That is most likely the rationale behind the umask that is set (at least on) RHEL systems.
You have your account ‘eric’ and have your files under ~eric.
The group ‘eric’ can write there too, but since user ‘eric’ is the only member of that group,
it does not matter whether there are other users or not; your files are safe even with 002.
If you do have to write to outside ~eric, then you have to do something extra anyway.
Let’s add another user, ‘rico’. ‘rico’ has files in ~rico that you can’t write.
Now, let’s add directory /group/common, group ‘common’ and add both users to group ‘common’.
Furthermore,
chgrp common /group/common
chmod 2770 /group/common
Now both ‘eric’ and ‘rico’ can write to /group/common.
The group sticky bit sets group of every created file to be ‘common’.
If both of you have umask 022, then you have to explicitly chmod g+w for everything you add so that both can modify the added files.
If both have umask 002, then you don’t have to do that; the default makes it so. (There are still actions that can lead to the need to “fix perms”.)
I do know (Linux) systems (with config probably inherited from Unix) where each user belongs only to a group that indicates affiliation. Rather than having
eric : eric common
rico : rico common
one has eric:common and rico:common, or perhaps eric:engineering and rico:marketing if the users are in different departments.
Note how RHEL’s default sets umask 022 for both. There can be many members in ‘engineering’, who all need write access to the engineering project data. The 022 becomes inconvenient.
You are free to set the default that minimizes needs for fixes in your environment.
PS. The if [ $UID -gt 199 ] is debatable. /etc/login.defs has:
#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
# Extra per user uids
SUB_UID_MIN 100000
SUB_UID_MAX 600100000
SUB_UID_COUNT 65536
- The 0–200 are reserved for system accounts that some packages explicitly create.
- The 201–999 are reserved for system accounts that some packages and admin request.
- The 1000-- are regular accounts.
Why should some system accounts have a different umask than other system accounts?
They are all less likely to “share”, aren’t they?
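
What the two umask values produce inside a 2770 directory, as an added example that is not part of the original post. A scratch directory from mktemp stands in for /group/common (an assumption, so neither root nor a second group is needed), the function names are made up for illustration, and it assumes Linux with a stat that supports -c.

```shell
#!/bin/sh
# Added example. A mktemp scratch directory stands in for /group/common
# (assumption), so this needs neither root nor a second group.
# Function names are hypothetical. Assumes Linux with GNU or BusyBox stat.

# Print the octal mode of a file created in directory $2 under umask $1.
new_file_mode() {
    ( umask "$1" && : > "$2/file.$1" && stat -c '%a' "$2/file.$1" )
}

# Print the octal mode of a subdirectory created in $2 under umask $1.
# On Linux a directory made inside a setgid directory inherits the bit.
new_dir_mode() {
    ( umask "$1" && mkdir "$2/dir.$1" && stat -c '%a' "$2/dir.$1" )
}

# Succeed if octal mode $1 has the group-write bit set, i.e. other
# members of the group can modify the object without a chmod g+w.
group_writable() {
    [ $(( 0$1 & 020 )) -ne 0 ]
}

demo() {
    shared=$(mktemp -d) || return 1
    chmod 2770 "$shared"          # same mode as the post's /group/common
    for mask in 022 002; do
        f=$(new_file_mode "$mask" "$shared")
        d=$(new_dir_mode "$mask" "$shared")
        if group_writable "$f"; then fix="no chmod needed"; else fix="needs chmod g+w"; fi
        echo "umask $mask: file $f, subdir $d -> $fix"
    done
    rm -rf "$shared"
}

demo
```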