pam_umask
Set the user file creation mask
SYNOPSIS
pam_umask.so [debug] [umask=value] [user=[list of users]] [group=[list of groups]] [override=value] [ignore]
PARAMETERS
debug
Logs debug information to syslog. Useful for troubleshooting.
umask=value
Specifies the umask value in octal format (e.g., umask=0022). If not specified, the default umask is used.
user=[list of users]
Apply settings only to specified users. Comma-separated list.
group=[list of groups]
Apply settings only to specified groups. Comma-separated list.
override=value
Override value for a specific user. Only available on the `session` call.
ignore
Ignore the error if setting the umask fails. Available only on the `session` call.
DESCRIPTION
This PAM (Pluggable Authentication Modules) module, pam_umask.so, allows the system administrator to set a process's file creation mask (umask) when a user authenticates. The umask controls the default permissions assigned to newly created files and directories. It can be set globally or on a per-user basis.
By default, pam_umask sets the umask to 0077 (octal), meaning new files will be created with read and write permissions for the owner only, and new directories will be created with read, write, and execute permissions for the owner only. Different values can be specified in the configuration file. The pam_umask module is typically configured in /etc/pam.d/login, /etc/pam.d/sshd and other relevant service configuration files. Note that the root user has different behavior.
CAVEATS
Incorrectly configured umasks can have significant security implications. For example, a very permissive umask (e.g., 0000) could result in sensitive files being world-readable or writable.
The module can be called only once for each session.
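The per-service configuration described above and the permissive-umask caveat, as an added shell example that is not part of this page or of Linux-PAM: it reads constructed pam.d contents, extracts each pam_umask umask= value, computes the default modes new files and directories receive, and flags masks that leave world-write permission in place. The sample file contents and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the pam_umask page or the Linux-PAM project):
# audit pam_umask lines in PAM service configuration text, compute the
# default modes new files and directories get, and flag permissive masks.

# Constructed sample contents of a PAM service file (assumption, not a real system file).
SAMPLE_PAMD='auth     required  pam_unix.so
session  optional  pam_umask.so umask=0022
session  optional  pam_umask.so umask=0000 debug
session  required  pam_unix.so'

# umask_to_modes OCTAL_UMASK -> prints "<file mode> <dir mode>" in octal.
# New files start from 0666 (decimal 438), directories from 0777 (511);
# the umask clears bits from those defaults.
umask_to_modes() {
    mask=$(printf '%d' "0$1")          # octal text -> decimal integer
    printf '%04o %04o\n' $(( 438 & ~mask )) $(( 511 & ~mask ))
}

# umask_is_permissive OCTAL_UMASK -> true when the mask leaves the "other"
# write bit intact, i.e. new files would be world-writable.
umask_is_permissive() {
    mask=$(printf '%d' "0$1")
    [ $(( mask & 2 )) -eq 0 ]
}

# audit_pamd reads PAM configuration text on stdin and prints one line per
# pam_umask entry: "<umask> <file mode> <dir mode> <OK|PERMISSIVE>".
audit_pamd() {
    grep 'pam_umask\.so' | while read -r line; do
        case "$line" in
            *umask=*) u=${line##*umask=}; u=${u%% *} ;;
            *)        u=0077 ;;            # module default stated on this page
        esac
        set -- $(umask_to_modes "$u")
        if umask_is_permissive "$u"; then verdict=PERMISSIVE; else verdict=OK; fi
        printf '%s %s %s %s\n' "$u" "$1" "$2" "$verdict"
    done
}

printf '%s\n' "$SAMPLE_PAMD" | audit_pamd
```

On a real host, replace the constructed sample with `cat /etc/pam.d/login /etc/pam.d/sshd | audit_pamd` to review the masks actually configured.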
RETURN VALUES
PAM_SUCCESS
The module succeeded.
PAM_OPEN_ERR
Memory allocation failure.
PAM_SYMBOL_ERR
Symbol not found.
PAM_SERVICE_ERR
Cannot determine the user name.
PAM_PERM_DENIED
The user is root and no argument was given, or the user/group argument doesn't match the user's attributes.
PAM_SESSION_ERR
The session is already managed.
PAM_AUTH_ERR
The user is root and umask override is not set.
PAM_BUF_ERR
Internal buffer error.
HISTORY
The pam_umask module has been a standard part of most Linux distributions for a long time, providing a consistent way to manage file creation masks across different services. It was developed as part of the PAM framework to standardize authentication-related tasks and provide flexibility for system administrators.
SEE ALSO
umask(1), pam.conf(5)