Is there any distro / dm that allows the user to uniformly change his or her umask?

motivation

New Member
Joined
Nov 28, 2022
Messages
17
Reaction score
13
Credits
249
Conventionally a user will set his or her umask in ~/.profile. It might also appear in ~/.bashrc or ~/.kshrc etc.

Since 2016 posts started appearing pointing out that programs run from display managers ignored the user's umask that appeared in ~/.profile. I believe this is related to the move to systemd. However, programs running from shells respect the user's umask, thus leading to a mishmash of file access settings among files made even by the same program, and user confusion.

Some lightdm documentation I found says that it reads ~/.profile. However, we just did a Parrot Linux install, which uses lightdm, and to the unhappy surprise of at least one user, it has been ignoring the user's umask, and has been making all her files world readable. (I posted on Parrot forums in their help for install section, and for 3 days have received no answer, so at least among those who monitor that forum it appears that no one knows how to set the umask.)

In my opinion umask is an integral part of unix security, so it indicates an inattention to security details for a distro when a user umask is ignored, or even worse, partially ignored, with a different umask when a program comes from a menu than when it is invoked from a shell. This is my opinion; other people might not be concerned when users are forced to make their files world readable to use programs from the GUI, or even think that is an advantage. I would be glad to hear the reasoning for that.

So my question to this board is: is there a Linux distro or perhaps a dm where, after a default install, users may set their umask value? (Setting it in ~/.profile would be conventional, but it does not matter what the file is called.) It has been a long time since 2016, so perhaps someone has integrated this.
 


KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
8,071
Reaction score
6,928
Credits
65,521
They should be able to set it in their ~/.bashrc - it's octal. So it'd look something like:

Code:
umask 777

Users have access to their own .bashrc file and can edit it as much as they want.

Should... Should work... Should have...

Hmm... Lemme look this up before I hit the post reply button. I'm not certain.

Yeah, take a look at this page:

 

osprey

Well-Known Member
Joined
Apr 15, 2022
Messages
404
Reaction score
316
Credits
3,691
Motivation wrote:
In my opinion umask is an integral part of unix security, so it indicates an inattention to security details for a distro when a user umask is ignored, or even worse, partially ignored, with a different umask when a program comes from a menu than when it is invoked from a shell.
In debian, there is a comment in the ~/<user>/.profile thus:
Code:
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
However, an inspection of /etc/profile shows an absence of umask setting:
Code:
[[email protected] ~] grep -i umask /etc/profile
[[email protected] ~]

In fact the setting is in /etc/login.defs where the following comment is found:
Code:
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.

I can't say where other distributions put their configurations and comments on the matter, but I guess the predominant position, from debian at least, is that "There is no One True Answer here". In that case, it's perhaps no wonder why various applications exhibit different opinions reflected in what they honour. Very magnanimous.
 
motivation
KGIII wrote:
They should be able to set it in their ~/.bashrc - it's octal. So it'd look something like:

Code:
umask 777

Users have access to their own .bashrc file and can edit it as much as they want.

Should... Should work... Should have...

Run this little experiment.
1. run an editor program from the GUI menu (gnome, etc.) and save a file, say test1.txt. (do not launch it from a shell)
2. look at the permission of that file, you will see it is world readable.
3. change the umask setting in your .bashrc (or .profile etc.) to 0007. That will clear any world access privileges.
4. run the editor program from the GUI menu again, and save a file to a new file name, say test2.txt
5. check the mode bits on test2.txt and you will see that it is still world readable.
6. go back to that website you quoted and complain? lol

If on the other hand it works for you, please let me know so that I may learn more about your setup.
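
The experiment above checks file modes after the fact; the mask a running program holds can also be read directly. The script below is an added example, not part of any post in this thread: it reads the `Umask` field that Linux 4.7 and later expose in `/proc/<pid>/status` and lists a user's processes whose mask differs from the expected one. The function names and the output format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find processes whose umask differs
# from the one the user expects, using the Umask field that Linux >= 4.7
# exposes in /proc/<pid>/status.

# status_field FILE KEY
# Print the first value of one field (Umask, Name, Uid, ...) of a status file.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1" 2>/dev/null
}

# Succeed when a umask leaves the "other" read bit (octal 004) unmasked,
# i.e. files created under it will normally be world readable.
allows_world_read() {
    [ $(( 0$1 & 4 )) -eq 0 ]
}

# drift_report PROC_ROOT UID EXPECTED_UMASK
# Print "pid name umask flag" for every process owned by UID whose umask is
# not EXPECTED_UMASK. PROC_ROOT is normally /proc; it is a parameter so the
# function can also be run against a constructed directory.
drift_report() {
    root=$1 uid=$2 want=$(( 0$3 ))
    for st in "$root"/[0-9]*/status; do
        [ -r "$st" ] || continue
        [ "$(status_field "$st" Uid)" = "$uid" ] || continue
        mask=$(status_field "$st" Umask)
        [ -n "$mask" ] || continue            # zombies have no Umask line
        [ $(( 0$mask )) -eq "$want" ] && continue
        pid=${st%/status}
        pid=${pid##*/}
        if allows_world_read "$mask"; then
            flag=WORLD-READABLE
        else
            flag=differs
        fi
        printf '%s %s %s %s\n' "$pid" "$(status_field "$st" Name)" "$mask" "$flag"
    done
}

# Run as "sh script.sh --scan" from a terminal inside the desktop session:
# every line printed is a process that did not inherit the shell's umask.
if [ "${1:-}" = "--scan" ]; then
    drift_report /proc "$(id -u)" "$(umask)"
fi
```

Programs started from the desktop menu that show up in this report with mask 0022 are the ones that will keep writing world-readable files regardless of what ~/.profile says.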
 

KGIII

Super Moderator
Staff member
Gold Supporter
Joined
Jul 23, 2020
Messages
8,071
Reaction score
6,928
Credits
65,521
Try this...

Start VM.
Make folder tmp and enter it.
touch foo
ls -la to see permissions


use nano to edit ~/.bashrc
add 'umask 777'
save file

reboot VM
open terminal
cd tmp
touch bar
ls -la
note the change in permissions - different from foo vs bar


I'm using Lubuntu.

It works just fine.
 
motivation
osprey wrote:

In debian, there is a comment in the ~/<user>/.profile thus:
Code:
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
However, an inspection of /etc/profile shows an absence of umask setting:
Code:
[[email protected] ~] grep -i umask /etc/profile
[[email protected] ~]

I am asking about desktop login, not ssh login. Specifically where can a user set the umask and have it respected by programs launched by the desktop.


osprey wrote:
In fact the setting is in /etc/login.defs where the following comment is found:
Code:
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.

Two things about this. Firstly, go ahead and set a UMASK value there after a default Debian install. You will find it is ignored by programs run from the dm.

If you add the umask pam module as suggested for ssh above, *and* change the UMASK setting in /etc/login.defs, you will find that you have changed the default umask for all users.

Though you changed the default, the original question remains unchanged, you just have a different starting point.

[How does a user change his or her umask? ... On Debian if a user sets a new one in the ~/.profile then when a program is run from the desktop, it will still ignore the user's umask; however when the same program is run from a shell it will honor the user's umask. Files in the user's directory will be found with a mishmash of different mode bits. ... and do I want users mucking around in /etc and changing everyone's defaults? heck no.]

BTW, I did change the default in this manner, but the confusion for those in user space who set umasks continues on. My conclusion has been to disallow umask settings in .profile and .bashrc -- i.e. just live with the default. Dunno, maybe that is what the designer here intended.

osprey wrote:
I can't say where other distributions put their configurations and comments on the matter, but I guess the predominant position, from debian at least, is that "There is no One True Answer here". In that case, it's perhaps no wonder why various applications exhibit different opinions reflected in what they honour. Very magnanimous.

Actually that comment in the login.defs file just adds insult to injury. Because there is no one true answer, users need to be able to change it. But they can't. At least not on Debian.

When I saw the lightdm doc talking about reading the umask from ~/.profile, I thought, ah, someone has finally fixed this. However, when I installed a system that uses it, it does not work as advertised. ... So I came here to ask on which distro can a user set the umask for his or her desktop applications?
 
motivation
KGIII wrote:
Try this...

Start VM.
Make folder tmp and enter it.
touch foo
ls -la to see permissions

You are missing the point.

Launch a program from the menus to write a file. You will find it follows a different umask than that defined in your .bashrc (or .profile). This being the essence of the question. There was never any doubt that umask is working within terminals.
 

KGIII

Motivation wrote:
You are missing the point.

Now I get what you're saying. It may be my reading comprehension but it wasn't clear to me (or @osprey, it seems).

Have you seen this:


Which leads me to some other reading. It may be this way by default so that you don't end up creating files with the wrong permissions that then can't be (trivially) edited - such as one person complaining that changing umask had also messed with their network configuration files.

Hmm...

Yeah, I kinda see your point. It's possible to change it upstream and GUI apps then follow it, if you made the change at the window manager or the likes, but then regular users can't adjust it. Huh... While it might result in you shooting yourself in the foot, there should be an easier way to shoot yourself in said foot, but I am not finding a darned thing about it.
 
motivation
KGIII wrote:
Now I get what you're saying. It may be my reading comprehension but it wasn't clear to me (or @osprey, it seems).

The topic is nuanced. That is probably why it has persisted.

KGIII wrote:
Have you seen this:


Yes, same topic. And yes, this problem is ~~new. Before a user could change their ~/.xinitrc file to put X startup information in. That went away.

KGIII wrote:
Which leads me to some other reading. It may be this way by default so that you don't end up creating files with the wrong permissions that then can't be (trivially) edited - such as one person complaining that changing umask had also messed with their network configuration files.

Ah no. Users working in user space can not break the system. As far as configuration files, the mode bits are easily enough changed.

Also, users can still change their umask and launch programs from a shell. File owners can just run chmod. The problem is that they can not set the umask for those that launch from the GUI, and some users really need the GUI.

The most common reasons for users to desire to change their umask is that the distro default makes all files world readable, and they either have personal things, or do not want their work stolen. Those are reasonable concerns.

There might be historical reasons for this choice of default. It is an old Unix philosophy of sharing configuration files and code between users. But not everyone subscribes, and that is not always appropriate.


KGIII wrote:
Hmm...

Yeah, I kinda see your point. It's possible to change it upstream and GUI apps then follow it, if you made the change at the window manager or the likes, but then regular users can't adjust it. Huh... While it might result in you shooting yourself in the foot, there should be an easier way to shoot yourself in said foot, but I am not finding a darned thing about it.

You have the users shooting themselves in the foot thing inverted here. What has happened is that users, perhaps like yourself given the first comment, go online and look for the settings on how to keep their files safe and not world readable, or get outdated advice. They then make a .profile with a umask in it. Then sometimes years later they find out that linux has been showing everyone on the system all their files anyway. One user was quite dismayed to find that everyone was able to read her journal.

Since about 2016 users of the major distros have been creating world readable files even when their .profile or even their old .xinitrc says that is not what they want. ... Though it has made it nicer for hackers who can get access to a system but not root priv, for people who like to steal their colleague's work, or those who would like to know what Sarah thinks of them.

Though that leaves us where we started... Is there a Linux distro or dm install option where users may set their umasks for their session? That could be in a ~/.xinitrc file, or in ~/.profile, it does not matter what the file is called.
 

KGIII

Motivation wrote:
Is there a Linux distro or dm install option where users may set their umasks for their session?

I don't think there is. Lemme ponder this for a day or two, so that I can try a few things. I mean, we can do it so long as files are created in the terminal - which might be the only viable way to do this.

Someone else may step in with something smarter than I am. I think I can see where you're coming from and it doesn't seem like it'd be too hard to override the current behavior.

Lemme think on it and hopefully someone else chimes in. You're not being forgotten, or anything like that. I'm just not sure where to go from here.
 

osprey

I take your points Motivation, and did see the issue from the point of view of the terminal rather than the desktop.

Motivation wrote:
On Debian if a user sets a new one in the ~/.profile then when a program is run from the desktop, it will still ignore the user's umask; however when the same program is run from a shell it will honor the user's umask.

Starting from the shell is the default on my machines since there are no DEs though plenty of GUI programs, and it's been so for at least this century for me, which probably explains my misapprehension of the issue. The only thing that remotely comes to mind is polkit for authentication rules, but I can't say more, and it may not be relevant.
 

f33dm3bits

Gold Member
Gold Supporter
Joined
Dec 11, 2019
Messages
5,284
Reaction score
3,905
Credits
38,539
Motivation wrote:
You are missing the point.

Launch a program from the menus to write a file. You will find it follows a different umask than that defined in your .bashrc (or .profile). This being the essence of the question. There was never any doubt that umask is working within terminals.

I just created five test files, created one file through the terminal and four other test files through a gui program launched through the menu.
Code:
.rw-r--r--. maarten maarten   0 B  Tue Nov 29 08:49:30 2022 terminal.txt
.rw-r--r--. maarten maarten  22 B  Tue Nov 29 08:50:32 2022 gui_by_pluma.txt
.rw-r--r--. maarten maarten 4.2 KB Tue Nov 29 08:51:24 2022 gui_by_gimp.xcf
.rw-r--r--. maarten maarten   0 B  Tue Nov 29 08:58:34 2022 gui_by_kate.txt
.rw-r--r--. maarten maarten   0 B  Tue Nov 29 09:08:24 2022 gui_by_kwrite.txt
They get the same permissions
Code:
% grep -i umask /etc/profile /etc/bashrc
/etc/bashrc:    # Set default umask for non-login shell only if it is set to 0
/etc/bashrc:    [ `umask` -eq 0 ] && umask 022
So it seems on the distribution I'm using both files created through the terminal and gui use the same umask.
Code:
% head -n2 /etc/os-release
NAME="Fedora Linux"
VERSION="37 (KDE Plasma)"
 

f33dm3bits

I did the same in a Debian vm I just installed.
Code:
-rw-r--r-- 1 maarten maarten    0 Nov 29 09:29 terminal.txt
-rw-r--r-- 1 maarten maarten    0 Nov 29 09:30 gui_by_pluma.txt
-rw-r--r-- 1 maarten maarten 4273 Nov 29 09:31 gui_by_gimp.xcf
-rw-r--r-- 1 maarten maarten    0 Nov 29 09:31 gui_by_kate.txt
-rw-r--r-- 1 maarten maarten    0 Nov 29 09:32 gui_by_kwrite.txt
The only places I can find umask on Debian are under /etc/skel and under /etc/login.defs
Code:
[email protected]:/etc# grep -iR umask /etc/skel/ /etc/login.defs
/etc/skel/.profile:# the default umask is set in /etc/profile; for setting the umask
/etc/skel/.profile:# for ssh logins, install and configure the libpam-umask package.
/etc/skel/.profile:#umask 022
/etc/login.defs:#    UMASK        Default "umask" value.
/etc/login.defs:# UMASK is the default umask value for pam_umask and is used by
/etc/login.defs:# 022 is the "historical" value in Debian for UMASK
/etc/login.defs:# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
/etc/login.defs:UMASK        022
/etc/login.defs:# Other former uses of this variable such as setting the umask when
On Debian 11 with KDE.
Code:
# head -n2 /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
Maybe it depends on the display manager you are using, since KDE uses sddm?
 

f33dm3bits

And this time I removed sddm and installed lightdm.
Code:
$ dpkg --list | egrep "sddm|lightdm" | awk '{ print $2 }'
liblightdm-gobject-1-0:amd64
lightdm
lightdm-gtk-greeter
And again new test files.
Code:
-rw-r--r-- 1 maarten maarten    0 Nov 29 09:44 terminal.txt
-rw-r--r-- 1 maarten maarten    0 Nov 29 09:44 gui_by_pluma.txt
-rw-r--r-- 1 maarten maarten 4273 Nov 29 09:44 gui_by_gimp.xcf
-rw-r--r-- 1 maarten maarten    0 Nov 29 09:45 gui_by_kate.txt
-rw-r--r-- 1 maarten maarten    0 Nov 29 09:45 gui_by_kwrite.txt
And searching for umask again.
Code:
[email protected]:~# grep -Ri umask  /etc/skel/ /etc/login.defs
/etc/skel/.profile:# the default umask is set in /etc/profile; for setting the umask
/etc/skel/.profile:# for ssh logins, install and configure the libpam-umask package.
/etc/skel/.profile:#umask 022
/etc/login.defs:#    UMASK        Default "umask" value.
/etc/login.defs:# UMASK is the default umask value for pam_umask and is used by
/etc/login.defs:# 022 is the "historical" value in Debian for UMASK
/etc/login.defs:# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
/etc/login.defs:UMASK        022
/etc/login.defs:# Other former uses of this variable such as setting the umask when
And to show I'm using Debian again.
Code:
[email protected]:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
So I have no idea why you are getting the different umask for gui applications since on my Debian test vm they seem to be the same from my tests, with both sddm and lightdm. This is a default Debian install.
 
motivation
@f33dm3bits , The point was for the _user_ to be able to change his or her umask so that files are *not* world readable.

Every single one of your file listings in your examples shows all the files being world readable.

You just used the defaults.

Do you use an email client? Do you want your email to be world readable?

Change your umask in ~/.profile, to something like umask 0007. Run a program from a GUI that writes a file. Run the same program from a shell. You will see that file created from the GUI is still world readable.

Show us how a user may change their umask to affect programs launched from the GUI -- you can't do it on the systems you tested. If there is a distro where this can be done - you did not demonstrate that.
 
motivation
f33dm3bits wrote:
I just created five test files, created one file through the terminal and four other test files through a gui program launched through the menu.
Code:
.rw-r--r--. maarten maarten   0 B  Tue Nov 29 08:49:30 2022 terminal.txt
.rw-r--r--. maarten maarten  22 B  Tue Nov 29 08:50:32 2022 gui_by_pluma.txt
.rw-r--r--. maarten maarten 4.2 KB Tue Nov 29 08:51:24 2022 gui_by_gimp.xcf
.rw-r--r--. maarten maarten   0 B  Tue Nov 29 08:58:34 2022 gui_by_kate.txt
.rw-r--r--. maarten maarten   0 B  Tue Nov 29 09:08:24 2022 gui_by_kwrite.txt
They get the same permissions

Yes all world readable. Exactly the problem.

Those all show being world readable. The permissions are in threes: user, group, world. The user set is 'rw-': read, write, not executable. The group set is 'r--': group readable. The world set is 'r--': world readable.

What you need to show is the user setting the umask, then the GUI respecting it. The world permissions should be '---' showing that the file is not world readable.

World readable files may be read by anyone on the system who has access to the path. Look at your home directory, you will see that the world path may go through it.
 

Condobloke

Well-Known Member
Joined
Apr 30, 2017
Messages
5,546
Reaction score
4,648
Credits
33,684
Thanks f33dm3bits for that sobering investigation.
How can you like that?

Apparently, in much the same way you did yourself.

 

f33dm3bits

Motivation wrote:
What you need to show is the user setting the umask, then the GUI respecting it. The world permissions should be '---' showing that the file is not world readable.

Do you use an email client? Do you want your email to be world readable?

First language isn't English so I misread things sometimes. I haven't touched my mail client directory, but I just checked that and ~/.thunderbird has 700 permissions.

On a Debian system with KDE Plasma installed, here is my ~/.profile.
Code:
[email protected]:~$ cat ~/.profile
umask 006
The results I get.
Code:
-rw-rw---- 1 tux tux    0 Dec  1 19:39 terminal.txt
-rw-rw---- 1 tux tux    0 Dec  1 19:39 gui_pluma.txt
-rw-rw---- 1 tux tux    0 Dec  1 19:39 gui_kwrite.txt
KDE Plasma uses sddm, and sddm loads a configuration file, depending on whether you are using X11 or Wayland.
Code:
[email protected]:~$ ls -l /etc/sddm
total 8
-rwxr-xr-x 1 root root 1628 Mar 17  2021 wayland-session
-rwxr-xr-x 1 root root 1674 Mar 17  2021 Xsession
It has several shells defined but I will only quote bash.
Code:
case $SHELL in
  */bash)
    [ -z "$BASH" ] && exec $SHELL $0 "$@"
    set +o posix
    [ -f /etc/profile ] && . /etc/profile
    if [ -f $HOME/.bash_profile ]; then
      . $HOME/.bash_profile
    elif [ -f $HOME/.bash_login ]; then
      . $HOME/.bash_login
    elif [ -f $HOME/.profile ]; then
      . $HOME/.profile
    fi
    ;;
So this works for sddm. I haven't tried with other display managers but I can look. That was on a Debian VM; on my desktop running Fedora it's not configured by default on sddm, but I can set it up to load an Xsetup startup script. So it seems it depends on the distribution whether that is implemented by default or not with sddm. I haven't tried other display managers but I will try a few.
 