How to programmatically maintain umask in /etc/profile and /etc/bashrc

Question

I am looking for a way to programmatically maintain a consistent umask in the files /etc/profile and /etc/bashrc. They have an entry such as follows:

if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
  umask 002
else
  umask 022
fi

So I would like to programmatically check for the first if statement above. If found, check to verify the next line is a umask (and not a comment) and if so, set it back to my standard umask if it has deviated from it. I realize I could just copy the entire file but would rather not disturb other changes that may have been made. I'm sure someone has done with with sed/awk/grep and can share or perhaps have thoughts on how to achieve this? I am required to maintain a umask for the login shell and for the non-login shell. It references this at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/assembly_managing-the-umask_configuring-basic-system-settings. Thank you.

Answer 1

I fail to understand why this could make any sense (see comments), but your task can be done like this:

sed -i".bak" '\_if \[ $UID -gt 199 ] && \[ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then_,/^[^#]*else/s/^\([^#]*umask\).*/\1 002/' /etc/profile /etc/bashrc

The address range covers all lines between your if clause and the next not-comment else. In this line a not-comment umask is changed to 002.

Note that you need to escape the [ and that I did choose the underscore as delimiter for the first address to avoid escaping all slashes.

If really somebody/something is changing those files, you might consider using a more flexible pattern for the if line; otherwise changing the if line along with the umask line will break the script. Maybe

sed -i".bak" '/if.*$UID *-gt *199/,/^[^#]*else/s/^\([^#]*umask\).*/\1 002/' /etc/profile /etc/bashrc

Answer 2

I am looking for a way to programmatically maintain a consistent umask in the files /etc/profile and /etc/bashrc. They have an entry such as follows:

if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
  umask 002
else
  umask 022
fi

I would like to programmatically check for the first if statement above. If found, check to verify the next line is a umask (and not a comment) and if so, set it back to my standard umask if it has deviated from it.

Why would comments appear in the middle of the if command? There are none in your example. You can simplify this process greatly by having the code identically formatted anywhere you need to check for its presence. If you can do that, here's a Python script that will do what you're asking. Make sure the code text between the triple quotes is exactly the same at is appears in the files you want to check (although in this case it really doesn't cause any problems if the code appears more than once in a script):

snippet = '''
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
  umask 002
else
  umask 022
fi
'''
with open('/etc/profile','r+') as f:
    if snippet not in f.read():
        f.write(snippet)
with open('/etc/bashrc','r+') as f:
    if snippet not in f.read():
        f.write(snippet)

Because the write locations are root-owned you would need to use sudo when invoking the script: sudo python myscript.py or sudo python3 myscript.py. The script checks if /etc/bashrc and /etc/profile contain the block of text defined in snippet and if not it is appended to the file(s).

Is this even worth doing?

Since you express concerns that the content of /etc/bashrc and /etc/profile might get changed I have to wonder who you think would be doing those changes. If it's the system itself, well the umask values you want to use are the defaults anyway so I can't see the system changing those to anything else. On the other hand, if you've got a gremlin or another sudoer who fiddles with those files...

It's important to realize that a test which tells you the code text is already in the script tells you nothing about whether that code will be executed. It's very easy to make some subtle changes that will make your code not execute despite it being in the script.

Here's one where the code only executes if false = true (i.e., never):

if false; then

if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
  umask 002
else
  umask 022
fi

fi

This one wraps the code in a HEREDOC string which is never called.

: <<'no-umask-4u'

if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
  umask 002
else
  umask 022
fi

no-umask-4u

This one simply changes the umask after your code executes (very simple example here):

if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
  umask 002
else
  umask 022
fi

umask 077

Now what? In all of the above scenarios any programmatic test for the presence of your code text in the scripts will pass even though the code will never actually be executed (or in the case of the last one it executes but is subsequently overridden).

I realize I could just copy the entire file but would rather not disturb other changes that may have been made.

Generating a sha1 hash of the file and checking to see if it ever changes might be worth considering (it would certainly be more robust than a simple check if the code is in the file somewhere). I am curious what would be the source of the "other changes" you're concerned about.