288 Mar  6 10:00 backup5
pla@plaTW:~>
pla@plaTW:~> umask
0002
pla@plaTW:~>
pla@plaTW:~> cd /media/backup5/
pla@plaTW:/media/backup5> touch test-lap4-15.6-pla.txt
pla@plaTW:/media/backup5> ll | grep -i test
-rw-rw-r--  1 pla    users      0 Mar  6 10:10 test-lap4-15.6-pla.txt
pla@plaTW:/media/backup5>
pla@plaTW:/media/backup5> cat /etc/profile | grep -i umask
# The global umask value is stored in /etc/login.defs and
# will be set by pam_umask.so (see "man pam_umask").
#umask 022
pla@plaTW:/media/backup5>
pla@plaTW:/media/backup5> cat /etc/profile.local | grep -i umask
cat: /etc/profile.local: No such file or directory
pla@plaTW:/media/backup5>
pla@plaTW:/media/backup5> cat /usr/etc/profile.local | grep -i umask
cat: /usr/etc/profile.local: No such file or directory
pla@plaTW:/media/backup5>
pla@plaTW:/media/backup5> cat /usr/etc/profile | grep -i umask
cat: /usr/etc/profile: No such file or directory
pla@plaTW:/media/backup5>
pla@plaTW:~> cat /home/pla/.profile | grep -i umask
pla@plaTW:~>
pla@plaTW:~> cat /etc/login.defs | grep -i umask
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
UMASK           002
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
# Enable setting of the umask group bits to be the same as owner bits
pla@plaTW:~>
pla@plaTW:~> cat /etc/login.defs.d/70-yast.defs | grep -i umask
UMASK 022
pla@plaTW:~>
pla@plaTW:~> cat /etc/pam.d/login | grep -i umask
pla@plaTW:~>
pla@plaTW:~> cat /usr/etc/login.defs | grep -i umask
cat: /usr/etc/login.defs: No such file or directory
pla@plaTW:~>

=================

laptop3 leap upgraded 15.6 to 16.0 user=pla

pla@localhost:~> ll /media/
total 272
drwxrwxrwx  13 root   root   12288 mar  6 17:29 backup5
drwxrwxrwx  10 pla    users   4096 mar  5 09:31 backup6
drwxr-xr-x. 54 camera users 262144 mar  3 16:32 cassapanca>>>>>>>>>>>this is exfat fs
pla@localhost:~> 
pla@localhost:~> umask
0022>>>>>>>>>>>>>>>>>>>>>>why 0022 and not 0002??
pla@localhost:~> 
pla@localhost:~> cd /media/backup5/
pla@localhost:/media/backup5> touch test-lap3-16.0u-pla.txt
pla@localhost:/media/backup5> ll | grep -i test
-rw-r--r--. 1 pla      users      0 mar  6 17:33 test-lap3-16.0u-pla.txt>>>>>>>>>>>why rw-r and why the dot?
-rw-rw-r--  1 pla      users      0 mar  6 10:10 test-lap4-15.6-pla.txt
pla@localhost:/media/backup5> 
pla@localhost:/media/backup5> cat /etc/profile | grep -i umask
# The global umask value is stored in /etc/login.defs and
# will be set by pam_umask.so (see "man pam_umask").
umask 002
pla@localhost:/media/backup5> 
pla@localhost:/media/backup5> cat /etc/profile.local | grep -i umask
# The global umask value is stored in /etc/login.defs and
# will be set by pam_umask.so (see "man pam_umask").
umask 002
pla@localhost:/media/backup5> 
pla@localhost:~> cat /usr/etc/profile.local | grep -i umask
cat: /usr/etc/profile.local: No such file or directory
pla@localhost:~> 
pla@localhost:~> cat /usr/etc/profile | grep -i umask
pla@localhost:~> 
pla@localhost:/media/backup5> cat /home/pla/.profile | grep -i umask
umask 002
pla@localhost:/media/backup5> 
pla@localhost:/media/backup5> cat /etc/login.defs | grep -i umask
cat: /etc/login.defs: No such file or directory
pla@localhost:/media/backup5> 
pla@localhost:/media/backup5> cat /etc/login.defs.d/70-yast.defs | grep -i umask
UMASK 022
pla@localhost:/media/backup5> 
pla@localhost:/media/backup5> cat /etc/pam.d/login | grep -i umask
session optional pam_umask.so umask=0002
pla@localhost:/media/backup5> 
pla@localhost:~> cat /usr/etc/login.defs | grep -i umask
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
UMASK           002
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
# Enable setting of the umask group bits to be the same as owner bits
pla@localhost:~> 

=================

laptop2 leap 16.0 fresh installed user=eros

eros@localhost:~> ll /media/
total 12
drwxrwxrwx 13 root root 12288  6 mar 17.52 backup5
eros@localhost:~>
eros@localhost:~> umask
0002
eros@localhost:~>
eros@localhost:~> cd /media/backup5/
eros@localhost:/media/backup5> touch test-lap2-16.0i-eros.txt
eros@localhost:/media/backup5> ll | grep -i test
-rw-rw-r--  1 eros     users    1092  6 mar 18.56 etc profile test table.txt
-rw-rw-r--  1 eros     users       0  6 mar 19.03 test-lap2-16.0i-eros.txt
-rw-r--r--. 1 eros     users       0  6 mar 17.41 test-lap3-16.0u-pla.txt
-rw-rw-r--  1 eros     users       0  6 mar 10.10 test-lap4-15.6-pla.txt
eros@localhost:/media/backup5>
eros@localhost:/media/backup5> cat /etc/profile | grep -i umask
# The global umask value is stored in /etc/login.defs and
# will be set by pam_umask.so (see "man pam_umask").
#umask 022
eros@localhost:/media/backup5>
eros@localhost:/media/backup5> cat /etc/profile.local | grep -i umask
cat: /etc/profile.local: No such file or directory
eros@localhost:/media/backup5>
eros@localhost:~> cat /usr/etc/profile.local | grep -i umask
cat: /usr/etc/profile.local: No such file or directory
eros@localhost:~>
eros@localhost:~> cat /usr/etc/profile | grep -i umask
eros@localhost:~>
eros@localhost:/media/backup5> cat /home/eros/.profile | grep -i umask
eros@localhost:/media/backup5>
eros@localhost:/media/backup5> cat /etc/login.defs | grep -i umask
cat: /etc/login.defs: No such file or directory
eros@localhost:/media/backup5>
eros@localhost:/media/backup5> cat /etc/login.defs.d/70-yast.defs | grep -i umask
cat: /etc/login.defs.d/70-yast.defs: No such file or directory
eros@localhost:/media/backup5>
eros@localhost:/media/backup5> cat /etc/pam.d/login | grep -i umask
cat: /etc/pam.d/login: No such file or directory
eros@localhost:/media/backup5>
eros@localhost:~> cat /usr/etc/login.defs | grep -i umask
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
UMASK           002
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
# Enable setting of the umask group bits to be the same as owner bits
eros@localhost:~>
-------------------------------------------------------------------------
                                15.6         16.0i           16.0u
-------------------------------------------------------------------------
usb mounted disk             drwxrwxrwx    drwxrwxrwx      drwxrwxrwx
umask                           0002        0002         0022 why not 0002?
touch test                    -rw-rw-r--   -rw-rw-r--    -rw-r--r--. why rw-r and the dot?
cat file | grep -i umask in:
/etc/profile                  #umask 022   #umask 022       umask 002
/etc/profile.local             no file      no file         umask 002
/usr/etc/profile.local         no file      no file         no file
/usr/etc/profile               no file      nothing         nothing
/home/user/.profile            nothing      nothing         umask 002
/etc/login.defs                UMASK 002    no file         no file
/etc/login.defs.d/70-yast.defs UMASK 022    no file         UMASK 022
/etc/pam.d/login               nothing      no file         session optional pam_umask.so umask=0002
/usr/etc/login.defs            no file      UMASK 002       UMASK 002

Sorry, I cannot follow your “experiments” and give relevant advice about that (also because you may have done other tweaks that you didn’t tell…) but generally speaking:

  • in openSUSE the default umask is set by pam:
  • reading the relevant man pam_umask:
   The PAM module tries to get the umask value from the following places in the following order:
    •   umask= entry in the user's GECOS field (see below for details)
    •   umask= argument
    •   UMASK entry from /etc/login.defs
    •   UMASK= entry from /etc/default/login

So that:

  • editing /etc/passwd for individual users prevails over everything else; you must pay attention to what you do but it is "safe" if done properly;
  • if there is no /etc/login.defs file PAM reads the snippets in /etc/login.defs.d/, including the leftover /etc/login.defs.d/70-yast.defs from 15.6 when you upgrade to 16.0;
  • other files like profile files are not relevant.
  • if nothing relevant is found, the default 022 is set.

So I guess that if you delete the /etc/login.defs.d/70-yast.defs file in the 16.0u system you should be able to configure the default umask either in the GECOS field of selected users (safe option on a shared system) or by adding a relevant snippet to /etc/login.defs.d/.

I don’t understand what you are looking for.
If you mean “how can I check automatically for world writable files in the usb disks”, considering that usb disks are normally mounted to /run/media/<username>/… you can check for world writable files in usb disks with:

find /run/media -type f -perm -2 ! -type l -ls
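The lookup order quoted from man pam_umask above, and the 15.6 / 16.0i / 16.0u columns of the table, as an added shell emulation (not code from the thread or from pam): it resolves a user's umask from constructed copies of the files, never the live system ones. The treatment of /usr/etc/login.defs as vendor defaults that the /etc/login.defs.d/*.defs snippets override when /etc/login.defs is absent is an assumption about the libeconf merge order.

```shell
#!/bin/sh
# Added example: emulates the pam_umask(8) lookup order on constructed files.
# Assumption: when /etc/login.defs is missing, /usr/etc/login.defs is read
# first and /etc/login.defs.d/*.defs snippets override it (libeconf order).

# resolve_umask USER ROOT [MODULE_ARG]
# ROOT holds passwd, login.defs, usr-login.defs, login.defs.d/, default-login,
# standing in for /etc/passwd, /etc/login.defs, /usr/etc/login.defs, ...;
# MODULE_ARG is the optional umask= argument of the pam_umask.so line.
resolve_umask() {
    user=$1 root=$2 modarg=$3 v=
    # 1. umask= entry in the user's GECOS field (5th field, case-insensitive)
    v=$(awk -F: -v u="$user" '$1==u {print $5}' "$root/passwd" | tr ',' '\n' \
        | tr '[:upper:]' '[:lower:]' | sed -n 's/^ *umask=//p' | head -n1)
    [ -n "$v" ] && { echo "$v"; return; }
    # 2. umask= argument given to the module
    [ -n "$modarg" ] && { echo "$modarg"; return; }
    # 3. UMASK from login.defs: /etc/login.defs when present, otherwise the
    #    vendor file followed by the snippets; the last value wins
    if [ -f "$root/login.defs" ]; then
        v=$(awk '$1=="UMASK" {print $2}' "$root/login.defs" | tail -n1)
    else
        v=$(cat "$root/usr-login.defs" "$root"/login.defs.d/*.defs 2>/dev/null \
            | awk '$1=="UMASK" {print $2}' | tail -n1)
    fi
    [ -n "$v" ] && { echo "$v"; return; }
    # 4. UMASK= from /etc/default/login
    v=$(sed -n 's/^UMASK=//p' "$root/default-login" 2>/dev/null | tail -n1)
    [ -n "$v" ] && { echo "$v"; return; }
    echo 022   # 5. nothing found: pam_umask's built-in default
}

# make_fixture DIR VARIANT: constructed files mirroring the table's columns
# (15.6, 16.0i fresh install, 16.0u upgraded) plus user tux with a GECOS umask.
make_fixture() {
    mkdir -p "$1/login.defs.d"
    printf 'tux:x:1000:100:Tux Linux,UMASK=002:/home/tux:/bin/bash\n' > "$1/passwd"
    printf 'pla:x:1001:100:pla:/home/pla:/bin/bash\n' >> "$1/passwd"
    case $2 in
        15.6)  printf 'UMASK 002\n' > "$1/login.defs"
               printf 'UMASK 022\n' > "$1/login.defs.d/70-yast.defs" ;;
        16.0i) printf 'UMASK 002\n' > "$1/usr-login.defs" ;;
        16.0u) printf 'UMASK 002\n' > "$1/usr-login.defs"
               printf 'UMASK 022\n' > "$1/login.defs.d/70-yast.defs" ;;
    esac
}
```

Run `resolve_umask pla DIR` after `make_fixture DIR 16.0u` to see the leftover 70-yast.defs win with 022, and `resolve_umask tux DIR` to see the GECOS entry prevail.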

many thanks, this worked for all the laptops 15.6, 16.0i and 16.0u
editing /etc/passwd with vipw and modified as in this example
tux:x:1000:100:Tux Linux,UMASK=000:/home/tux:/bin/bash
now works very well
I decided on UMASK=000 because it is for an individual user and not globally

I would prefer UMASK=002 since 000 gives anybody having access to the system permission to write and change any file originally created by such configured users.
I would not let my cat change executable files on my system (unless my cat belongs to the “user” group of course :smiley: ).


I think your cat is root :rofl:
this preference is for a laptop without users in the users group, so the files created by the user eros in the users group can be read and written by the user procuste in the group procuste

