Umask

From LQWiki

The term "umask" refers both to a bitmask called the "file mode creation mask", which determines the default permissions set on newly created files and directories, and to the umask command that is used to set that mask. In simple terms, any file or directory created in Linux and other Unix-like operating systems has default permissions assigned to it when it is created, and these are determined by the "umask".

How umask works

The umask works like a filter: it lists the permissions that should be stripped away from newly created files, rather than the permissions that should be set. The easiest way to understand this is to think of the octal notation for the normal UNIX permissions of read, write, and execute. For example, running chmod 764 newfile would grant the file called "newfile" read, write and execute permissions for the owning user, read and write permissions for the owning group, and only read permission for "world". A umask of "027" means: don't remove any permissions for the owning user, remove write permission for the owning group, and remove all permissions for "world". With that mask, "newfile" would end up with read, write and execute permissions for the owning user, only read permission for the owning group, and no permissions for "world". In other words, the "umask" is the reverse of setting permissions with the chmod command. The following table lists the octal UNIX permission values in reverse, and what they would mean for umask.

Octal umask digit   Permission(s) left in place
0                   read, write and execute
1                   read and write
2                   read and execute
3                   read
4                   write and execute
5                   write
6                   execute
7                   no permissions

Examples

umask 002

This is a common umask value for a lot of Linux distributions. In the case of files, it means: don't strip any of the default permissions away from the owning user and group, but remove "write" permission from everyone else (otherwise known as "world"). For directories it means the same: don't strip away any of the default permissions for the owning user or group, but remove "write" permission from "world". In octal notation the permissions for newly created files would be 664, and for newly created directories they would be 775.

So the resulting permissions would look like the following in the case of a newly created file called "newfile":

-rw-rw-r-- 1 james james 0 Apr 15 23:26 newfile

For a newly created directory called "newdir" they would look like this:

drwxrwxr-x  2 james james 4096 Apr 15 23:27 .


umask 022

This would be similar to a umask of 002, except this would also remove "write" permission for the owning group as well as "world". Therefore the octal notation for the resulting permissions would be 644 for files, and 755 for directories.

umask 077

This would not strip away any permissions for the owning user, but would strip all permissions for both the owning group and "world". Therefore the resulting octal notation would be 600 for files, and 700 for directories.

Notes

  • Because newly created files are not given "execute" permission by default on Linux, the default permissions are 666 (read and write) for files and 777 (read, write and traverse) for directories/folders.
  • Only the file permission bits are used in Linux, and therefore the SUID, SGID and sticky bits of the mask are ignored.
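
The filter behaviour described under "How umask works" and in the examples above can be checked directly. The script below is an added example, not part of the original page: the function names apply_umask and observed_modes are made up for illustration, and it assumes a Linux stat that supports the -c option.

```shell
#!/bin/sh
# Added example (not from the original page): predict what a umask leaves
# behind, then confirm it by really creating a file and a directory.

# apply_umask BASE MASK
# Strips the MASK bits from BASE (both octal) and prints the 3-digit result.
# This is a bitwise "BASE AND NOT MASK", not a subtraction.
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observed_modes MASK
# Creates a file and a directory under MASK and prints "FILEMODE DIRMODE".
# The subshell keeps the umask change from leaking into the caller.
# Assumes GNU or BusyBox stat (the -c option), as found on Linux.
observed_modes() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/newfile"        # the shell requests 666 for a new file
        mkdir "$tmp/newdir"       # mkdir requests 777 for a new directory
        f=$(stat -c %a "$tmp/newfile")
        d=$(stat -c %a "$tmp/newdir")
        rm -rf "$tmp"
        # Keep only the rwx bits in case the parent directory is setgid.
        printf '%03o %03o\n' $(( 0$f & 0777 )) $(( 0$d & 0777 ))
    )
}

# Compare prediction and reality for the masks discussed on this page.
for mask in 002 022 027 077; do
    echo "umask $mask: predicted $(apply_umask 666 "$mask") $(apply_umask 777 "$mask")," \
         "observed $(observed_modes "$mask")"
done
```

Running apply_umask 666 033 prints 644, which shows why the mask must be treated as a set of bits to strip: subtracting 033 from 666 would wrongly give 633.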

How to view the current umask

You can view the current umask by running the umask command with no arguments:

umask

How to change the umask

There are at least a couple of ways to do this, but which one applies depends on how your Linux distribution is configured and on the kind of shell you are using, as this affects which configuration files are parsed. In Linux there is a difference between a "login shell" and a "non-login shell", as well as between system-wide configuration and per-user configuration. A "login shell" is basically the shell you get immediately after logging into the system, although you will not actually see this type of shell if your distribution loads a display manager instead of a console login screen. A "non-login shell" is a shell invoked after the user has already logged in, for example a terminal window displaying a command-line interface within the graphical environment.

We'll assume your Linux distribution is using the bash shell as the default shell for the purposes of this section. There is a specific order in which configuration files are parsed (read), and the umask might be configured in more than one configuration file. This order is: .bashrc > /etc/profile.d/umask.sh > /etc/profile

An example of configuring umask in the system-wide /etc/profile configuration file would be:

umask 022

You can also use the umask command itself to change the umask as follows:

umask <new mask here>
