
Thread: How does one set umask to 077 including for GUI apps?

  1. #1
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,288
    Distro
    Ubuntu

    Question How does one set umask to 077 including for GUI apps?

    I know how to set umask to 077 (equivalent to umask u=rwx,go=) in .bashrc and .profile. However, that only affects CLI apps that run from the terminal.

    I want everything in my home to be umask 077, even when using GUI apps such as Nautilus or GIMP.

    I've searched the internet and found several answers. Only one of them worked, but there's a problem.

    Here's the one that worked:

    1. Edit /etc/login.defs
    2. Change UMASK 022 to UMASK 077
    3. Change USERGROUPS_ENAB yes to USERGROUPS_ENAB no
    4. Restart the machine.

    This does indeed work (with a couple of curious exceptions such as in flatpak's ~/.var).

    The problem is that this affects not just my user but also root, which has the potential to cause problems.

    I want something that will affect only my user (and, optionally, any other non-root user).

    Is this possible?

    I'm using Ubuntu 22.04.

    Thank you
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  2. #2
    Join Date
    May 2024
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    You could try setting umask in /etc/passwd, but I have to ask ... what do you think a more restrictive value will meaningfully add to your system?

  3. #3
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,288
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Originally posted by currentshaft:
    > You could try setting umask in /etc/passwd
    Thank you, I'll try that. Is there a "proper" way to do it, or do I simply edit the password file?
    Originally posted by currentshaft:
    > what do you think a more restrictive value will meaningfully add to your system?
    It feels like the right thing to do. The default umask is 022, which means that files by default grant access to all. That seems strange; if two or more users share a computer (each with their own user account), surely they should be able to expect privacy by default? I could use umask 027 instead of 022, I suppose, but the question remains.

  4. #4
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,288
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    I've been looking up the syntax of the password file, and it doesn't contain information about the umask.

    Did you mean /etc/passwd, or something else?

  5. #5
    Join Date
    May 2024
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    It's /etc/password, specifically the GECOS field (https://en.wikipedia.org/wiki/Gecos_field)

    It's an optional field that is usually blank.

    Looks like the "chfn" command supports setting it via the "other" field - https://manpages.ubuntu.com/manpages...n1/chfn.1.html

    In my opinion, and this is not meant to be derogatory nor discourage anyone from hardening their system, I believe the user separation boundary on a Linux system is extremely trivial to cross, and while umask is a good hygiene practice, it is not a meaningful security control.

  6. #6
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,288
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Originally posted by currentshaft:
    > It's /etc/password, specifically the GECOS field (https://en.wikipedia.org/wiki/Gecos_field)
    Thanks, but that field seems to hold only information (name, telephone, that sort of thing), nothing to do with umask.
    Originally posted by currentshaft:
    > Looks like the "chfn" command supports setting it via the "other" field - https://manpages.ubuntu.com/manpages...n1/chfn.1.html
    Thank you.
    Originally posted by currentshaft:
    > In my opinion, and this is not meant to be derogatory nor discourage anyone from hardening their system, I believe the user separation boundary on a Linux system is extremely trivial to cross, and while umask is a good hygiene practice, it is not a meaningful security control.
    OK, thanks. Perhaps it's sufficient to set /home/[user] to user-access only.

    I still think that the default shouldn't allow read-access to everyone, though.

  7. #7
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: How does one set umask to 077 including for GUI apps?

    If you wanted to try a short term first, and I do it on occasion:
    Code:
    umask -S
    u=rwx,g=rx,o=rx
    That's a normal return with umask default.
    Code:
    umask
    0022
    Remember short term here.
    My change with:
    Code:
    [root@cachyos-zfs me]# umask 077
    [root@cachyos-zfs me]# umask
    0077
    That was root permissions as seen above. (Only use if you know what and why)
    This for a normal session:
    Code:
    umask 077
    ┌───────────────────>
    │~ 
    └─> umask && umask -S
    0077
    u=rwx,g=,o=
    Maybe give it a whirl first to test how it affects your system.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  8. #8
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,288
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Originally posted by 1fallen:
    > If you wanted to try a short term first…
    Thanks, @1fallen, but that doesn't work with GUI apps. I already set umask 077 in both ~/.bashrc and ~/.profile, so it's automatically set in the console and the terminal (for my user only, which is what I want). GUI apps don't see it unless you start the GUI from the terminal.
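
    A check for the behaviour discussed in this thread, added here as an example and not part of any poster's reply: on Linux 4.7 and later, /proc/<pid>/status carries a Umask line, so you can see which umask a running GUI process actually inherited. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find processes whose umask still
# leaves group/other permissions on the files they create.

# Constructed sample of the relevant /proc/<pid>/status lines.
sample_status() {
    printf 'Name:\tnautilus\nUmask:\t0022\nState:\tS (sleeping)\n'
}

# Print the Umask value from a status file, or from stdin if no file is given.
umask_from_status() {
    awk '$1 == "Umask:" { print $2; exit }' "$@"
}

# Succeed only if the mask clears every group and other permission bit.
# 0077 passes; 0022, 0027 and 0007 fail. 0007 is what 077 turns into when
# user-private-group handling (USERGROUPS_ENAB yes) is applied.
is_private_umask() {
    [ $(( 0$1 & 077 )) -eq $(( 077 )) ]
}

# Print "<pid> <umask> <command>" for each process of the current user
# whose umask is not private. Requires pgrep (procps) and a Linux /proc.
report_loose_umasks() {
    for pid in $(pgrep -u "$(id -u)"); do
        status="/proc/$pid/status"
        [ -r "$status" ] || continue          # process already exited
        mask=$(umask_from_status "$status")
        [ -n "$mask" ] || continue            # kernel has no Umask field
        is_private_umask "$mask" ||
            printf '%s %s %s\n' "$pid" "$mask" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
}

# Offline demonstration on the constructed sample, then the live report.
mask=$(sample_status | umask_from_status)
is_private_umask "$mask" || echo "sample process has loose umask $mask"
report_loose_umasks
```

    Run it from inside the graphical session after changing the setting and logging back in; an empty live report means every process you own has a umask that masks all group and other bits.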

  9. #9
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: How does one set umask to 077 including for GUI apps?

    Understood, and respectfully, I really should have read your first post.

    I don't know of a way to do this, and I'm pretty sure you don't really want to do it.

    I know someone who experimented with locking down the default perms (as you're trying to do), then it changed their network settings, and some of the network settings files wound up unreadable and the network became unusable. You may not think of System Preferences as an app that creates files, but it is and it does.

    Paddy are you joining MI6....
    Last edited by 1fallen; 3 Weeks Ago at 10:15 PM.

  10. #10
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,288
    Distro
    Ubuntu

    Re: How does one set umask to 077 including for GUI apps?

    Originally posted by 1fallen:
    > I'm pretty sure you don't really want to do it…
    I shall defer to your greater wisdom.
    Originally posted by 1fallen:
    > Paddy are you joining MI6....
    Ha ha! I am simply growing more paranoid these days. My ex-wife was just scammed (again), and I keep reading stories of people who fall prey to hackers, and it makes me think.

    But, given what you and @currentshaft have said, it seems as though my efforts are a waste of time!

    I'll leave it as is.

    Thank you both for your input!
