Fall 2016 - September to December 2016 - Updated 2018-10-22 19:48 EDT
umask
blocks default permissionsIndexWhen a process creates a new file system object, such as a file or directory, the permissions of that new object are determined by the default permissions for the object, masked by the permissions set in a process umask
.
The process umask
controls what permissions are not given to newly created file system objects such as files and directories. It does not affect the permissions of existing objects, only of objects newly created by that process.
The umask
also influences the chmod
command as well as the permission of newly-created files and directories.
777
, file 666
IndexWhen a process creates a new file system object, such as a file or directory, the object is assigned a set of default permissions that is masked by the umask
.
The default Unix permission set for newly created directories is 777
(rwxrwxrwx
) masked (blocked) by the permission bits set in the umask
of the process. (See below for an explanation of Unix numeric permissions 777
.)
The default permissions for newly created files is 666
(rw-rw-rw-
) masked by the permission bits set in the umask
of the process.
The umask
controls what permissions are not given to newly created file system object. Without the umask
, all new directories would be created with full 777
permissions, and all new files would be created with full 666
permissions. The umask
blocks certain permissions from being given to newly created file system objects.
Every bit set in the umask
for the process “masks”, or “takes away”, that permission from the default permissions for newly created file system objects created by that process. The umask
value is a mask; it turns off permissions so that they are not assigned to newly created objects.
“Mask” does not mean “subtract”, in the arithmetic sense – there is no borrow or carry involved. The two binary bits 10
masked by the two bits 01
result in the two bits 10
. (The mask 01
turns off the rightmost bit; but, it was already off, so no change.) The two bits 10
masked by the two bits 11
result in the two bits 00
. (The mask 11
turns off both bits.)
The umask
is a mask; it is not a number to be subtracted. It turns off permissions that would normally be granted. Masking is not the same as subtracting, e.g. 666
masked with 001
is still 666
and 666
masked with 003
is 664
. The mask turns off permission bits so that they are not assigned to newly created objects. If they are already off, the umask
makes no change:
rw- (6) masked with --x (1) is rw- (6)
- because the x bit in the mask does not change any permissions
rw- (6) masked with -wx (3) is r-- (4)
- because only the w bit is changed (turned off) by the mask
umask
command affects default permissionsIndexMany modern Linux shells also accept symbolic
umask
permissions, in addition to the traditional octal numbers. See the manual page for your shell for details. In this course, we use the traditional octal numbers that work everywhere.
The shell command umask 022
sets to 022
(----w--w-
) the permissions to be removed (masked) from the default permissions, for new files and directories created by the shell (and by commands run from that shell). It prevents write permission being assigned to group and other on newly created directories and files. A new directory would have permissions 777
(rwxrwxrwx
) masked by 022
(----w--w-
) resulting in 755
(rwxr-xr-x
) permissions. A new file would have permissions 666
(rw-rw-rw-
) masked by 022
(----w--w-
) resulting in 644
(rw-r--r--
) permissions.
The umask
only applies to the permissions given to newly created files and directories.
The traditional friendly Unix umask
is 022
, resulting in default file permissions of 644
and default directory permissions of 755
. (Newly-created files and directories are readable by anyone; but, they are only writable by the owner.) A “secure” umask
would be 077
. (Mask out all group and other permissions; newly-created files and directories are readable/writable/executable only by the single user that created them.)
The umask
command cannot affect the permission of already-existing files. To do that, you must use the chmod
command:
$ chmod 711 program
$ chmod go-rwx secrets
Note that the umask
and the permissions assigned by chmod
are opposites. The chmod
command sets permissions to be given to an object; the umask
sets permissions not to be given to new objects.
Look for umask
in some of the following pages for more examples:
umask
is set and then passed to child processesIndexEvery process on Unix (including every shell process) has its own umask
value, which can be changed. The system standard umask
is set for you at login and is inherited by child processes.
Different Linux distributions set different standard (at login) umask
values. The values in your particular distribution of Linux may not be the same as other distributions. The values set by the system administrator may differ from the distribution defaults. Do not rely on the umask
having any standard value.
Every shell script should set umask
at the beginning, so that files and directories created by the script (and by child processes of the script) have known permissions.
umask
affects chmod
IndexUsing the chmod
command without specifying whether you want to change User, Group, or Other permissions (e.g. chmod +x foo
) causes chmod
to use your umask
to decide what sets of permissions to change. The umask
setting causes chmod
to ignore changes for the masked permissions. For example:
umask 0011 ; chmod +x foo # only adds User x permissions
umask 0111 ; chmod +x foo # does nothing (no permissions changed)
umask 0400 ; chmod -r foo # only removes Group and Other r permissions
umask 0444 ; chmod -r foo # does nothing (no permissions changed)
umask 0727 ; chmod +rwx foo # adds only Group rx permissions
The umask
value tells chmod
which permissions chmod
is allowed to affect. The masked-out permissions are not affected. If you want chmod
to ignore the current umask
, specify exactly which permission sets to affect:
umask 0077 ; chmod g+x foo # ignores umask; adds Group x permissions
umask 0700 ; chmod u-r foo # ignores umask; removes User r permissions
Always specify the precise User/Group/Other permission string when using chmod
, since you don’t know what the current umask
might be.
022
-style octal permissionsIndexUnix permissions for user, group, and other have traditionally been expressed using a set of three (octal) digits, where each digit represents the octal number you get by expressing the three rwx
permissions in binary form. Convert the enabled permission bits in rwx
into binary, using 1
for enabled and 0
for not enabled, then convert the binary number to an octal digit. Three sets of three permissions becomes three (octal) digits, e.g. rwxr-x-wx
becomes 111|101|011
which is753
.
Permissions (mode) can be represented in two ways: symbolic (three letters) or numeric (one octal digit). The single octal digit represents the three symbolic letters using a numeric weighting scheme shown below. The permission is treated as a binary number, with zeroes taking the place of the dashes (not enabled) and ones taking the place of the allowed permissions.
Numeric weighting for each of the three rwx
permissions (three binary digits to one octal digit):
x (execute) --x becomes 001 binary and has binary weight 2^0 = 1
w (write) -w- becomes 010 binary and has binary weight 2^1 = 2
r (read) r-- becomes 100 binary and has binary weight 2^2 = 4
Each of the three sets of symbolic permissions (user/owner, group, other) can be summarized by a single octal digit by adding up the three numeric rwx
values using the three weights (4,2,1) given above:
rwx ==> 111 binary ==> digit 7 because r is 4, w is 2, and x is 1 so 4+2+1=7
r-x ==> 101 binary ==> digit 5 because r is 4 and x is 1 so 4+0+1=5
-wx ==> 011 binary ==> digit 3 because w is 2 and x is 1 so 0+2+1=3
--- ==> 000 binary ==> digit 0 because no permissions are set so 0+0+0=0
7 = binary 111 = rwx
6 = binary 110 = rw-
5 = binary 101 = r-x
4 = binary 100 = r--
3 = binary 011 = -wx
2 = binary 010 = -w-
1 = binary 001 = --x
0 = binary 000 = ---
The full set of nine permission characters can then be grouped and summarized as three octal digits:
rwxr-x-wx is rwx|r-x|-wx is 111|101|011 ==> the three digits 753
---r----x is ---|r--|--x is 000|100|001 ==> the three digits 041
--------- is ---|---|--- is 000|000|000 ==> the three digits 000
rwxrwxrwx is rwx|rwx|rwx is 111|111|111 ==> the three digits 777
Make sure you always write exactly nine characters when writing symbolic permissions. Exactly nine. Do not include the leading “inode type” character when listing the nine characters of symbolic permissions.
Thus chmod 741 file
means “set the mode to 741
(rwxr----x
)”. That is 7
(7=111="rwx"
) for owner, 4
(4=100="r--"
) for group, and 1
(1=001="--x"
) for others. In most modern Unix systems, you can do the same thing using symbolic permissions as chmod u=rwx,g=r,o=x file
.
The shell command umask 027
means “mask (remove) permissions 027
from newly created files and directories”:
027 = "----w-rwx"
which can be split into three parts: 0=000="---"
for owner, 2=010="-w-"
for group, and 7=111="rwx"
for others.umask 027
(e.g. by mkdir
) would have directory default permissions 777
masked by 027
= 750
(rwxr-x---
).umask 027
(e.g. created by output redirection or by a file copy) would have file default permissions 666
masked by 027
= 640
(rw-r-----
).