homme.io
Clean.Precise.Quick.

How to set umask for a system-user?

https://unix.stackexchange.com/questions/36220/how-to-set-umask-for-a-system-user

Q: Is it possible to set the umask for a system-user (created with useradd --system username)?

A: There are three normal ways to set a user's umask.

  1. Set UMASK in /etc/login.defs
  2. Add pam_umask.so to your PAM configuration in /etc/pam.d
  3. Set it in the shell startup files, e.g. /etc/profile

There is no difference between system users and normal users in this regard.

But I'm assuming you're trying to start a daemon with a custom umask?

The problem is: all of the above options happen when a user logs in. If you're running a daemon, it never logs in. It's started by init, then either runs as root, or calls setuid to run as the system user you specify.

Your main options are:

  1. put umask in your init script (do a grep umask /etc/init.d/* for an example)
  2. configure init to start the program with a custom umask (systemd.exec, upstart umask)
  3. if using start-stop-daemon, pass the umask option
  4. modify the program itself to call the umask function or system call
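
An added illustration of option 1 (not part of the quoted answer): the launching script sets the mask, and the daemon inherits it without any login taking place. `fake_daemon`, `run_with_umask` and `modes_under_umask` are hypothetical names, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: stand-in for an init script that starts a daemon with a
# custom umask. Nothing here reads /etc/profile or PAM; the mask is a
# per-process attribute that the child inherits from whatever launched it.

# Hypothetical daemon: it only creates a file and a directory, the way a
# real service would when writing its state.
fake_daemon() {
    : > "$1/state.db"    # requested mode 0666, reduced by the umask
    mkdir "$1/spool"     # requested mode 0777, reduced by the umask
}

# Run a command under a given umask without touching the caller's mask:
# the subshell gets its own copy, and the command inherits that copy.
run_with_umask() {
    mask=$1
    shift
    ( umask "$mask" && "$@" )
}

# Start the stand-in daemon under a mask and print "filemode dirmode".
modes_under_umask() {
    dir=$(mktemp -d) || return 1
    run_with_umask "$1" fake_daemon "$dir" || return 1
    printf '%s %s\n' "$(stat -c %a "$dir/state.db")" "$(stat -c %a "$dir/spool")"
    rm -rf "$dir"
}

modes_under_umask 0022   # 644 755
modes_under_umask 0027   # 640 750
modes_under_umask 0077   # 600 700
```

In a real init script the last line of `run_with_umask` would start the service binary instead of the stand-in function.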

 

ANOTHER PATH:

http://xopo3o.blogspot.com/2017/07/how-to-set-umask-for-user-has.html

 

Going back to last week, I worked on the case "change umask for SFTP/SSH user".

At that time, I simply thought that it was umask, so I added umask to ~/.bashrc and ~/.bash_profile.

But nothing changed. It means that I needed to think logically.

User login -> ssh -> pam.d/ssh -> /etc/profile (~/.bash_profile)

Why?
After a few seconds I saw that the ssh/sftp user's shell environment is /sbin/nologin, so it is not affected by ~/.bash_profile or /etc/profile.

So I needed to add "umask" at the "ssh" step of the flowchart:
User login -> ssh -> pam.d/ssh -> /etc/profile (~/.bash_profile)

 
I went to /etc/ssh/sshd_config:
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp internal-sftp
GatewayPorts no
 
and added the "-u 0022" umask as below:
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp internal-sftp -u 0022
GatewayPorts no
 
After that, I re-logged in and created a file, and I saw that the file's umask is 0022.
That's cool!
 

 

sdmrnv, 2019-06-04