On Red Hat by default file creation results in `-rw-r--r--` how to make any file creation (no matter the program used (`touch`, `python`...)) result in `-rw-------` by default?
Jun 5, 12:33pm

To ensure that all new files created by any user or program (e.g., touch, python, etc.) on a Red Hat system have the permissions -rw------- (i.e., 600) by default, you need to set the umask system-wide.


Solution: Set the System-Wide Umask

1. Understand Umask

  • The default umask for regular users is usually 022, which results in new files having permissions 644 (-rw-r--r--).
  • To get 600 (-rw-------), the umask must be 077.

2. Set Umask System-Wide

To apply this for all users and processes, you need to modify the PAM (Pluggable Authentication Modules) configuration and the systemd service manager (for system services).

A. For User Sessions (Login Shells)

Edit /etc/profile and /etc/bashrc (or /etc/bash.bashrc) to include:

```bash
umask 077
```

This ensures that all interactive shells (for all users) use umask 077.

B. For System Services (systemd)

Edit /etc/systemd/system.conf and uncomment/modify the following line:

```ini
DefaultUMask=0077
```

Then, reload systemd:

```bash
sudo systemctl daemon-reload
```

This ensures that all services started by systemd (e.g., cron jobs, web servers, etc.) use umask 077.

C. For PAM (All User Sessions)

Edit /etc/login.defs and set:

```ini
UMASK 077
```

This affects all user sessions, including non-interactive ones.

D. For Existing Users

If you want to enforce this for existing users, you can also add umask 077 to:

  • /etc/profile.d/custom_umask.sh (create this file if it doesn't exist)
  • /etc/bashrc (for non-login shells)

Example for /etc/profile.d/custom_umask.sh:

```bash
#!/bin/sh
umask 077
```

Make it executable:

```bash
sudo chmod +x /etc/profile.d/custom_umask.sh
```

3. Verify the Changes

  • Log out and log back in (or restart the system).

  • Test file creation:

    ```bash
    touch testfile
    ls -l testfile
    ```

    The output should show -rw-------.

  • For Python:

    ```python
    open("testfile.py", "w").close()
    ```

    Check permissions:

    ```bash
    ls -l testfile.py
    ```

    Should also be -rw-------.


4. Important Notes

  • Root User: If you want the root user to also follow this umask, ensure the above changes are applied to root's environment (e.g., /root/.bashrc).
  • Existing Files: This only affects newly created files. Existing files retain their current permissions.
  • Directories: By default, directories are created with 755 (drwxr-xr-x). With umask 077, new directories will be 700 (drwx------). If you want directories to remain 755, you need a more granular approach (e.g., using ACLs or custom scripts).

5. Alternative: Use ACLs (Advanced)

If you need more fine-grained control (e.g., different umasks for different users/groups), consider using Access Control Lists (ACLs) with setfacl. However, this is more complex and not necessary for your use case.


Summary of Steps

| File | Action |
| --- | --- |
| /etc/profile | Add umask 077 |
| /etc/bashrc | Add umask 077 |
| /etc/login.defs | Set UMASK 077 |
| /etc/systemd/system.conf | Set DefaultUMask=0077 |
| /etc/profile.d/custom_umask.sh | Create with umask 077 |

After applying these changes, all new files created by any user or process will have -rw------- permissions by default.

Jun 5, 12:33pm
