change default umask to 027

as per:

https://forums.whonix.org/t/change-default-umask/7416/47

etc/login.defs.security-misc

@@ -44,7 +44,7 @@ FAILLOG_ENAB		yes
 #
 # Enable display of unknown usernames when login failures are recorded.
 #
-# WARNING: Unknown usernames may become world readable. 
+# WARNING: Unknown usernames may become world readable.
 # See #290803 and #298773 for details about how this could become a security
 # concern
 LOG_UNKFAIL_ENAB	no
@@ -117,7 +117,7 @@ ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
 # However, the default and recommended value for TTYPERM is still 0600
 # to not allow anyone to write to anyone else console or terminal
 
-# Users can still allow other people to write them by issuing 
+# Users can still allow other people to write them by issuing
 # the "mesg y" command.
 
 TTYGROUP	tty
@@ -131,7 +131,7 @@ TTYPERM		0600
 #	UMASK		Default "umask" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
-# 
+#
 # UMASK is the default umask value for pam_umask and is used by
 # useradd and newusers to set the mode of the new home directories.
 # 022 is the "historical" value in Debian for UMASK
@@ -148,7 +148,7 @@ TTYPERM		0600
 #
 ERASECHAR	0177
 KILLCHAR	025
-UMASK		  006
+UMASK		  027
 
 #
 # Password aging controls:
@@ -197,7 +197,7 @@ LOGIN_TIMEOUT		60
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-# 
+#
 CHFN_RESTRICT		rwh
 
 #

etc/sudoers.d/umask-security-misc

@@ -1,5 +1,5 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 
-Defaults umask = 006
+Defaults umask = 027
 Defaults umask_override