• Main Menu
  • UMASK


    umask is a Unix shell built-in command that automatically sets file permissions on newly created files.

    The umask command can be confusing to use because it does work as a mask. In other words, the user sets the permissions that he/she does not want in the umask.

    To calculate permissions that will result from specific umask values, subtract the umask from 777. Note, however, that files are not usually created with the execute permission by default, so the final permissions for files will omit the “x” permission.

    For example, if the user wants all files created with permissions of 666, he/she should set the umask to 000. Alternatively, for all files to be created with permissions of 000, the user should set the umask to 777 or 666 (which works since files do not normally have the execute permission).

    A reasonable value for umask is 022, which will cause files to be created with permissions of 644 (rw-r–r–) and directories to be created with permissions of 755 (rwxr-xr-x).

    A more secure value for umask is 066, which will cause files to be created with permissions of 600 (rw——-) and directories to be created with permissions of 700 (rwx——).

    umask is normally defined in the .profile or .login user startup files. Simply add/change the following line to specify a custom value:

    umask <new mask>

    where new mask contains the new octal mask permissions. The umask can also be set systemwide by editing the systemwide profiles, i.e. /etc/profile and friends.

    More Technical Details

    Technically speaking, new file permissions are not simply the subtraction of values from the umask. Rather, permissions for a new file are determined by ANDing the complement of the umask with the permissions for a file that the creating program uses by default. For example, the vi editor creates files with default permissions (perm) of 644, so for umask = 022,

    perm AND NOT umask

    will be 644 AND 755, which is 644.

    However, if a program creates a file using the following system call:

    open(“f”, O_WRONLY | O_CREAT, 0777),

    the permissions will be

    777 AND NOT 022,

    which is 777 AND 755, which in turn equals 755.

    Specifying a Value Using the -S Option

    Users do not need to specify a mask when they use this option. The following command will display the existing default value for new files:

    umask –S

    u=rwx,g=rx,o=rx

    To set full access for the owning user and group and deny all permissions for others, use the following straightforward command:

    umask –S u=rwx,g=rwx,o=

    As before, these permissions are simply the maximum allowed permissions on new files. Since applications like vi do not usually make text files executable, the “x” permission will be omitted.

    Specifying umask Values Programmatically

    If the function for manipulating umask expects an integer, specify the “0” prefix to indicate that the octal number system is being used. However, the “0” prefix is not required if the function expects an octal string. The umask shell command itself is one such example.

    Got Something To Say:

    Your email address will not be published. Required fields are marked *

    3 comments
    1. Alfred Tsang

      15 February, 2011 at 2:12 am

      If a directory called green has a umask of 326, can the user list the contents of `green`?

      Reply
      • Will.Spencer

        15 February, 2011 at 1:57 pm

        Directories don’t have umasks, user accounts have umasks.

        If a user has a umask of 326 and she creates a directory, it will have permissions of 451. Here is a demonstration:

        $ umask 326
        $ mkdir green
        $ ls -al | grep green
        dr–r-x–x 2 will will 4096 2011-02-15 14:53 green

        Those permissions don’t make any sense. The owner of the directory isn’t able to list the contents of the directory — but other user accounts are.

        Reply
        • Alfred Tsang

          17 February, 2011 at 2:34 am

          With read, you can still list the files and directories inside green.  Read gives the user ability to list the contents of the directory.  With a umask of 326, the user isn’t able to write to the directory green.

          Reply
    Unix
    184 queries in 0.847 seconds.