> This is by design.
> I think the idea is that you want to be able to set the group bits in
> the mask to read only if some users don't have usergroups (system users
> etc), but to get write bits enabled for users where usergroups are in
> use.
>
> Here's the code.
>
> if (options->usergroups)
>   {
>     /* if not root and username is the same as primary group name,
>        set umask group bits to be the same as owner bits
>        (examples: 022 -> 002, 077 -> 007). */
>     if (pw->pw_uid != 0)
>       {
>         struct group *grp = pam_modutil_getgrgid (pamh, pw->pw_gid);
>         if (grp && (strcmp (pw->pw_name, grp->gr_name) == 0))
>           {
>             mode_t oldmask = umask (0777);
>             umask ((oldmask & ~070) | ((oldmask >> 3) & 070));
>           }
>       }
>   }
>
>
> It seems like for your use case you could turn off usergroups but
> manually set up a user group for your single user.
>
> Also, there's apparently a mechanism to set user umask from the gecos
> field in /etc/passwd. That overrides the above code.
>
The gecos field was the only option I had not tried yet, but it does indeed
work. Thanks!
chfn -o "umask=0022" jack
Resulted in jack:jack 644
I already converted everything to 1000:100 or bob:users with umask 022 and
disabling UPG is also easy to implement within live-build images.
But good to know the gecos field works.
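As an added illustration (not code from pam_umask or from either poster), the program below models the decision order described in this thread: a `umask=` entry in the gecos field wins outright; otherwise, with usergroups on, a non-root user whose name matches its primary group gets the owner bits copied into the group bits, exactly the shift in the quoted snippet. The gecos parsing is a simplified, assumed scan for `umask=NNN` in a comma-separated string, not pam_umask's own parser; the accounts passed to it (jack:jack, bob:users, root) are constructed to mirror the two setups mentioned above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* User-private-group adjustment quoted in the thread: copy the owner bits
 * (bits 6-8) into the group bits (bits 3-5), so 022 -> 002, 077 -> 007,
 * and 027 -> 007 (owner bits are zero, so group bits become zero). */
mode_t upg_adjust(mode_t oldmask)
{
    return (oldmask & ~070) | ((oldmask >> 3) & 070);
}

/* Scan a comma-separated gecos string for "umask=NNN" and return the octal
 * value, or -1 if there is none or it is malformed. Assumed, simplified
 * parsing for illustration only; it is not pam_umask's own parser. */
long gecos_umask(const char *gecos)
{
    const char *p = gecos;
    if (p == NULL)
        return -1;
    while (*p != '\0') {
        while (*p == ',' || *p == ' ')      /* skip empty fields/padding */
            p++;
        if (strncmp(p, "umask=", 6) == 0) {
            char *end;
            unsigned long v = strtoul(p + 6, &end, 8);
            if (end == p + 6 || (*end != '\0' && *end != ','))
                return -1;                  /* no digits, or trailing junk */
            return v > 0777 ? -1 : (long)v; /* reject values wider than rwx */
        }
        p = strchr(p, ',');                 /* move to the next field */
        if (p == NULL)
            break;
    }
    return -1;
}

/* Mask a session ends up with, in the order the thread describes: a gecos
 * umask= entry overrides everything; otherwise, when usergroups is on and
 * the user is not root and shares a name with its primary group, the UPG
 * adjustment applies to the base mask (the module's own umask= option or
 * its default). */
mode_t effective_umask(uid_t uid, const char *name, const char *group,
                       const char *gecos, int usergroups, mode_t base)
{
    long g = gecos_umask(gecos);
    if (g >= 0)
        return (mode_t)g;
    if (usergroups && uid != 0 && group != NULL && strcmp(name, group) == 0)
        return upg_adjust(base);
    return base;
}

int main(void)
{
    /* Constructed sample accounts; gecos strings are in the layout chfn
     * writes (full name, then empty fields, then the "other" field). */
    printf("jack:jack, usergroups, no gecos entry -> %03o\n",
           (unsigned)effective_umask(1000, "jack", "jack", "Jack,,,", 1, 022));
    printf("jack:jack, usergroups, gecos umask=0022 -> %03o\n",
           (unsigned)effective_umask(1000, "jack", "jack", "Jack,,,,umask=0022", 1, 022));
    printf("bob:users, usergroups -> %03o\n",
           (unsigned)effective_umask(1000, "bob", "users", "Bob,,,", 1, 022));
    printf("root, usergroups -> %03o\n",
           (unsigned)effective_umask(0, "root", "root", "root", 1, 022));
    return 0;
}
```

The second printed case is the one reported in this thread: with `umask=0022` in the gecos field, jack's session keeps 022 even though jack:jack would otherwise be adjusted to 002, so new files come out 644. The bob:users case shows why converting accounts to a shared group sidesteps the adjustment entirely: the name comparison fails and the base mask is left alone.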