Users and groups in Debian: getting it right

Published by Matthew Davidson on Thu, 19/10/2017 - 1:15pm

So ideally when I set up a new computer, I want all the users I trust — including, by necessity and regrettably, myself — to be in the staff group, and all the files they create to be by default writable by anyone in that group. This ought to be easy, and in fact now is, but has changed repeatedly over the decades I've been using Debian GNU/Linux, so I can never remember how it's done, hence this note.

You will need to do all this as root, and to be on the safe side, make sure any user(s) you want to put into the staff group are not currently logged in, as files and directories in the affected home directories will be reassigned to the group, which (I guess) won't work for any currently opened by a running process.

If you enable the pam_umask PAM module, you will only need to configure group-writability once, and it will work regardless of whether you're logging in locally, SSHing, or whatever. As root, edit /etc/pam.d/common-session to include this line:

session optional        pam_umask.so

Then edit the umask line in /etc/login.defs like so:

UMASK 002

If yours isn't a fresh Debian install, the umask setting may already have been overridden in one or more of:

  • /etc/profile
  • /etc/bash.bashrc
  • ~/.profile
  • ~/.bashrc

If so, delete or comment out those umask lines where necessary. (Source)
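A way to check the three things above (the pam_umask line, the UMASK value, and any leftover overrides) on a given machine, as an added example that is not part of the original post. The function names are made up for illustration, and the optional root-prefix argument is an assumption so the checks can be pointed at a test tree instead of the live system.

```sh
#!/bin/sh
# Added example: audit the umask setup described above.
# All function names are illustrative. $1 is an optional root prefix
# (empty means the live system); $2 is the home directory to check.

# Succeeds if an uncommented session line loads pam_umask.so.
pam_umask_enabled() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#]*pam_umask\.so' \
        "${1:-}/etc/pam.d/common-session" 2>/dev/null
}

# Prints the value of the first uncommented UMASK line in login.defs.
login_defs_umask() {
    awk '$1 == "UMASK" { print $2; exit }' "${1:-}/etc/login.defs" 2>/dev/null || true
}

# Prints file:line:text for each uncommented umask command in the four
# files the post lists as possible overrides.
umask_overrides() {
    for f in "${1:-}/etc/profile" "${1:-}/etc/bash.bashrc" \
             "${2:-$HOME}/.profile" "${2:-$HOME}/.bashrc"; do
        grep -EHn '^[[:space:]]*umask[[:space:]]+[^[:space:]#]' "$f" 2>/dev/null || true
    done
}

# Runs all three checks; returns 0 only if the setup matches the post.
audit_umask() {
    rc=0
    pam_umask_enabled "${1:-}" || { echo "pam_umask.so not enabled in common-session"; rc=1; }
    u=$(login_defs_umask "${1:-}")
    case $u in
        002|0002) ;;
        *) echo "login.defs UMASK is '${u:-unset}', expected 002"; rc=1 ;;
    esac
    o=$(umask_overrides "${1:-}" "${2:-$HOME}")
    [ -z "$o" ] || { echo "umask overridden in:"; echo "$o"; rc=1; }
    return $rc
}

# Audit the live system only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_umask "" "$HOME"; fi
```

Run it once per user whose home directory you care about, passing that home directory as the second argument to `audit_umask`.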

Adding a user to the staff group is:

usermod -a -G staff myusername

Making staff the user's primary group — the group that owns newly created files and directories by default — is just:

usermod -g staff myusername

Too easy.