The solution is to use a pam module named pam_umask. It is contained in the package libpam-modules which should be installed by default. After switching on the module the only thing that needs to be done is to add a umask setting to the Bacula users GECOS field.
For the copy paste fraction:
apt-get install libpam-modules echo "session optional pam_umask.so" >> /etc/pam.d/common-session usermod -c umask=027 bacula /etc/init.d/bacula-sd restartpam_umask can also be used this way to modify the umask of any specific daemon user without a shell.