Ubuntu: default access mode (permissions) for users home dir (/home/user)

When creating a user using useradd --create-home username, the skeleton directory (usually /etc/skel) is copied, including its permissions.

The home directory (/home/username) is subject to the UMASK setting in /etc/login.defs. This is set to 022 by default, so the permissions for /home/username becomes 755.

Relevant excerpt from the Ubuntu manual page of useradd:

The following configuration variables in /etc/login.defs change the behavior of this tool:
UMASK (number)

The file mode creation mask is initialized to this value. If not specified, the mask will be initialized to 022.

useradd and newusers use this mask to set the mode of the home directory they create

Default permission of user home can be controlled in following places.

  • The skeleton directory option (-k, --skel SKEL_DIR) of useradd.
  • SKEL value in /etc/adduser.conf that define default skeleton directory.
  • DIR_MODE value in /etc/adduser.conf that define default permissions.

Home directory of new users are created using /etc/skel as a template (default behavior).
Default permission of /etc/skel is 0755 (drwxr-xr-x).
Using a custom skeleton directory with correct permissions will allow new home directories to have desired permissions.

Defaults for adduser are defined in /etc/adduser.conf.
Default value of DIR_MODE in /etc/adduser.conf is 0755.
Changing DIR_MODE to correct permissions (DIR_MODE=0750 or similar) will allow new home directories to have desired permissions.
According to Ubuntu documentation, this seems to be the best option.

Already existing user home directories will need to be manually changed.

sudo chmod 0750 /home/username

So its a good idea to change /etc/adduser.conf right after the installation to avoid new users getting 0755 (drwxr-xr-x) type permissions.
Still the very first user created during installation will have 0755 set to its home directory, which should be manually changed.

UMASK in /etc/login.defs is a general setting for files/directories/etc created by users (not only in their home directories). and could get changed depending on USERGROUPS_ENAB in /etc/login.defs.

The official explanation: User Management - User Profile Security
Check other sections of User Management as well.

Related: https://askubuntu.com/questions/46501/why-can-other-users-see-the-files-in-my-home-folder

Note : Don't change the UMASK value in /etc/login.defs if you want to change the home directory permissions only. Cause changing the UMASK will affect everything.

I once followed the same and when i installed any package system wide using pip it was not accessible to other users and was constantly throwing permission denied. Since the default UMASK affected the permission of all the package directories that got created after the changes were applied.

The correct way is to modify DIR_MODE in /etc/adduser.conf. Since the /etc/adduser.conf is used in most linux distros so this solution works for most.