Linux 如何设置系统范围的umask?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10220531/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to set system wide umask?
提问by HansHarhoff
I am working in a lab where we are running Linux (Debian and Ubuntu). Usernames and group names are handled by NIS and yp. We have some common users that everybody has access to that run the experiments and then we each have our own users in addition there is a common group that we are all a member of.
我在一个运行 Linux(Debian 和 Ubuntu)的实验室工作。用户名和组名由 NIS 和 yp 处理。我们有一些公共用户,每个人都可以访问运行实验,然后我们每个人都有自己的用户,此外还有一个我们都是成员的公共组。
How can I make such that all files and directories on the shared /home/drive (NFS) is read/write(/executable) by user/group? Basically what I want is
如何使共享/home/驱动器 (NFS)上的所有文件和目录都可以被用户/组读/写(/可执行)?基本上我想要的是
chmod -R 664 /home
chgrp -R commongroup /home
or equivalently umask 0002.
或等效地umask 0002。
But running the above commands only fixes the current files in the folders and umask only works for single users and has to be run every time a user logs in ie. in the .bashrcfile (and will this work for changes mode via gnome?). Is there a system wide command or setting that I could use to make sure that our commongroup has write access to the common files?
但是运行上述命令只能修复文件夹中的当前文件,而 umask 仅适用于单个用户,并且每次用户登录时都必须运行,即。在.bashrc文件中(这是否适用于通过 gnome 的更改模式?)。是否有一个系统范围的命令或设置可以用来确保我们的 commongroup 具有对公共文件的写访问权限?
采纳答案by ephemient
Both Debian and Ubuntu ship with pam_umask. This allows you to configure umask in /etc/login.defsand have them apply system-wide, regardless of how a user logs in.
Debian 和 Ubuntu 都附带pam_umask。这允许您配置 umask/etc/login.defs并让它们在系统范围内应用,而不管用户如何登录。
To enable it, you may need to add a line to /etc/pam.d/common-sessionreading
要启用它,您可能需要在/etc/pam.d/common-session阅读中添加一行
session optional pam_umask.so
or it may already be enabled. Then edit /etc/login.defsand change the UMASKline to
或者它可能已经启用。然后编辑/etc/login.defs并将该UMASK行更改为
UMASK 002
(the default is 022).
(默认为022)。
Note that users may still override umask in their own ~/.profileor ~/.bashrcor similar, but (at least on new Debian and Ubuntu installations) there shouldn't be any overriding of umask in /etc/profileor /etc/bash.bashrc. (If there are, just remove them.)
请注意,用户仍然可以在他们自己的~/.profile或~/.bashrc类似的文件中覆盖 umask ,但是(至少在新的 Debian 和 Ubuntu 安装中)不应在/etc/profile或 中覆盖任何 umask /etc/bash.bashrc。(如果有,只需删除它们。)
回答by Yitz
First, make sure that the pam-modulespackage is installed. That makes the pam_umaskmodule available. Then make sure that /etc/pam.d/common-sessionhas a line of the form
首先,确保pam-modules安装了软件包。这使得该pam_umask模块可用。然后确保/etc/pam.d/common-session有一行表格
session optional pam_umask.so
so that pam_umaskis enabled.
这样pam_umask就启用了。
Now, according to the pam_umaskman page, the default umask is determined at login by checking each of the following places, in order:
现在,根据pam_umask手册页,通过依次检查以下每个位置,在登录时确定默认 umask:
A hard system-wide default set in
/etc/pam.d/common-session. To set it this way, replace the line from that file mentioned above with this:session optional pam_umask.so umask=002An entry in an individual user's GECOS field in
/etc/passwdoverrides a soft system-wide default for that specific user. Create that entry using a command of the form:chfn --other='umask=002' usernameAn line of the form
UMASK=002in/etc/default/login(you may need to create that file) sets a soft system-wide default.The
UMASKvalue from/etc/login.defs. That value is also used for something else (computing the permissions on the home directory of a new user that is being created; see the comments in/etc/login.defsfor more details). So it is best to avoid relying on this for setting the default umask for regular logins, to keep things separate.
在
/etc/pam.d/common-session. 要以这种方式设置,请将上述文件中的行替换为:session optional pam_umask.so umask=002单个用户的 GECOS 字段中的条目
/etc/passwd会覆盖该特定用户的软系统范围默认值。使用以下形式的命令创建该条目:chfn --other='umask=002' username表单
UMASK=002中的一行/etc/default/login(您可能需要创建该文件)设置软系统范围的默认值。该
UMASK从价值/etc/login.defs。该值还用于其他用途(计算正在创建的新用户的主目录的权限;/etc/login.defs有关更多详细信息,请参阅 中的注释)。因此,最好避免依赖此设置常规登录的默认 umask,以保持独立。
So in your case, you should configure this either in /etc/default/loginif you want it to be possible to override the setting for individual users, or set it in /etc/pam.d/common-sessionas described above if you want it to be the same for all users.
因此,在您的情况下,/etc/default/login如果您希望它可以覆盖单个用户的设置,则应该配置它,或者/etc/pam.d/common-session如果您希望它对所有用户都相同,则应如上所述进行设置。
Note that even with the hard default setting, users can still override the default umaskmanually by using the umaskcommand at the shell prompt or in their .profilescript.
请注意,即使使用硬默认设置,用户仍然umask可以通过umask在 shell 提示符或.profile脚本中使用命令手动覆盖默认设置。
Also note that the traditional Unix way to set this default is by adding a umaskcommand to /etc/profile, and that would also still work. But it's not the recommended way to configure things like this on Ubuntu, because that is hard to manage reliably using scripts and GUIs.
另请注意,设置此默认值的传统 Unix 方法是向 中添加umask命令/etc/profile,这也仍然有效。但这不是在 Ubuntu 上配置这样的东西的推荐方式,因为使用脚本和 GUI 很难可靠地管理它。
Note, unfortunately this stopped working for any application which has been converted to launch via systemd --user.
请注意,不幸的是,这对于任何已转换为通过systemd --user.
回答by speedstream
In order to match up the group rights, on the server, the set gid bit (one of the "sticky bits") can be considered as an additional option.
为了匹配组权限,在服务器上,可以将设置 gid 位(“粘滞位”之一)视为附加选项。
If the shared directory is linked to the group, launching (using root) : chmod -R 2775 folder_for_the_groupmay be interesting.
如果共享目录链接到组,启动(使用 root): chmod -R 2775 folder_for_the_group可能会很有趣。
For any new file created in the folder, the creator will be the owner, but the group will be automatically specified (as long as the creator is part of the group).
对于文件夹中创建的任何新文件,创建者将是所有者,但会自动指定组(只要创建者是组的一部分)。
Rights' grid now appears as -rwxrwsr-x+
权限的网格现在显示为 -rwxrwsr-x+
