LinuxCommandLibrary

pam_umask

Set the user file creation mask

SYNOPSIS

pam_umask.so [usergroups] [debug] [silent] [umask=0XXX] [login_defs] [none]

PARAMETERS

usergroups
    If specified, the umask is derived from the UMASK value in /etc/login.defs together with the user's group membership. Specifically, if USERGROUPS_ENAB is 'yes' in /etc/login.defs and the name of the user's primary group is the same as the username, the umask becomes 0002; otherwise, the UMASK value from login.defs is used directly (typically 0022).

debug
    Enables verbose debugging output, which is typically sent to syslog for diagnostic purposes.

silent
    Suppresses all informational and error messages that the module might otherwise emit, so that it runs quietly.

umask=0XXX
    Explicitly sets the umask to the octal value 0XXX (e.g., 0022 for common file permissions, 0027 for stricter permissions). This option overrides any umask derived from login.defs or other sources.

login_defs
    This is the default behavior when neither umask nor usergroups is specified: the umask is read from the UMASK entry in /etc/login.defs. The option may be given explicitly for clarity.

none
    Specifies that the pam_umask module should not set the umask at all for this particular PAM service line. This can be useful for selectively disabling its functionality.

DESCRIPTION

pam_umask is a PAM (Pluggable Authentication Modules) module designed to set the user's default file creation mask (umask) upon session initialization. This module ensures that newly created files and directories adhere to specified permission defaults, enhancing system security. It typically reads umask values from system-wide configuration files like /etc/login.defs (using the UMASK and USERGROUPS_ENAB variables) or can be configured with an explicit umask value directly in the PAM configuration. Integrated into the PAM stack, usually within the session type, pam_umask applies these settings before the user's shell or other applications start, providing a consistent and centrally managed umask policy across different login services such as SSH, console logins, and graphical desktop sessions.

CAVEATS

The order of modules in the PAM stack is crucial; a later module or user shell startup scripts (e.g., .bashrc, .profile) can override the umask set by pam_umask. It is recommended to place pam_umask.so within the session PAM type. Proper configuration of /etc/login.defs (specifically UMASK and USERGROUPS_ENAB) is necessary for the module's default behavior.

CONFIGURATION

pam_umask is configured by adding a line to a PAM service file in /etc/pam.d/, typically in the session section. For example:

    session optional pam_umask.so

to use the defaults, or

    session required pam_umask.so umask=0027

to enforce a specific umask.

UMASK VALUE INTERPRETATION

The umask value is a bit mask that specifies which permission bits are removed from the default file (0666) and directory (0777) permissions. For example:

    A umask of 0022 results in new files having permissions 0644 (rw-r--r--) and directories 0755 (rwxr-xr-x).
    A umask of 0027 yields 0640 and 0750 respectively, providing more restrictive group and other permissions.

SOURCES OF UMASK

The module attempts to determine the umask from several sources, prioritizing explicit settings:
1. An explicit umask=0XXX option specified in the PAM configuration line.
2. The UMASK and USERGROUPS_ENAB variables found in /etc/login.defs.
3. (Historically) A specific umask entry in the user's /etc/passwd GECOS field, though this method is less common and less widely supported on modern systems.
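As an added example (not code from this page or from Linux-PAM), the following POSIX shell script resolves the umask in the priority order listed above and then checks the file and directory modes given under UMASK VALUE INTERPRETATION by actually creating a file and a directory under each umask. The login.defs content is a constructed sample embedded in the script, and the function names resolve_umask and modes_under_umask are the example's own. The usergroups rule is implemented as Linux-PAM documents it (the group permission bits are copied from the owner bits), which yields the 0002 stated above for UMASK 022 and generalizes to other masks such as 077; the historical GECOS source (item 3) is not modelled.

```shell
#!/bin/sh
# Added example: resolve the effective umask (explicit option > /etc/login.defs
# UMASK with the usergroups rule) and verify the resulting modes empirically.

# Constructed stand-in for /etc/login.defs (sample content, not the system file).
LOGIN_DEFS_SAMPLE='
# sample login.defs excerpt
UMASK           022
USERGROUPS_ENAB yes
'

# login_defs_value KEY -> prints the value of KEY from the sample text.
login_defs_value() {
    printf '%s\n' "$LOGIN_DEFS_SAMPLE" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# resolve_umask EXPLICIT USERNAME PRIMARYGROUP
#   EXPLICIT is the value of a umask= option, or "" when the option is absent.
#   Prints the effective umask as a four-digit octal string.
resolve_umask() {
    explicit=$1; user=$2; group=$3
    if [ -n "$explicit" ]; then
        mask=$explicit                      # 1. an explicit umask= option wins
    else
        mask=$(login_defs_value UMASK)      # 2. UMASK from /etc/login.defs
        [ -n "$mask" ] || mask=022          #    documented default if unset
        # usergroups rule: user-private group -> group bits same as owner bits
        if [ "$(login_defs_value USERGROUPS_ENAB)" = "yes" ] && [ "$user" = "$group" ]; then
            m=$((0$mask))                   # leading 0 makes the shell read octal
            owner=$(( (m >> 6) & 7 ))
            m=$(( (m & ~070) | (owner << 3) ))
            mask=$(printf '%04o' "$m")
        fi
    fi
    printf '%04o\n' "$((0$mask))"
}

# modes_under_umask MASK -> prints "FILEMODE DIRMODE" for a file and a
# directory created while MASK is in effect (GNU stat, BSD stat as fallback).
modes_under_umask() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmp/f"
        mkdir "$tmp/d"
    )
    f=$(stat -c '%a' "$tmp/f" 2>/dev/null || stat -f '%OLp' "$tmp/f")
    d=$(stat -c '%a' "$tmp/d" 2>/dev/null || stat -f '%OLp' "$tmp/d")
    rm -rf "$tmp"
    printf '%04o %04o\n' "0$f" "0$d"        # "0" prefix: treat stat output as octal
}

# Demonstration with the two masks the page uses as examples.
for m in 0022 0027; do
    printf 'umask %s -> file/dir modes: %s\n' "$m" "$(modes_under_umask "$m")"
done
printf 'usergroups, UMASK 022, user "alice" in group "alice" -> %s\n' \
    "$(resolve_umask '' alice alice)"
printf 'usergroups, UMASK 022, user "bob" in group "users"   -> %s\n' \
    "$(resolve_umask '' bob users)"
printf 'explicit umask=0027 overrides login.defs            -> %s\n' \
    "$(resolve_umask 0027 alice alice)"
```

Because modes_under_umask creates real objects, it reports what the kernel actually applied rather than what a calculation predicts; running it from a freshly opened login session is a direct way to confirm that pam_umask, and not a later shell startup script, determined the umask in effect.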

HISTORY

Part of the standard Linux-PAM suite, pam_umask has been a fundamental module for enforcing file creation permissions since the widespread adoption of PAM. It addresses the system administration need for a centralized, robust mechanism to manage default user umask settings, ensuring consistent security postures across different login services without relying solely on user-specific shell configurations.

SEE ALSO

pam(8), login.defs(5), umask(2), umask(1)
