Posted on 2006-05-06
Medium Priority
Last Modified: 2012-08-14
1) What is /etc/profile? Does it mean that all the users that log in to the system will run /etc/profile?
2) What is the suggested value of umask?
Question by:kecoak
LVL 16

Expert Comment

ID: 16621316

The /etc/profile is for system-wide environment and startup programs. This is where you can set up
the bash history size, e.g. HISTSIZE=100

If you wanted to set a user's UMASK to 022, which is 600, you need to edit the /etc/skel/.bashrc and add the following


Once this is done, the next time you create users they will have the default umask of 600, as the /etc/skel directory
is exported to the new user's directory when a new user is created.
LVL 23

Expert Comment

ID: 16621758
The /etc/profile is a shell initialization file used by bash. If some users of the system have chosen
a different shell, such as csh or tcsh, for instance, then /etc/profile may not be read when they login
(/etc/profile is a shell initialization script, and not a "login" script per se).

By default, if the user's shell is bash, the contents of /etc/profile will be
sourced into the shell every time a new interactive shell starts.  

This means, that not only does the profile run at login, but it runs at other times an interactive shell
is started, and since it's sourced directly into that shell (rather than run in a subshell), the
profile script may change shell settings, such as setting environment variables, directory, shell options,
etc, and they will be carried forward into the session.

The profile will also be run by a non-interactive shell, if that shell was started using the --login option,
and the global profile may be bypassed in an interactive shell if it is started using the
--noprofile option.

2)  It depends on security considerations.   It depends on each user's use of the machine, what
the best default is.  If the system's not running a bunch of services, and there's
nothing too secret that might be written that local users can get at... I would generally use umask

umask 022

This is the default for most systems and has certain merits.

If you prefer to restrict access, you can often restrict the home directory... I.E.  chmod 700 /root  .
Files root creates in the world need to be readable for the system to work properly, and anything
super-secret should be explicitly protected.

The umask 022 errs away from privacy and towards disclosure, however.
From a pure security standpoint the umask should be 077; by default, no one other than the owner
being allowed to read or write the file is better.

However, this can be inconvenient if readability is not a big issue for most files (as is generally the case),
and users on the system need/want to read files created by another that aren't especially

You can place the command   "umask 022"  in /etc/profile.
However, individual users may have  a    ~username/.bash_profile  
or other file sourced by their profile  (commonly .bashrc)  set to override it.

More permissive users can set their umask to 002 if they want, allowing anyone in the
file's group (by default) to edit new files they make; more restrictive users can still set their
umask to 077.

This is good in the sense that it allows every user to personalize their umask, if they know about it
 -- it may make it harder for you, it means there's no quick and simple way to specifically
and definitely set everyone's umask.

Usually users other than root can safely work with a stricter umask, but using 077
or 027 is more secure but may actually be an annoyance, if their primary use of the machine is
to build a website, or something that other users need to read anyway.

027  <--   Owner has full permissions,  group can read,   the world has no permissions

077  <--  Owner has full permissions, group/world have none.

Making group or world-write by default  would usually be too dangerous;  there are places that a
umask of  002  or 007  makes sense -- for some specific editing task in a group-controlled

(However, for such applications, using an ACL-enabled file system and setting specific default
permissions for any group directory with setfacl would be preferable and more flexible than umask
in such cases.)

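The point above that /etc/profile is sourced into the shell rather than run in a subshell, so a umask it sets is carried into the session, can be seen with a small experiment. The script below is an added example and not part of the original answer: it writes a constructed stand-in profile (containing only `umask 027`) into a scratch directory made with mktemp, then runs it once as a separate process and once with `.` from a shell whose umask starts at 022, and reports the umask the calling shell is left with in each case.

```shell
#!/bin/sh
# Added example: why a profile must be sourced (read into the current shell)
# rather than executed (run as a child process) for settings such as umask
# to take effect in the session.  The "profile" written here is constructed
# for the demonstration; it is not the system's /etc/profile.
set -u

# Write the stand-in profile into directory $1.
make_profile() {
    cat > "$1/profile" <<'EOF'
# constructed stand-in for /etc/profile
umask 027
EOF
}

# Normalise the shell's umask output ("0022" or "022") to three octal digits.
current_umask() {
    printf '%03o\n' "$(( 0$(umask) ))"
}

# Execute the profile as a child process: the child changes its own umask,
# which dies with it, so the caller still reports 022.
umask_after_executing() {
    dir=$(mktemp -d) || return 1
    make_profile "$dir"
    result=$(
        umask 022
        sh "$dir/profile"
        current_umask
    )
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# Source the profile with ".": the current shell reads it, so umask 027 takes
# effect in the caller.  This is what a login shell does with /etc/profile.
umask_after_sourcing() {
    dir=$(mktemp -d) || return 1
    make_profile "$dir"
    result=$(
        umask 022
        . "$dir/profile"
        current_umask
    )
    rm -rf "$dir"
    printf '%s\n' "$result"
}

echo "umask after executing the profile: $(umask_after_executing)"   # 022
echo "umask after sourcing the profile : $(umask_after_sourcing)"    # 027
```

The same mechanism is why a `umask` line in a user's ~/.bash_profile or ~/.bashrc overrides the one in /etc/profile: whichever file the shell sources last wins for that session.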

Author Comment

ID: 16623454

The profile will also be run by a non-interactive shell, if that shell was started using the --login option,
and the global profile may be bypassed in an interactive shell if it is started using the
--noprofile option.

1) --- where do you set this?

2) I can see umask is also set under /etc/login.defs, what's the difference?

3) 077  <--  Owner has full permissions, group/world have none. Is the convention the same as chmod? Therefore 077 should mean ---RWXRWX, not as you described, which is 700?
LVL 23

Accepted Solution

Mysidia earned 2000 total points
ID: 16623575
1) These options are specified on the command line, when the shell is started... i.e. if you started
   a shell by running

   /bin/bash --login

   The new shell you start would be treated as a login shell.

   Normally, you only get login shells when you first login, or when you run a command such as
   "su -";  which as given, specifies a login shell.

2) The login.defs  umask is the default UMASK after login, which applies unless you or the user
overrides it, for instance, in the profile, or the login script.

I would suggest applying your desired umask to  /etc/login.defs  first

3)  The convention is the same as chmod, but that's not how a mask works.

The umask specifies permission bits that are MASKED (not enabled) by default;
 To find the default permissions that would be set by applying a particular umask....

   1. Start with 777
   2. Subtract the umask from 777
   3. If the new file is a directory, then leave it as is, otherwise  turn off the  exec bits.

A umask of  777,  means that the default permissions for new files will be chmod 000.

A umask of 000,  means that the default permissions for new files will be chmod 666, and
new directories will be 777.

(Formally, you start with   666 for a file, or 777 for a directory, and  turn off all permission bits
 that are turned on in the umask, to find the default permissions for a new file.)

To see this, you need to realize, that file permissions are octal number representations of
binary numbers that are treated as bitflags.

That is, each binary digit of the number corresponds to a permission -- if the corresponding bit is set
to on, then the permission is enabled, otherwise, it's off.

Each digit of the umask/chmod corresponds to 3 binary digits:

 0        ==> 000
 1        ==> 001
 2        ==> 010
 3        ==> 011
 4        ==> 100
 5        ==> 101
 6        ==> 110
 7        ==> 111

So the umask 022, corresponds to   000 010 010


User, Group, World; and the 3 permissions are  read, write, and execute.

User,  000   means  R=0,  W=0,  X=0
Group, 010  means  R=0,  W=1,  X=0
World,  010 means  R=0,  W=1,  X=0

Since   W=1  for   Group and world,   write permission will be BLOCKED, when a file
is created.

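The rule in the accepted answer (start from 666 for a file or 777 for a directory, then turn off every bit that is on in the umask) is easy to check in code. The script below is an added example, not code from the answer: default_mode does the bit arithmetic for a given umask, perm_octal decodes an `ls -ld` permission string back to octal using only POSIX tools, and observed_mode creates a real file or directory under that umask in a scratch directory (made with mktemp) and reads back what the kernel actually assigned, so the arithmetic can be compared with real behaviour for the values discussed in the thread (022, 027, 077, 002).

```shell
#!/bin/sh
# Added example: the umask rule from the accepted answer as runnable code.
# default_mode()  : arithmetic only (base & ~umask)
# perm_octal()    : decode "rw-r-----" style output of ls -ld to "640"
# observed_mode() : create a probe file/dir under the umask and read its mode

# Mode a new file ("file") or directory ("dir") gets under umask $1.
# Regular files never receive exec bits from creat(2), hence the 666 base.
default_mode() {
    if [ "$2" = "dir" ]; then base=0777; else base=0666; fi
    mask=$(( 0$1 ))                  # leading 0 forces octal interpretation
    printf '%03o\n' $(( base & ~mask ))
}

# Read the nine permission characters of $1 via ls -ld and fold them into
# an octal number (portable where stat(1) flags differ between systems).
perm_octal() {
    perms=$(ls -ld "$1" | cut -c2-10)
    total=0
    i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s\n' "$perms" | cut -c"$i")
        total=$(( total * 2 ))
        case $c in
            r|w|x|s|t) total=$(( total + 1 )) ;;   # bit on (s/t imply x)
        esac
        i=$(( i + 1 ))
    done
    printf '%03o\n' "$total"
}

# Create a probe under umask $1 in a scratch directory and report the mode
# the kernel assigned.  The umask is set in a subshell so the caller's
# own umask is untouched.
observed_mode() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        if [ "$2" = "dir" ]; then mkdir "$tmp/probe"; else : > "$tmp/probe"; fi
    )
    perm_octal "$tmp/probe"
    rm -rf "$tmp"
}

# The values discussed in the thread: 022 (common default), 027, 077, 002.
for m in 022 027 077 002; do
    printf 'umask %s -> file %s  dir %s  (kernel gave file %s, dir %s)\n' \
        "$m" "$(default_mode "$m" file)" "$(default_mode "$m" dir)" \
        "$(observed_mode "$m" file)" "$(observed_mode "$m" dir)"
done
```

Because the operation is a bitwise clear rather than a subtraction, a umask such as 027 gives a new file 640, not 666 minus 027; the "subtract from 777" shortcut only agrees with the real rule when every bit set in the umask is also set in the base.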

Expert Comment

ID: 16675250
Hi kecoak,

Check my answer in the following question:

I hope it helps you. =0)
