Where does umask get set at system startup? Mine seems to have changed to 0002 recently

Colin Watson cjwatson at ubuntu.com
Fri Apr 23 13:43:15 UTC 2021


On Fri, Apr 23, 2021 at 12:53:20PM +0100, Chris Green wrote:
> Yes, but this (now standard) configuration of every user having a
> unique group ID as well does make groups pretty useless.

On the contrary, it makes it easier to cooperate with other users using
groups, because by default files you create are in your own group (so
group-writability is safe) but if your umask is 002 then you can chgrp
them to something else and then people in that group immediately have
the right access without also having to remember to chgrp g+w (a very
common speedbump).  I've used multi-user systems that default to both
the common approaches, and the approach of having each user in their own
group works much more smoothly in practice.

The other common approach of having every human user have their primary
group set to "users" is, I'm afraid, entirely wrongheaded.  There are no
realistic situations I can think of where making some resource
accessible to the "users" group is usefully distinct from
world-accessibility (all it does is distinguish humans from system
users, but that's not a common requirement in practice), and so it's
mainly just a waste of a permissions bit: unless you've chgrped files
you create to something else, making them group-writable is almost as
dangerous on such systems as making them world-writable, unless you
implicitly trust every other human user.  The rare sysadmin that
actually has a need to distinguish humans from system users can always
create a group for the purpose, but it has no business being the default
and should not be used as people's primary group ID.

Whether umask is set to 022 or 002 is a slightly separate issue from
whether you use single-user primary groups or a big "users" primary
group, but single-user primary groups allow setting it to 002 safely.

> Admittedly most Linux systems are probably single user so it makes no
> odds really.

The practice of every user having a separate primary group ID long
predates the trend for most Linux systems to be single-user (Debian has
been doing it since the 1990s), and the rationale for it was always to
make life easier on multi-user systems.  In fact nowadays the problem
often seems to be that so many people have relatively little experience
of using shell accounts on multi-user systems that it's become harder
for people to intuitively grasp the benefits of this approach.

-- 
Colin Watson (he/him)                              [cjwatson at ubuntu.com]
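
An added example, not part of the original message: a Python check of the condition the reply relies on, that a umask of 002 is only safe when no other account shares your primary group. The passwd and group contents are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data in /etc/passwd and /etc/group format (not from the post).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
dave:x:1003:100:Dave:/home/dave:/bin/bash
"""
GROUP = """\
root:x:0:
users:x:100:
alice:x:1000:
bob:x:1001:eve
project:x:2000:alice,bob
"""

def new_file_mode(umask, requested=0o666):
    """Mode a new regular file gets: the requested bits with the umask bits cleared."""
    return requested & ~umask

def primary_group_sharers(passwd_text, group_text):
    """Map each user to the other accounts that are in that user's primary group."""
    primary = {}   # user name -> primary GID (4th passwd field)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            primary[fields[0]] = int(fields[3])
    listed = {}    # GID -> supplementary members (4th group field)
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            listed[int(fields[2])] = {m for m in fields[3].split(",") if m}
    sharers = {}
    for user, gid in primary.items():
        same_primary = {u for u, g in primary.items() if g == gid}
        sharers[user] = sorted((same_primary | listed.get(gid, set())) - {user})
    return sharers

def umask_002_is_safe(passwd_text, group_text):
    """True per user when the primary group is private, so g+w exposes nothing."""
    return {u: not s for u, s in primary_group_sharers(passwd_text, group_text).items()}

if __name__ == "__main__":
    print("umask 022 ->", oct(new_file_mode(0o022)), " umask 002 ->", oct(new_file_mode(0o002)))
    for user, others in primary_group_sharers(PASSWD, GROUP).items():
        print(f"{user:6} shares primary group with: {', '.join(others) or 'nobody'}")
```

In the sample data, carol and dave share the "users" primary group, and bob's nominally private group has an extra member, so only root and alice could use umask 002 without exposing new files to another account.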



