Change system wide default file permissions

By default debian and ubuntu give all users read permission on files and folders. If you work in a shared environment with files stored on NFS you probably want to change this to:

u g o
folders rwx rwx
files rw rw

The achieve this you need to edit the umask in several places.

Bash sessions

# The default umask is now handled by pam_umask.
# See pam_umask(8) and /etc/login.defs.* `/etc/login.defs`
--- /etc/login.defs 2012-04-09 04:32:02.000000000 +0200
+++ login.defs 2014-03-27 13:58:04.637305820 +0100
@@ -148,7 +148,7 @@
-UMASK 022
+UMASK 007
 # Password aging controls:


 # ~$ ssh $user@$server
 # user@server:~$ umask

Explanation from bash man page:

# ~$ man bash
When bash is invoked as an interactive login shell, or as a non-inter active shell with the --login option, it first reads and executes commands from the file /etc/profile, if that file exists. After reading that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable.

Xsession sessions

To make sure your X11 applications use the correct umask you have to create an extra file in the `/etc/X11/Xsession.d`-folder:

~$ echo "umask 007" | sudo tee /etc/X11/Xsession.d/10x11-common-umask


Nautilus application:
Open the `Desktop` location:

~$ nautilus ~/Desktop

Create a new file from the `file`-menu and check the permissions in bash:

user@server:~/Desktop$ ls -lha new file
-rw-rw----+ 1 user user 0 2010-02-05 12:00 new file

OpenOffice application:
Create a new document on the Desktop and check the permissions in bash:

user@server:~/Desktop$ ls -lha *.odt
-rw-rw----+ 1 user user 7,3K 2010-02-05 12:00 testdocument.odt

 Explanation from bash man page:

# ~$ man xsession
Xsession next confirms that its script directory, Xsession.d, exists. If it does not, the script aborts. After the script directory is confirmed to be present, Xsession uses run-parts(1) to identify files in that directory that should be sourced (executed) in the shell's environment. Only files named in a certain way are sourced; see the run-parts manual page for a description of valid characters in the filename.
(This restriction enables the administrator to move experimental or problematic files out of the way of the script but keep them in an obvious place, for instance by renaming them with ‘.old’ or ‘.broken’ appended to the filename.)


If you use samba to share documents you might also want to change the samba settings:

create mask = 0660
directory mask = 2770


Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *