How do you apply umask settings to an account that doesn't log in?

5

2

On my Ubuntu 11.04x64 server, I have service accounts running which do not log in and do not have home directories. These service accounts are responsible for running processes which are invoked as services.

When these services create new files, I need them to be created with the permissions 664 (UMASK 002).

I edited the /etc/profile umask setting to reflect this. I see that now my user account creates files which reflect this new umask setting, but the service accounts do not when I manually created files using their accounts (sudo -u serviceaccount touch newfile).

Any suggestions?

nfarrar

Posted 2011-08-04T03:19:02.453

Reputation: 331

I've also edited the UMASK setting in /etc/login.defs - but this does not work either. – nfarrar – 2011-08-04T03:21:32.963

Answers

3

If the services are started via Upstart or /etc/init.d, edit the appropriate initscripts.

  • init.d: umask 02 at the top of script (they are ordinary sh scripts)
  • Upstart: umask 02 anywhere

Linux does not have a strict definition of "login", and an account is merely a UID that can (or cannot) be associated with a name/homedir/etc.

When you log in on console/over SSH, the login program (or the SSH daemon) uses PAM to set up the environment (possibly pam_umask), then starts your shell with the "login" flag. The /etc/profile script belongs to the sh and bash shells, which only read it for "login" invocations.

When you use sudo touch ... or sudo /etc/init.d/foo start, sudo still calls PAM for auth/account/session setup, but does not start the shell at all, meaning all "profile" or "bashrc" files will be ignored. (That is, unless you use sudo -i ....)

When Upstart runs a service, it simply switches the UID to that of your service, skipping any "profile" scripts or PAM configuration. The only configuration that is read is the service's file in /etc/init, which is where you should put the umask setting.

user1686

Posted 2011-08-04T03:19:02.453

Reputation: 283 655
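An added example (not part of the answer above) that shows why the init-script umask is what counts: the file mode a daemon gets is 666 masked by whatever umask is in force when the init script starts it, regardless of /etc/profile. It assumes only a writable ${TMPDIR:-/tmp} and a GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not from the original post. Simulates the top of an
# /etc/init.d script setting umask before "starting the daemon", and reports
# the mode of the first file that daemon creates.

# Return the octal mode of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-in for an init script body: $1 is the umask line you would put at the
# top of the script, $2 is the file the "daemon" creates. Runs in a subshell so
# the umask change does not leak into the caller.
init_script_start() {
    _umask=$1
    _out=$2
    (
        umask "$_umask"      # the line the answer says to add to the init script
        rm -f "$_out"
        : > "$_out"          # the daemon creating its first file (mode 666 & ~umask)
    )
    file_mode "$_out"
}

# Throwaway directory so the demo is self-contained (constructed, not a real path).
demo_dir=${TMPDIR:-/tmp}/umask-demo.$$
mkdir -p "$demo_dir"

mode_default=$(init_script_start 022 "$demo_dir/default.txt")  # typical default umask
mode_fixed=$(init_script_start 002 "$demo_dir/fixed.txt")      # umask from the answer
echo "umask 022 -> $mode_default"   # 644: group cannot write
echo "umask 002 -> $mode_fixed"     # 664: the permissions the question asks for

rm -rf "$demo_dir"
```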

3

Actually it's also umask 002 for upstart, our experiments show. The upstart documentation has a misleading example.

– Bart Schuller – 2013-08-09T17:12:29.120