How to change umask mode permanently?

A simple man -k umask should have led you to reading man pam_umask, whish says, in part:

DESCRIPTION
pam_umask is a PAM module to set the file mode creation mask of the
current environment. The umask affects the default permissions assigned
to newly created files. 

It also says,

The PAM module tries to get the umask value from the following places
   in the following order:

   ·   umask= argument

   ·   umask= entry in the user's GECOS field

   ·   UMASK= entry from /etc/default/login

   ·   UMASK entry from /etc/login.defs (influenced by USERGROUPS_ENAB in
       /etc/login.defs)

Thanks @waltinator for pointing me for the right direction.

From here I figured easy step how to set umask mode to 0027 just run in terminal:

sudo gedit /etc/login.defs

or with nano which one you prefer.

search for the line:

Prefix these values with "0" to get octal, "0x" to get hexadecimal.

ERASECHAR   0177
KILLCHAR    025
UMASK       027

Edit the last line refering UMASK this will set umask to 0007 to take effect simply log out and log in back.

Make a notice on the lines above: If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value...used as group permissions, e. g. 022 will become 002

So for the umask 0027 to take effect roll down to the line:

USERGROUPS_ENAB yes

and change it to:

USERGROUPS_ENAB no

Done. After you logged out and log in back run in terminal umask and it'll give you 0027 mode.

Now create a new file with touch in terminal:

touch testfile

now check the permissions:

stat -c %a ~/testfile

It should give you 640

UPDATE

There's another simple way:

nano ~/.bashrc

add

#Set umask mode
umask 0027

Close and save, logout and login. Should work for you as well.


I was using JoKeR's answer above to achieve a system wide umask of 027 but I was conscious that when I used USERGROUPS_ENAB no it required more group management. So I feel I have found a better answer, basically:

  1. Make sure that the pam-modules package is installed; that makes the pam_umask module available.
  2. Make sure that /etc/pam.d/common-session has a line of the form
    session optional pam_umask.so
    so that pam_umask is enabled.
  3. According to the pam_umask man page, the default umask is determined at login by checking each of the following places, in order:
    • A hard system-wide default set in /etc/pam.d/common-session. To set it this way, replace the line from that file mentioned above with this:
      session optional pam_umask.so umask=027
    • An entry in an individual user's GECOS field in /etc/passwd overrides a soft system-wide default for that specific user. Create that entry using a command of the form:
      chfn --other='umask=027' username
    • A line of the form UMASK=027 in /etc/default/login (you may need to create that file) sets a soft system-wide default.
    • The UMASK value from /etc/login.defs. That value is also used for something else (computing the permissions on the home directory of a new user that is being created; see the comments in /etc/login.defs for more details). So it is best to avoid relying on this for setting the default umask for regular logins, to keep things separate.

So now for me I use the first option (system-wide default set in /etc/pam.d/common-session) and it's working really well.

Good luck my friends :)