change default umask to 027

as per:

https://forums.whonix.org/t/change-default-umask/7416/47

debian/control

@@ -146,7 +146,7 @@ Description: enhances misc security settings
  .
  access rights restrictions:
  .
-  * The default umask is changed to 006. This allows only the owner and group
+  * The default umask is changed to 027. This allows only the owner and group
  to read and write to newly created files.
  /etc/login.defs.security-misc
  /usr/share/pam-configs/usergroups-security-misc
@@ -157,8 +157,8 @@ Description: enhances misc security settings
  https://wiki.debian.org/UserPrivateGroups
  /usr/share/pam-configs/usergroups-security-misc
  .
-  * Create home directory on login with umask 006 using
- pam_mkhomedir.so umask=006
+  * Create home directory on login with umask 027 using
+ pam_mkhomedir.so umask=027
  /usr/share/pam-configs/mkhomedir-security-misc
  .
   * Removes read, write and execute access for others for all users who have

etc/login.defs.security-misc

@@ -44,7 +44,7 @@ FAILLOG_ENAB		yes
 #
 # Enable display of unknown usernames when login failures are recorded.
 #
-# WARNING: Unknown usernames may become world readable. 
+# WARNING: Unknown usernames may become world readable.
 # See #290803 and #298773 for details about how this could become a security
 # concern
 LOG_UNKFAIL_ENAB	no
@@ -117,7 +117,7 @@ ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
 # However, the default and recommended value for TTYPERM is still 0600
 # to not allow anyone to write to anyone else console or terminal
 
-# Users can still allow other people to write them by issuing 
+# Users can still allow other people to write them by issuing
 # the "mesg y" command.
 
 TTYGROUP	tty
@@ -131,7 +131,7 @@ TTYPERM		0600
 #	UMASK		Default "umask" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
-# 
+#
 # UMASK is the default umask value for pam_umask and is used by
 # useradd and newusers to set the mode of the new home directories.
 # 022 is the "historical" value in Debian for UMASK
@@ -148,7 +148,7 @@ TTYPERM		0600
 #
 ERASECHAR	0177
 KILLCHAR	025
-UMASK		  006
+UMASK		  027
 
 #
 # Password aging controls:
@@ -197,7 +197,7 @@ LOGIN_TIMEOUT		60
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-# 
+#
 CHFN_RESTRICT		rwh
 
 #

etc/sudoers.d/umask-security-misc

@@ -1,5 +1,5 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 
-Defaults umask = 006
+Defaults umask = 027
 Defaults umask_override

usr/share/pam-configs/mkhomedir-security-misc

@@ -4,4 +4,4 @@ Priority: 100
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session:
-	optional	pam_mkhomedir.so umask=006
+	optional	pam_mkhomedir.so umask=027

usr/share/pam-configs/usergroups-security-misc

@@ -1,6 +1,6 @@
-Name: change default umask to 006 (by package security-misc)
+Name: change default umask to 027 (by package security-misc)
 Default: yes
 Priority: 256
 Session-Type: Additional
 Session:
-	optional	pam_umask.so	usergroups umask=006
+	optional	pam_umask.so	usergroups umask=027