>>>>> "Bob" == Bob Rosbag <[email protected]> writes:

    Bob> Did some more testing.  useradd uses USERGROUPS_ENAB in
    Bob> /etc/login.defs and adduser uses USERGROUPS in
    Bob> /etc/adduser.conf. This is only used for creating new users.
    Bob> Active users, independent of which tool they were created with, use
    Bob> UMASK in /etc/login.defs (since Trixie). When the primary group
    Bob> name is the same as the username, then group permissions are equal to
    Bob> owner permissions. The 'group' entry in the UMASK value is
    Bob> omitted.  Only way to get a different umask for 'group'
    Bob> relative to 'owner' is setting umask in
    Bob> /etc/profile. Services/applications started by systemd don't
    Bob> use /etc/profile and 'UMask' in systemd seems non-functional so
    Bob> there is no way to get an effective umask of 022 in kde/plasma.

This is by design.
I think the idea is that you want to be able to set the group bits in
the mask to read only if some users don't have usergroups (system users
etc), but to get write bits enabled for users where usergroups are in
use.

Here's the code.

  if (options->usergroups)
    {
      /* if not root and username is the same as primary group name,
         set umask group bits to be the same as owner bits
         (examples: 022 -> 002, 077 -> 007).  */
      if (pw->pw_uid != 0)
        {
          struct group *grp = pam_modutil_getgrgid (pamh, pw->pw_gid);
          if (grp && (strcmp (pw->pw_name, grp->gr_name) == 0))
            {
              mode_t oldmask = umask (0777);
              umask ((oldmask & ~070) | ((oldmask >> 3) & 070));
            }
        }
    }


It seems like for your use case you could turn off usergroups but
manually set up a user group for your single user.

Also, there's apparently a mechanism to set user umask from the gecos
field in /etc/passwd.  That overrides the above code.

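The group-bit rewrite from the excerpt quoted in the reply above, worked through as an added example (not part of the original message and not pam_umask's own code). It applies the same condition and bit arithmetic to constructed accounts, with usergroups on and off, and shows the resulting file and directory modes. The helper names `effective_umask` and `created_mode` and the sample accounts are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Constructed sample accounts; names and uids are illustrative only. */
struct account { const char *user; const char *group; uid_t uid; };

/* Same condition and bit arithmetic as the quoted excerpt, but pure:
   names and mask are passed in instead of calling
   pam_modutil_getgrgid() and umask(). */
static mode_t effective_umask(int usergroups, const struct account *a, mode_t mask)
{
    if (usergroups && a->uid != 0 && strcmp(a->user, a->group) == 0)
        return (mask & ~070) | ((mask >> 3) & 070);  /* group bits := owner bits */
    return mask;
}

/* Mode a new object gets when a program requests `requested` under `mask`. */
static mode_t created_mode(mode_t requested, mode_t mask)
{
    return requested & ~mask & 0777;
}

int main(void)
{
    const struct account accts[] = {
        { "root",  "root",  0    },  /* uid 0 is exempt */
        { "alice", "alice", 1000 },  /* group named after user: relaxed */
        { "bob",   "users", 1001 },  /* shared primary group: unchanged */
    };
    const mode_t masks[] = { 022, 027, 077 };

    for (int ug = 1; ug >= 0; ug--)   /* usergroups on, then off */
        for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++)
            for (size_t m = 0; m < sizeof masks / sizeof masks[0]; m++) {
                mode_t eff = effective_umask(ug, &accts[i], masks[m]);
                printf("usergroups=%d %-5s:%-5s umask %03o -> %03o  file %03o dir %03o\n",
                       ug, accts[i].user, accts[i].group,
                       (unsigned)masks[m], (unsigned)eff,
                       (unsigned)created_mode(0666, eff),
                       (unsigned)created_mode(0777, eff));
            }
    return 0;
}
```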