
umask

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Yobot (talk | contribs) at 15:17, 16 December 2011 (WP:CHECKWIKI error 44|26|38|55|63|65|66 fixes + general fixes using AWB (7879)). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

umask (user mask) is a command and a function in POSIX environments that sets the file mode creation mask of the current process, which limits the permission modes of files and directories created by that process. A process may change its file mode creation mask with umask, and the new value is inherited by child processes. When a shell (for example, through an output redirect) or other program creates a file or directory, it may specify the permissions to be granted; any permissions that the file mode creation mask does not allow are removed.

Effect of the file mode creation mask

The file mode creation mask can only restrict permissions; it never adds permissions that the creating process did not request. When programs create files, read, write and execute permission may be specified separately for the owner, the group and other users. If a program does not request execute permission, the file will not have execute permission even if the file mode creation mask would have allowed it.

When programs create directories, they usually specify read, write, and execute permissions for other users (rwxrwxrwx or octal 777).[1][2] Directories created in this way will be searchable (and writable) unless the umask disallows those permissions.

Shell command

The umask shell command changes the umask of the shell process, and all processes subsequently started from the shell then inherit the new umask. System administrators may set a default umask for everyone in an initialization script; individual users can override that choice in their own login scripts.

Unix systems allow umasks to be specified in two ways:

  • Symbolically, for example u=rwx,g=rwx,o=
  • As an octal number, for example 022

Symbolic umasks

A umask set to u=rwx,g=rwx,o= will result in new files having the modes -rw-rw----, and new directories having the modes drwxrwx---, if the creating programs specify the typical modes.

Symbolic umask example

In bash:

  $ umask u=rwx,g=rwx,o=
  $ umask
   0007
  $ mkdir groupieDir
  $ touch grpFile
  $ ls -l
  drwxrwx--- 2 dave develop 512 Sep 11 08:59 groupieDir
  -rw-rw---- 1 dave develop   0 Sep 11 08:59 grpFile

In the output of the second umask command above, the permission bits of the umask are the three rightmost octal digits (007). The initial 0 relates to the special permission modes (SUID, SGID and sticky bit), which are beyond the scope of this article.[3]

Octal umasks

Resultant permissions are calculated as the bitwise AND of the complement of the umask argument (its bitwise NOT) and the permissions requested by the creating program. Bash requests 666 for files and 777 for directories. Both read and execute permission on a directory are needed to list the files or directories inside it together with their permissions.

The octal digits and the permissions each one masks out are:

   0 – none          (i.e. all permissions specified are preserved)
   1 – execute only
   2 – write only
   3 – write and execute
   4 – read only
   5 – read and execute
   6 – read and write
   7 – read, write and execute (i.e. no permissions are preserved)

A common umask value is 022 masking out the write permission for the group and others, which ensures that new files are only writable for the owner (i.e. the user who created them). In bash:

  $ umask 0022
  $ mkdir AnyoneCanListMyDir
  $ touch AnyoneCanReadMyFile.log
  $ ls -l
  drwxr-xr-x 2 dave develop 512 Aug 18 20:59 AnyoneCanListMyDir
  -rw-r--r-- 1 dave develop   0 Aug 18 20:59 AnyoneCanReadMyFile.log

The initial 0 relates to the special permission modes (SUID, SGID and sticky bit), which are beyond the scope of this article.[3] The remaining three digits, from left to right, mean:

a) 0 does not prevent any owner (user) bits from being set;

b) 2 prevents the write bit from being set for the group; and

c) 2 prevents the write bit from being set for others.

Another common value is 002, which leaves the write permission for the file's group enabled. This can be used for files in shared workspaces, where several users work with the same files.

Calculating resultant permissions example

With the umask value of 027 (intended to prohibit non-group members from accessing files and directories), new files and directories are created with the permissions below (octal on the left, symbolic on the right as user, group, other):

  umask:                                           027    --- -w- rwx

  New files
  initial file permission:                         666    rw- rw- rw-
  complement of umask:             NOT(027) =      750    rwx r-x ---
  resultant file permission:       750 AND 666 =   640    rw- r-- ---

  New directories
  initial directory permission:                    777    rwx rwx rwx
  complement of umask:             NOT(027) =      750    rwx r-x ---
  resultant directory permission:  750 AND 777 =   750    rwx r-x ---
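The calculation above, together with the symbolic form from the earlier section, as an added Python example that is not part of the article: it computes the modes a mask yields for the 666/777 requests bash makes, converts a symbolic umask such as u=rwx,g=rwx,o= to its octal value, and cross-checks the arithmetic against what the kernel actually produces in a temporary directory. The function names are my own.

```python
import os
import stat
import tempfile

BASE_FILE_MODE = 0o666   # what bash/touch request for a new file, per the article
BASE_DIR_MODE = 0o777    # what mkdir requests for a new directory

_WHO_SHIFT = {"u": 6, "g": 3, "o": 0}
_PERM_BIT = {"r": 4, "w": 2, "x": 1}


def parse_symbolic_umask(spec):
    """Turn a symbolic umask like 'u=rwx,g=rwx,o=' into its octal mask (0o007).

    The symbolic form names the permissions to KEEP for each class; everything
    not named is masked out, so the mask is the complement of the kept bits.
    """
    keep = 0
    for clause in spec.split(","):
        who, _, perms = clause.partition("=")
        if who not in _WHO_SHIFT:
            raise ValueError("unknown class %r in %r" % (who, spec))
        bits = 0
        for p in perms:
            bits |= _PERM_BIT[p]   # KeyError on anything other than r, w, x
        keep |= bits << _WHO_SHIFT[who]
    return 0o777 & ~keep


def apply_umask(requested, mask):
    """Resultant mode = requested AND NOT(mask), exactly as the article describes."""
    return requested & ~mask & 0o777


def resulting_modes(mask):
    """(file mode, directory mode) a shell would produce under this umask."""
    return apply_umask(BASE_FILE_MODE, mask), apply_umask(BASE_DIR_MODE, mask)


def observed_modes(mask):
    """Cross-check against the kernel: create a file and a directory under `mask`."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as d:
            f = os.path.join(d, "f")
            os.close(os.open(f, os.O_CREAT | os.O_WRONLY, BASE_FILE_MODE))
            os.mkdir(os.path.join(d, "sub"), BASE_DIR_MODE)
            return (stat.S_IMODE(os.stat(f).st_mode),
                    stat.S_IMODE(os.stat(os.path.join(d, "sub")).st_mode))
    finally:
        os.umask(old)   # restore the caller's mask; it is process-wide state
```

Run `resulting_modes(0o027)` to reproduce the table above: it returns (0o640, 0o750), and `observed_modes(0o027)` returns the same pair from a real file and directory.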

Early UNIX systems were often used by relatively small groups of close colleagues who found it convenient to have most files readable and writable by everyone. PWB/UNIX evolved in a computer center environment to serve hundreds of users from different organizations. Its developers had combed through the commands to make key file creation modes more restrictive, especially in cases that exposed security holes, but this was not a general solution. The addition of umask (in around 1978) allowed sites, groups, and individuals to choose their own defaults. Small close groups might choose 000, computer centers 022, and security-conscious groups 077, or 066 for access to sub-directories under private directories.

Mount option

In the Linux kernel, the fat, hfs, hpfs, ntfs, and udf file system drivers support a umask mount option, which controls how the disk information is mapped to permissions. This is not the same as the per-process umask described above, although the permissions are calculated in a similar way. Some of these file system drivers also support separate umasks for files and directories, using mount options such as fmask.

See also

  • chmod, used to change the permissions of an existing file or directory.

References

  1. ^ "Perl functions: mkdir". Perl 5 version 10.0 documentation. Retrieved August 3, 2009. If omitted, MASK defaults to 0777.
  2. ^ "mkdir(1)". HP-UX Reference Volume 1 of 5. Hewlett-Packard Development Company, L.P. Retrieved August 3, 2009. mkdir creates specified directories in mode 0777 (possibly altered by umask unless specified otherwise by a -m mode option (see umask(1))).
  3. ^ a b Special Permission Modes in Linux and UNIX