By default Debian and Ubuntu give all users read permission on new files and folders (umask 022). If you work in a shared environment with files stored on NFS, you probably want to change this so that the group has full access and everyone else has none:
| | u | g | o |
|---|---|---|---|
| folders | rwx | rwx | - |
| files | rw | rw | - |
To achieve this you need to edit the umask in several places.
Bash sessions
`/etc/profile` no longer sets the umask itself; it only carries this comment:

```
# The default umask is now handled by pam_umask.
# See pam_umask(8) and /etc/login.defs.
```

`/etc/login.defs`:
#!diff --- /etc/login.defs 2012-04-09 04:32:02.000000000 +0200 +++ login.defs 2014-03-27 13:58:04.637305820 +0100 @@ -148,7 +148,7 @@ # ERASECHAR 0177 KILLCHAR 025 -UMASK 022 +UMASK 007 # # Password aging controls:
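Review bot: the `UMASK 022` to `UMASK 007` change in this hunk only takes effect through pam_umask, which is what the `/etc/profile` comment above defers to; the procedure should state that `/etc/pam.d/common-session` must contain an uncommented `pam_umask.so` line, otherwise the edit is silently ignored. The `umask` check after `ssh` below is the right confirmation, since a login shell through sshd goes through the PAM session stack; a shell started without PAM will not pick up this value.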
Checking:
```
~$ ssh $user@$server
user@server:~$ umask
0007
```
Explanation from bash man page:
```
~$ man bash
```

> When bash is invoked as an interactive login shell, or as a non-interactive shell with the --login option, it first reads and executes commands from the file /etc/profile, if that file exists. After reading that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable.
Xsession sessions
To make sure your X11 applications use the correct umask you have to create an extra file in the `/etc/X11/Xsession.d`-folder:
```
~$ echo "umask 007" | sudo tee /etc/X11/Xsession.d/10x11-common-umask
```
Checking:
Nautilus application:
Open the `Desktop` location:
```
~$ nautilus ~/Desktop
```
Create a new file from the `file`-menu and check the permissions in bash:
```
user@server:~/Desktop$ ls -lha new file
-rw-rw----+ 1 user user 0 2010-02-05 12:00 new file
```
OpenOffice application:
Create a new document on the Desktop and check the permissions in bash:
```
user@server:~/Desktop$ ls -lha *.odt
-rw-rw----+ 1 user user 7,3K 2010-02-05 12:00 testdocument.odt
```
Explanation from the Xsession man page:
```
~$ man xsession
```

> Xsession next confirms that its script directory, Xsession.d, exists. If it does not, the script aborts. After the script directory is confirmed to be present, Xsession uses run-parts(1) to identify files in that directory that should be sourced (executed) in the shell's environment. Only files named in a certain way are sourced; see the run-parts manual page for a description of valid characters in the filename. (This restriction enables the administrator to move experimental or problematic files out of the way of the script but keep them in an obvious place, for instance by renaming them with '.old' or '.broken' appended to the filename.)
Samba
If you use Samba to share documents you might also want to change the Samba settings, since Samba applies its own masks rather than the login umask. The leading `2` in the directory mask is the setgid bit, so files created inside shared folders inherit the folder's group:

`/etc/samba/smb.conf`:

```
create mask = 0660
directory mask = 2770
```
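The following script is an added example, not part of the original post: it derives the file and folder modes a given umask produces, checks them against the table at the top, reads the settings back out of the files edited in the Bash, Xsession and Samba sections, and checks that pam_umask is enabled. It assumes the Debian layout where pam_umask is enabled from `/etc/pam.d/common-session`; the optional root prefix argument of `audit_umask_config` exists so the audit can be run against a test tree.

```shell
#!/bin/sh
# Added example: check the umask policy from this page (files rw-rw----,
# folders rwxrwx---) and audit the files the page edits. Passing a root
# prefix to audit_umask_config points every path at a test tree instead.

# Mode of a new file / directory created under the given umask (octal, e.g. 007).
mode_for_file() { printf '%04o\n' $(( 0666 & ~0$1 )); }   # 007 -> 0660
mode_for_dir()  { printf '%04o\n' $(( 0777 & ~0$1 )); }   # 007 -> 0770

# True when the umask gives the group full access and others nothing.
umask_matches_policy() {
    [ "$(mode_for_file "$1")" = "0660" ] && [ "$(mode_for_dir "$1")" = "0770" ]
}

# Effective UMASK from a login.defs-style file: comments are skipped and the
# last uncommented setting wins, mirroring how the file is read top to bottom.
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { print v }' "$1"
}

# Value of one "key = value" line in an smb.conf-style file, whitespace stripped.
smb_setting() {
    awk -F= -v key="$2" '{ k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v) } END { print v }' "$1"
}

# True when the Samba masks give the same group-writable layout.
smb_masks_ok() {
    [ "$(smb_setting "$1" "create mask")" = "0660" ] &&
    [ "$(smb_setting "$1" "directory mask")" = "2770" ]
}

# One line per check; returns 0 only if every setting matches the policy.
audit_umask_config() {
    r=${1:-}; rc=0
    u=$(login_defs_umask "$r/etc/login.defs" 2>/dev/null || true)
    if umask_matches_policy "$u"; then echo "login.defs: UMASK $u ok"
    else echo "login.defs: UMASK '$u' is not 007"; rc=1; fi
    # login.defs UMASK is only applied through pam_umask (see /etc/profile).
    if grep -qs '^[^#]*pam_umask' "$r/etc/pam.d/common-session"; then echo "pam_umask: enabled"
    else echo "pam_umask: not enabled in common-session"; rc=1; fi
    if grep -qs '^umask 007' "$r/etc/X11/Xsession.d/10x11-common-umask"; then echo "Xsession: ok"
    else echo "Xsession: 10x11-common-umask missing or wrong"; rc=1; fi
    if smb_masks_ok "$r/etc/samba/smb.conf"; then echo "smb.conf: masks ok"
    else echo "smb.conf: masks differ from 0660/2770"; rc=1; fi
    return $rc
}
```

Run `audit_umask_config` with no argument on the server after the edits above; a non-zero exit means at least one of the four places still disagrees with the table.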