Posted on 2006-05-06
Last Modified: 2012-08-14
1) What is /etc/profile? Does it mean that all users who log in to the system will run /etc/profile?
2) What is the suggested value of umask?
Question by:kecoak
    LVL 16

    Expert Comment


    /etc/profile is for system-wide environment and startup programs; this is where you can set up
    the bash history size, e.g. HISTSIZE=100

    If you wanted to set a user's UMASK to 022, which is 600, you need to edit /etc/skel/.bashrc and add the following


    Once this is done, the next time you create users they will have the default umask of 600, as the /etc/skel directory
    is exported to the new user's directory when a new user is created.
    LVL 23

    Expert Comment

    /etc/profile is a shell initialization file used by bash.   If some users of the system have chosen
    a different shell, such as csh or tcsh, for instance, then /etc/profile may not be read when they log in
    (/etc/profile is a shell initialization script, and not a "login" script per se).

    By default, if the user's shell is bash, the contents of /etc/profile will be
    sourced into the shell every time a new interactive shell starts.

    This means that not only does the profile run at login, but it runs at other times an interactive shell
    is started, and since it's sourced directly into that shell (rather than run in a subshell), the
    profile script may change shell settings, such as setting environment variables, directory, shell options,
    etc., and they will be carried forward into the session.

    The profile will also be run by a non-interactive shell if that shell was started using the --login option,
    and the global profile may be bypassed in an interactive shell if it is started using the
    --noprofile option.

    2)  It depends on security considerations.   It depends on each user's use of the machine what
    the best default is.  If the system's not running a bunch of services, and there's
    nothing too secret that might be written that local users can get at... I would generally use

    umask 022

    This is the default for most systems and has certain merits.

    If you prefer to restrict access, you can often restrict the home directory, i.e.  chmod 700 /root .
    Things root creates in the world need to be readable for the system to work properly, and anything
    super-secret should be explicitly protected.

    The umask 022 errs away from privacy and towards disclosure, however.
    From a pure security standpoint the umask should be 077: by default, no one other than the owner
    is allowed to read or write the file, which is better.

    However, this can be inconvenient if readability is not a big issue for most files (as is generally the case),
    and users on the system need/want to read files created by another that aren't especially

    You can place the command "umask 022" in /etc/profile.
    However, individual users may have a ~username/.bash_profile
    or other file sourced by their profile (commonly .bashrc) set to override it.

    More permissive users can set their umask to 002 if they want, allowing anyone in the
    file's group (by default) to edit new files they make; more restrictive users can still set their
    umask to 077.

    This is good in the sense that it allows every user to personalize their umask, if they know about it;
    it may make it harder for you, since it means there's no quick and simple way to specifically
    and definitely set everyone's umask.

    Usually users other than root can safely work with a stricter umask; using 077
    or 027 is more secure but may actually be an annoyance if their primary use of the machine is
    to build a website, or something that other users need to read anyway.

    027  <--   Owner has full permissions,  group can read,   the world has no permissions

    077  <--  Owner has full permissions, group/world have none.

    Making files group- or world-writable by default would usually be too dangerous; there are places where a
    umask of 002 or 007 makes sense -- for some specific editing task in a group-controlled

    (However, for such applications, an ACL-enabled file system with specific default
    permissions set on each group directory using setfacl would be preferable to umask,
    and more flexible in such cases.)
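
    The login/non-login and --noprofile behaviour described above can be checked directly. The following is an added example, not code from this thread: it assumes bash is installed, points HOME at a throwaway directory whose .bash_profile sets umask 027, and reports for each way of starting bash whether that shell considers itself a login shell and which umask it ended up with. In the --login case the system's real /etc/profile is still read before the fake .bash_profile, which is the point; --noprofile skips both.

```shell
# Added example, not from the original thread. Assumes bash is installed.
# A login shell reads /etc/profile and then ~/.bash_profile; a plain
# "bash -c" reads neither. We fake the home directory so the demo never
# touches real startup files, and start from a known umask of 022.
BASH=${BASH:-bash}
unset BASH_ENV      # BASH_ENV would make even non-login shells source a file
umask 022

# make_fake_home: create a throwaway HOME whose .bash_profile sets umask 027
make_fake_home() {
    dir=$(mktemp -d)
    printf 'umask 027\n' > "$dir/.bash_profile"
    printf '%s\n' "$dir"
}

# probe HOME [bash options...]: start bash under that HOME with the given
# options and print "<login|non-login> <umask>" as seen inside that shell.
# tail -n 1 discards anything the system's real /etc/profile might print.
probe() {
    home=$1
    shift
    HOME=$home "$BASH" "$@" -c 'if shopt -q login_shell; then k=login; else k=non-login; fi; echo "$k $(umask)"' | tail -n 1
}

fake=$(make_fake_home)
echo "bash -c                     : $(probe "$fake")"                        # non-login 0022
echo "bash --login -c             : $(probe "$fake" --login)"                # login 0027
echo "bash --login --noprofile -c : $(probe "$fake" --login --noprofile)"    # login 0022
rm -rf "$fake"
```

    The middle line is the one that matters for the umask question: only the login shell picked up the value from the profile, so a umask placed in /etc/profile or ~/.bash_profile reaches interactive sessions and "su -", but not a cron job or a bare "bash -c", which inherit whatever umask their parent had.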


    Author Comment


    The profile will also be run by a non-interactive shell if that shell was started using the --login option,
    and the global profile may be bypassed in an interactive shell if it is started using the
    --noprofile option.

    1) --- where do you set this?

    2) I can see umask is also set under /etc/login.defs; what's the difference?

    3) 077  <--  Owner has full permissions, group/world have none. Is the convention the same as chmod? Therefore 077 should mean ---RWXRWX, not as you described, which is 700?
    LVL 23

    Accepted Solution

    1) These options are specified on the command line when the shell is started, i.e. if you started
       a shell by running

       /bin/bash --login

       the new shell you start would be treated as a login shell.

       Normally, you only get login shells when you first log in, or when you run a command such as
       "su -", which, as given, specifies a login shell.

    2) The login.defs  umask is the default UMASK after login, which applies unless you or the user
    overrides it, for instance, in the profile, or the login script.

    I would suggest applying your desired umask to  /etc/login.defs  first

    3)  The convention is the same as chmod, but that's not how a mask works.

    The umask specifies permission bits that are MASKED (not enabled) by default;
     To find the default permissions that would be set by applying a particular umask....

       1. Start with 777
       2. Subtract the umask from 777
       3. If the new file is a directory, then leave it as is, otherwise  turn off the  exec bits.

    A umask of  777,  means that the default permissions for new files will be chmod 000.

    A umask of 000,  means that the default permissions for new files will be chmod 666, and
    new directories will be 777.

    (Formally, you start with   666 for a file, or 777 for a directory, and  turn off all permission bits
     that are turned on in the umask, to find the default permissions for a new file.)

    To see this, you need to realize that file permissions are octal representations of
    binary numbers that are treated as bit flags.

    That is, each binary digit of the number corresponds to a permission: if the corresponding bit is
    on, then the permission is enabled; otherwise it's off.

    Each digit of the umask/chmod corresponds to 3 binary digits:

     0        ==> 000
     1        ==> 001
     2        ==> 010
     3        ==> 011
     4        ==> 100
     5        ==> 101
     6        ==> 110
     7        ==> 111

    So the umask 022 corresponds to   000 010 010

    The three groups are User, Group, World; and the 3 permissions in each are read, write, and execute.

    User,  000   means  R=0,  W=0,  X=0
    Group, 010  means  R=0,  W=1,  X=0
    World,  010 means  R=0,  W=1,  X=0

    Since   W=1  for   Group and world,   write permission will be BLOCKED, when a file
    is created.
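
    The arithmetic just described, and the 022/027/077/002 values weighed earlier in the thread, can be checked mechanically. This is an added example, not code from the thread: it computes the mode a new file (base 666) or directory (base 777) receives by clearing every bit that is set in the umask, then creates a real file and directory under that umask in a scratch directory and reads the result back through ls (so it needs no GNU stat) to confirm that arithmetic and reality agree. It assumes the temporary filesystem carries no default ACLs, which would override the umask, as the earlier comment about setfacl notes.

```shell
# Added example, not from the original thread. POSIX sh; needs mktemp and ls.
# Assumes the temp filesystem carries no default ACLs (those override umask).

# expected_mode BASE MASK: clear every bit of the umask from BASE (666 for
# files, 777 for directories) and print the result in octal, e.g. 666 022 -> 644
expected_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# sym_to_octal 'drwxr-x---': turn an ls permission string into octal (750)
sym_to_octal() {
    s=$1
    out=''
    for start in 2 5 8; do
        triple=$(printf '%s\n' "$s" | cut -c"$start"-"$((start + 2))")
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac
        case $triple in ?w?) n=$((n + 2)) ;; esac
        case $triple in ??[xst]) n=$((n + 1)) ;; esac   # s/t: exec plus setid/sticky
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# created_mode KIND MASK: create a file (f) or directory (d) under umask MASK
# in a scratch dir and report the octal mode it actually received
created_mode() {
    tmp=$(mktemp -d)
    if [ "$1" = d ]; then
        ( umask "$2" && mkdir "$tmp/x" )
    else
        ( umask "$2" && : > "$tmp/x" )
    fi
    sym=$(ls -ld "$tmp/x" | cut -c1-10)
    rm -rf "$tmp"
    sym_to_octal "$sym"
}

# check_umask MASK: compare the arithmetic with reality for both kinds
check_umask() {
    ef=$(expected_mode 666 "$1"); of=$(created_mode f "$1")
    ed=$(expected_mode 777 "$1"); od=$(created_mode d "$1")
    if [ "$ef" = "$of" ] && [ "$ed" = "$od" ]; then
        printf 'umask %s: new file %s, new directory %s (ok)\n' "$1" "$of" "$od"
    else
        printf 'umask %s: expected %s/%s but got %s/%s\n' "$1" "$ef" "$ed" "$of" "$od"
        return 1
    fi
}

for m in 022 027 077 002; do
    check_umask "$m"
done
```

    Note that the "subtract from 777" shortcut in the answer only happens to agree with the bitwise form when no umask digit has a bit that is already clear in the base; the bitwise AND with the complement is what the kernel actually does, which is why expected_mode uses it rather than subtraction.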

    LVL 3

    Expert Comment

    Hi kecoak,

    Check my answer in the following question:

    I hope it helps you. =0)
