Default umask is 022 for ALL users, even when not wanted

Bug #481825 reported by Lee Bryant
Affects: base-files (Ubuntu) | Status: Won't Fix | Importance: Wishlist | Assigned to: Unassigned

Bug Description

Problem:
1) Add User GUI appears to work fine.
2) GUI shows each user with a unique group and id.
3) Nautilus will allow you to breeze through ALL users, ALL files, AND execute others scripts.
4) CLI shows each user defined by chown drwx_rx_x

I've posted this previously in much greater detail. I didn't get a response the first time, so I figured I just did something wrong and no one wanted to address a silly mistake. So I did a fresh install and I have the *same exact problem*

Whenever I add a user via the "Add User" GUI it adds a user. However this, and all users have complete permissions over anyone else (777.)

I am not talking about the Public folder. I am talking about ALL folders and files.

Terminal Output:

generic@generic-laptop:/home$ ls -al
total 36
drwxr-xr-x 6 root root 4096 2009-11-13 04:10 .
drwxr-xr-x 21 root root 4096 2009-11-13 03:40 ..
drwxr-xr-x 2 bark bark 4096 2009-11-13 04:07 bark
drwxr-xr-x 2 center center 4096 2009-11-13 04:10 center
drwxr-xr-x 30 generic generic 4096 2009-11-13 04:15 generic
drwx------ 2 root root 16384 2009-11-13 03:25 lost+found

I can look at the GUI and it tells me that the user has a unique ID, and that they have their own unique group. However, chown shows that this is clearly not true.

What am I doing wrong? And don't tell me it is a progression of that free-lovin' let others peek into your public folder...

I don't have this problem in Xubuntu. The only reason I am sticking to Ubuntu is it's slicker and there are more utilities.

WeatherGod (ben-v-root) wrote :

Moving this to the system tools package. Maybe the GUI is imposing its own umask instead of following the default umask?

affects: ubuntu → gnome-system-tools (Ubuntu)
WeatherGod (ben-v-root) wrote :

Lee, thank you for taking the time to help make Ubuntu better. Just as a double check, could you please post the output of the 'umask' command in your terminal?

Changed in gnome-system-tools (Ubuntu):
status: New → Incomplete
Milan Bouchet-Valat (nalimilan) wrote :

That's nothing to do with the gnome-system-tools. umask is set by some other part of the system, have a look at /etc/profile and /etc/skel/.profile.

affects: gnome-system-tools (Ubuntu) → base-files (Ubuntu)
summary: - Add User GUI assigns 777 to ALL users, even when not wanted
+ Default umask is 777 for ALL users, even when not wanted
Milan Bouchet-Valat (nalimilan) wrote : Re: Default umask is 777 for ALL users, even when not wanted

Lee Bryant: note that umask does not allow users to read other users' files: it decides what are the permissions of the user's own files.

C de-Avillez (hggdh2) wrote :

The default umask on Ubuntu is 022 -- meaning user files and directories will be created with 755 permissions, at most. This matches the directories shown in the description.

summary: - Default umask is 777 for ALL users, even when not wanted
+ Default umask is 022 for ALL users, even when not wanted
C de-Avillez (hggdh2) wrote :

Adjusted the bug title.

Lee Bryant (rlb-contact) wrote :

OK, here is umask output in the home/ dir

generic@generic-laptop:/home$ umask -p
umask 0022
generic@generic-laptop:/home$ umask -S
u=rwx,g=rx,o=rx
generic@generic-laptop:/home$

Why would I want for someone (or anyone) to waltz into any other user's folder and monkey around? I have tax forms on one user, while another is meant for a roommate. I don't think that this is the best security feature here. I know that 9.04 upset a lot of people with just one folder being public. But why would you now want them ALL to be public?

C de-Avillez (hggdh2) wrote :

I disagree. Security and convenience usually do not go together; a default umask of 022 is a nice middle-term: by default you can see other users' directories and files, but you cannot *change* them.

On my laptop this is a perfectly acceptable umask. On my servers I usually force a default umask of 077 -- meaning that by *default* only the creator/owner has *any* access to files created by him/her.

As *you* want more lockdown, others would rather have less.

BTW, 'umask' is set for the session (terminal, login), not for a particular directory.

C de-Avillez (hggdh2) wrote :

Hum. I should rather have said "privacy and convenience", as opposed to "security and convenience".

Lee Bryant (rlb-contact) wrote :

That's all fine and good, but I think that having even read only access to others files seems weird. I have medical, financial and other sensitive information as does my room mate. It seems like bad policy to let anyone snoop around your stuff. I don't see what good it is to allow this.

Sorta like having a window with no blinds. Sure you can't climb in, or do much of anything. But you can get a long peek, especially in sensitive areas (bedroom, bathroom, you get the idea.) As you mentioned you can't change anything inside, but it sure can make for compromised information.

I followed the request for umask. I did not comment on its philosophy.

Don't be too snarky with the *comments*. It comes across as rude.

Lee Bryant (rlb-contact) wrote :

If this is considered normal (umask 022) should I conclude this thread?

Or is it possible to have a review and look at giving non-power users (like me) the option of deciding on policy via the GUI?

Thanks,
Lee

Milan Bouchet-Valat (nalimilan) wrote :

Having a GUI for that would be good, but it's hard to tell where we should show this kind of setting, other than in an optional advanced users control applet. For most desktop users, the current default is fine. Anyway, a bug report is not the place to discuss that.

Changing the default policy should be discussed on a development mailing list such as ubuntu-devel-discuss, though I don't think developers will accept to change it. If you want a GUI to be created, this would require a specification with considerations about the interface, where to put it etc., and somebody willing to work on it. Not so easy!

For now, I can advise you to:
- edit your personal umask in ~/.bash_profile, which is not so hard to do, and possibly do the same in /etc/profile for new users too
- or simply make the root of your home folder readable only by you. This will prevent people from discovering what's in it, even if they could theoretically read the files if they knew their path. This is easy to do graphically and should be enough in the case of your roommate.

Thanks for your attention to this problem, anyway!

Changed in base-files (Ubuntu):
importance: Undecided → Wishlist
status: Incomplete → Won't Fix
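The two pieces of advice in this thread (the umask 022 → 755 explanation earlier, and the "edit your umask / make the root of your home folder readable only by you" suggestions just above) can be checked rather than taken on faith. The script below is an added example written for this page; it is not from the bug thread, from Ubuntu's base-files package, or from gnome-system-tools. The function names (effective_mode, mode_string, demo_umask, others_have_access, lock_down_dir) are my own, and the temporary directories it creates are constructed test data.

```shell
#!/bin/sh
# Added example (not from the bug thread): how a umask becomes a file mode,
# and a check plus fix for the "everyone can read my home dir" situation.

# A new file is requested with mode 666 and a new directory with 777 by almost
# every program; the kernel clears whatever bits the umask has set.
effective_mode() {
    umask_val=$1   # e.g. 022 or 077
    request=$2     # 666 for files, 777 for directories
    printf '%03o\n' $(( 0$request & ~0$umask_val & 0777 ))
}

# Render a three-digit octal mode the way ls -l shows it (rwxr-xr-x ...).
mode_string() {
    m=$1; out=""
    for i in 1 2 3; do
        d=$(printf '%s' "$m" | cut -c"$i")
        case $d in
            0) out="${out}---" ;; 1) out="${out}--x" ;;
            2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;;
            6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
        esac
    done
    printf '%s\n' "$out"
}

# First ten characters of ls -ld output, e.g. "drwxr-xr-x" (ignores the ACL
# or SELinux marker some systems append as an eleventh character).
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a directory under the given umask in a scratch area and report the
# permission string the kernel actually gave it (the same experiment as
# running "umask 077; mkdir x; ls -ld x" by hand).
demo_umask() {
    um=$1
    tmp=$(mktemp -d)
    ( umask "$um" && mkdir "$tmp/d" )
    perm=$(perm_of "$tmp/d")
    rm -rf "$tmp"
    printf '%s\n' "$perm"
}

# True (exit 0) when the "other" triplet has any of r, w or x set, which is
# what allows another login on the same machine to list or enter the dir.
others_have_access() {
    [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# The "make the root of your home folder readable only by you" advice:
# drop group and other bits on the top-level directory. Without search (x)
# permission on that directory no path below it can be opened by others,
# even though the files underneath keep their 644 modes.
lock_down_dir() {
    chmod go-rwx "$1"
}

# Show what the two umasks discussed in the thread produce.
for um in 022 077; do
    f=$(effective_mode "$um" 666)
    d=$(effective_mode "$um" 777)
    printf 'umask %s: file %s (%s)  directory %s (%s)\n' \
        "$um" "$f" "$(mode_string "$f")" "$d" "$(mode_string "$d")"
done
```

Run it as-is to see the 022 versus 077 table; `demo_umask 077` confirms the kernel really hands out `drwx------`, and `others_have_access "$HOME"` followed by `lock_down_dir "$HOME"` is the scripted form of the Nautilus "readable only by you" change. Note that locking down the top of the home directory stops traversal but does not change how new files are created: they keep arriving as 644 until the umask itself is changed in ~/.bash_profile (or /etc/profile for everyone), as suggested in the comment above.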
C de-Avillez (hggdh2) wrote :

<personal view>
I think it would be cool to have a programme/package/whatever that would allow one to create/change/delete security and privacy policies (or a series of pre-defined policy sets allowing for some pre-defined views, like "I trust the world", "Mandatory Access Control", "Privacy", or whatever). This is not an easy task, though, and may require synchronisation and/or dependencies between a series of packages.

But it sure would beat having to (as in your case) edit different files, in different places, to change the default umask, and having to 'cd ~ && chmod -R o-rwx *' to take out any "other" access to your home dir.

Why don't you propose it?
</personal view>

I am sorry if I sounded snarky. I am unsure, though, where it happened.

Milan Bouchet-Valat (nalimilan) wrote :

That *could* go into users-admin, since I can't find another place to put it. Or maybe a nautilus option in the properties of your home dir could be good. Changing the default umask is something that the system-tools-backends can do, but ATM only in /etc/login.defs, so tweaking /etc/profile and ~/.bash_profile is not really trivial to do. Then we'd also have to add support for changing file permissions, not complex, but still some work.

I won't have time to do this in this cycle anyways, but that may be an idea for later, it would fit nicely into the rework users-admin GUI.

Lee Bryant (rlb-contact) wrote :

C de-Avillez,
Sorry if I came across as aggressive too. I was desperately tired and felt extremely frustrated. When I woke in the morning I felt like an arse, so my apologies.

Thanks for the idea on an app. The biggest problem I had with using chown/chmod was the -R command. It works fine until it comes across the .gvfs in your home folder. Even as sudo it won't allow me to change. I've read about it, and it seems to be designed that way for reasons I don't understand. There is a steep learning curve when using the CLI.

My best solution is:
1) Log in as user of account
2) Start Nautilus
3) navigate (via Nautilus) to the home folder.
4) Right click on your own folder within home
5) goto Properties
6) goto Permissions
7) set up desired permissions
8) click on "Apply Permissions to Enclosed files"
9) Mission accomplished

It has been recommended that I
"- edit your personal umask in ~/.bash_profile, which is not so hard to do, and possibly to the same in /etc/profile for new users too"

This is part of the CLI learning curve. I don't know how to do it, but if anyone could give me some advice I'd greatly appreciate it.

Thanks for the help.
Lee

Lee Bryant (rlb-contact) wrote :

Milan,
Why not place this in the reworked users-admin GUI anyways? It may be until 10.04 or 10.06 but it would be useful for beginners (and people in between worlds) to know this stuff and learn it anyways.

I've always wondered why there isn't more of a bridge between GUI to CLI. One day everything is nice and see, point and click. The next thing you have to do is run some sort of shell program or edit a file. It's a big leap. I go through the man pages or online resources but they are clearly not meant for someone like me. The closest I've come to a good resource that speaks to me is "The Linux Phrase Book."

Thanks,
Lee

C de-Avillez (hggdh2) wrote :

@Lee

Some points:

(1) it is strange that ~/.gvfs gives you an error. Can you please run, from your home dir, 'ls -laR .gvfs' and paste the output here?

(2) for the snarky (or not): no problems. I am told that I tend to be too direct-to-the-point, so to speak. My question was genuine (I am trying to be more, er, nice).

(3) for the 'man' pages (and the 'info' pages as well): indeed. It is well-known that the UNIX manual pages are not a place for one to *learn* UNIX -- they usually describe the commands, and the options, but it is assumed all over that one already *knows* most of the stuff (and is just looking for a specific option, or refreshing the memory). I do not know of any freely-available "CLI for the Beginners" book, but there is the Ubuntu Pocket Guide and Reference that goes into some details (not too much, though). It is available from Google Books (http://books.google.com/books?id=kHLlJzI6L20C&printsec=frontcover#v=onepage&q=&f=false). CAVEAT: I have not read it. Another option is the Official Ubuntu Guide, just released -- and a good book.

Lee Bryant (rlb-contact) wrote : Re: [Bug 481825] Re: Default umask is 022 for ALL users, even when not wanted

Hi,
Here's the output

generic@generic-laptop:~$ ls -laR .gvfs
.gvfs:
total 4
dr-x------ 2 generic generic 0 2009-11-14 21:45 .
drwxr-xr-x 29 generic generic 4096 2009-11-14 21:45 ..
generic@generic-laptop:~$

Don't worry about the snarky comment. It can be hard to read emotion over an
email.

Thanks for the info on additional books, etc.

Questions:
I would like to track my messages, bugs etc on launchpad. However I cannot
find a way to do so. I must be missing something. For instance, I cannot
this thread on launchpad. The only way I can respond is either by email or
what was once a link. I installed a PGP so I could directly write to
launchpad. But this has limited utility.

Thanks,
Lee

On Sat, Nov 14, 2009 at 6:45 PM, C de-Avillez <email address hidden> wrote:

> @Lee
>
> Some points:
>
> (1) it is strange that ~/.gvfs gives you an error. Can you please run,
> from your home dir, 'ls -laR .gvfs' and paste the output here?
>
> (2) for the snarky (or not): no problems. I am told that I tend to be
> too direct-to-the-point, so to speak. My question was genuine (I am
> trying to be more, er, nice).
>
> (3) for the 'man' pages (and the 'info' pages as well): indeed. It is
> well-known that the UNIX manual pages are not a place for one to *learn*
> UNIX -- they usually describe the commands, and the options, but it is
> assumed all over that one already *knows* most of the stuff (and is just
> looking for a specific option, or refreshing the memory). I do not know
> of any freely-available "CLI for the Beginners" book, but there is the
> Ubuntu Pocket Guide and Reference that goes into some details (not too
> much, though). It is available from Google Books
> (
> http://books.google.com/books?id=kHLlJzI6L20C&printsec=frontcover#v=onepage&q=&f=false
> ).
> CAVEAT: I have not read it. Another option is the Official Ubuntu Guide,
> just released -- and a good book.
>
> --
> Default umask is 022 for ALL users, even when not wanted
> https://bugs.launchpad.net/bugs/481825
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “base-files” package in Ubuntu: Won't Fix
>
> Bug description:
> Problem:
> 1) Add User GUI appears to work fine.
> 2) GUI show each user with unique goup and id.
> 3) Nautilus will allow you to breeze through ALL users, ALL files, AND
> execute others scripts.
> 4) CLI shows each user defined by chown drwx_rx_x
>
> I've posted this previously in much greater detail. I didn't get a response
> the first time, so I figured I just did something wrong and no one wanted to
> address a silly mistake. So I did a fresh install and I have the *same exact
> problem*
>
> Whenever I add a user via the "Add User" GUI it adds a user. However this,
> and all users have complete permissions over anyone else (777.)
>
> I am not talking about the Public folder. I am talking about ALL folders
> and files.
>
>
> Terminal Output:
>
> generic@generic-laptop:/home$ ls -al
> total 36
> drwxr-xr-x 6 root root 4096 2009-11-13 04:10 .
> drwxr-xr-x 21 root root 4096 2009-11-13 03:40 ..
> drwxr-xr-x 2 bark bark 4096 2009-11-13 04:07 bark
> drwxr-xr-x 2 center center 4096 2009-11-13 0...


