===================== Umask and Permissions ===================== -IAN! idallen@idallen.ca Every process on Unix (including every shell process) has its own "umask" that influences the chmod command and the permission of newly-created files and directories. The umask is set for you at login and is inherited by child processes. Every shell script should set umask at the beginning, so that files and directories created by the script (and by child processes of the script) have known permissions. The default Unix permission set for newly created directories is 777 (rwxrwxrwx) masked by the permission bits set in the umask of the process. (See below for an explanation of Unix numeric permissions "777".) The default permissions for newly created files is 666 (rw-rw-rw-) masked by the permission bits set in the umask of the process. Every bit set in the umask for the process "masks", or "takes away", that permission from the default permissions for newly created files and directories created by that process. The umask value is a *mask*; it turns *off* permissions. "Mask" does not mean "subtract", in the arithmetic sense - there is no borrow or carry involved. The two bits 10 masked by the two bits 01 result in the two bits 10. (The mask 01 turns off the rightmost bit; but, it was already off, so no change.) The two bits 10 masked by the two bits 11 result in the two bits 00. (The mask 11 turns off both bits.) The shell command "umask 022" sets to 022 (----w--w-) the permissions to be removed (masked) from the default permissions, for new files and directories created by the shell (and by commands run from that shell). It removes write permission for group and other from newly created directories and files. A new directory would have permissions 777 (rwxrwxrwx) masked by 022 (----w--w-) resulting in 755 (rwxr-xr-x) permissions. A new file would have permissions 666 (rw-rw-rw-) masked by 022 (----w--w-) resulting in 644 (rw-r--r--) permissions. The umask only applies to *newly created* files and directories. The traditional friendly Unix umask is 022, resulting in default file permissions of 644 and default directory permissions of 755. (Newly-created files and directories are readable by anyone; but, they are only writable by the owner.) A "secure" umask would be 077. (Newly-created files and directories are readable/writable/executable only by the single user that created them.) Umask does not affect the permission of already-existing files. To do that, you must use the "chmod" command. Look for "umask" in some of the following pages for more examples: http://www.ucolick.org/~ksa/manual/level2.html#umask http://www.cs.arizona.edu/computer.help/policy/DIGITAL_unix/AA-PS2HD-TET1_html/uc6.html#s_umask http://www.acm.uiuc.edu/workshops/security/umask.html http://www.cis.rit.edu/class/simg211/unixintro/Access_Permissions.html http://www.uvm.edu/~hag/wcreate/644.html --------------- umask and chmod --------------- Using the chmod command without specifying whether you want to change User, Group, or Other permissions (e.g. "chmod +x foo") causes chmod to use your umask to decide what sets of permissions to change. The umask setting causes chmod to ignore changes for the masked permissions. For example: umask 0011 ; chmod +x foo # only adds User x permissions umask 0111 ; chmod +x foo # does nothing (no permissions changed) umask 0400 ; chmod -r foo # only removes Group and Other r permissions umask 0444 ; chmod -r foo # does nothing (no permissions changed) umask 0727 ; chmod +rwx foo # adds only Group rx permissions The umask value tells chmod which permissions chmod is allowed to affect. The masked-out permissions are not affected. If you want chmod to ignore the current umask, specify exactly which permission sets to affect: umask 0077 ; chmod g+x foo # ignores umask; adds Group x permissions umask 0700 ; chmod u-r foo # ignores umask; removes User r permissions Always specify the User/Group/Other permission string when using chmod. --------------------------------------------- Note on "022"-style octal numeric permissions --------------------------------------------- Unix permissions for user, group, and other have traditionally been expressed using a set of three octal digits, where each digit represents the octal number you get by expressing the three "rwx" permissions in binary form. Convert the enabled permission bits in "rwx" into binary, then convert the binary number to an octal digit. Examples: octal 7 = binary 111 = rwx octal 6 = binary 110 = rw- octal 5 = binary 101 = r-x octal 4 = binary 100 = r-- octal 3 = binary 011 = -wx octal 2 = binary 010 = -w- octal 1 = binary 001 = --x octal 0 = binary 000 = --- Thus "chmod 741 file" means "set the mode to 741 (rwxr----x)". That is 7 (7=111=rwx) for owner, 4 (4=100=r--) for group, and 1 (1=001=--x) for others. In most modern Unix systems, you can do the same thing using symbolic permissions as "chmod u=rwx,g=r,o=x file". The shell command "umask 027" means "mask (remove) permissions 027 from newly created files and directories". 027="----w-rwx". (0=000=--- for owner, 2=010=-w- for group, 7=111=rwx for others). A new directory created under this umask (e.g. by mkdir) would have permissions 777 masked by 027 = 750 (rwxr-x---). A new file created under this umask (e.g. created by output redirection or by a file copy) would have file default permissions 666 masked by 027 = 640 (rw-r-----). The umask is a *mask*; it is *not* a number to be subtracted. It turns off permissions that would normally be granted.