How to set umask for a system-user?

There are three normal ways to set a user's umask.

  1. Set UMASK in /etc/login.defs
  2. Add pam_umask.so to your PAM configuration in /etc/pam.d
  3. Set it in the shell startup files, e.g. /etc/profile

There is no difference between system users and normal users in this regard.

But I'm assuming you're trying to start a daemon with a custom umask?

The problem is: all of the above options happen when a user logs in. If you're running a daemon, it never logs in. It's started by init, then either runs as root, or calls setuid to run as the system user you specify.

Your main options are:

  1. put umask in your init script (do a grep umask /etc/init.d/* for an example)
  2. configure init to start the program with a custom umask (systemd.exec upstart umask)
  3. if using start-stop-daemon, pass the umask option
  4. modify the program itself to call the umask function or system call
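As an added example of option 1 (not part of either answer above): an init-script style wrapper that sets the umask before starting the daemon, followed by a check of the permission bits the daemon's files and directories actually receive. The function names and the stand-in daemon are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the answers above: an init-script style wrapper that
# starts a daemon under an explicit umask, plus checks showing the permission
# bits files and directories created by that daemon actually receive.
# start_daemon_with_umask and fake_daemon are names invented for this demo.

# Run a command under a fixed umask in a subshell, the way an /etc/init.d
# script sets "umask 027" before starting the daemon. The child inherits it.
# (The equivalent for options 2/3 above is UMask=0027 in a systemd unit, or
# --umask 027 for start-stop-daemon.)
start_daemon_with_umask() {
    mask="$1"; shift
    ( umask "$mask"; "$@" )
}

# Stand-in for a daemon: it writes a state file and a spool directory
# without setting any mode itself, so the inherited umask decides the result.
fake_daemon() {
    : > "$1/state.db"
    mkdir "$1/spool"
}

# Symbolic permission string (e.g. -rw-r-----) via ls -ld, which works on
# both GNU and BSD userland; cut drops any trailing ACL/SELinux marker.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Run fake_daemon under umask $1 and print "<file perms> <dir perms>".
perms_under_umask() {
    dir=$(mktemp -d) || return 1
    start_daemon_with_umask "$1" fake_daemon "$dir"
    printf '%s %s\n' "$(perm_string "$dir/state.db")" "$(perm_string "$dir/spool")"
    rm -rf "$dir"
}

# Without an explicit umask the daemon's files get whatever init happened to
# pass down (often 022, i.e. world-readable); 027 keeps them group-only:
# perms_under_umask 022   # -rw-r--r-- drwxr-xr-x
# perms_under_umask 027   # -rw-r----- drwxr-x---
```

Running `grep umask /etc/init.d/*` on a host shows the same pattern in real init scripts: the umask is set once before the daemon is exec'd and every file it later creates inherits it.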

System users differ from ‘normal’ ones in three ways: password expiry, home directory (system users don't have one), and UID (system users are usually below some arbitrary threshold).

In the general case, you're almost entirely out of luck. You can use PAM to set the umask, but PAM selects behaviours based on things other than these three differences.

In other words, you can't get PAM to distinguish between ‘system’ and ‘non-system’ users. This leaves you with two options:

  • Either you use PAM to set the umask for everyone (e.g. check in /etc/login.defs), then explicitly set the umask for non-system users in /etc/bash.bashrc (or similar);

  • Or you write your own PAM module to do this. I think this would be welcomed by many people, as setting the umask is a common request.

Please take this answer with a generous pinch of salt. This sort of request is pretty common, and I wouldn't be surprised if a better/proper way exists now.