This article needs additional citations for verification. (March 2017) (Learn how and when to remove this template message)
|Operating system||Unix and Unix-like|
In computing, umask is a command that determines the settings of a mask that controls how file permissions are set for newly created files. It may also affects how the file permissions are changed explicitly. umask may also refer to a function that sets the mask, or it may refer to the mask itself, which is formally known as the file mode creation mask. The mask is a grouping of bits, each of which restricts how its corresponding permission is set for newly created files. The bits in the mask may be changed by invoking the umask command.
In Unix-like systems, each file has a set of attributes that control who can read, write or execute it. When a program creates a file the file permissions are restricted by the mask. If the mask has a bit set to "1", that the corresponding initial file permission will be disabled. A bit set to "0" in the mask means that the corresponding permission will be determined by the program and the file system. In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away its corresponding permission. Permissions may be changed later by users and programs using chmod.
Each program (technically called a process) has its own mask and is able to change its settings using a function call. When the process is a shell, the mask is set with the umask command. When a shell or process launches a new process, the child process inherits the mask from its parent process. Generally, the mask only affects file permissions during the creation of new files and has no effect when file permissions are changed in existing files, however, the chmod command will check the mask when the chmod options are specified using symbolic mode and a reference to a class of users is not specified.
The mask is stored as a group of bits. It may be represented as binary, octal or symbolic notation. The umask command allows the mask to be set as octal (e.g. 0754) or symbolic (e.g. u=,g=w,o=wx) notation.
- 1 History
- 2 Shell command
- 3 Mask effect
- 4 Processes
- 5 Mount option
- 6 See also
- 7 References
The mask, the umask command and the umask function were not part of the original implementation of UNIX. The operating system evolved in a relatively small computer-center environment, where security was not an issue. It eventually grew to serve hundreds of users from different organizations. At first, developers made creation modes for key files more restrictive, especially for cases of actual security breaches, but this was not a general solution. The mask and the umask command were introduced around 1978, in the seventh edition of the operating system, so it could allow sites, groups and individuals to choose their own defaults. The mask has since been implemented in most, if not all, of the contemporary implementations of Unix-like operating systems.
In a shell, the mask is set by using the umask command. The syntax of the command is:
umask [-S ] [maskExpression]
(The items within the brackets are optional.)
Displaying the current mask
If the umask command is invoked without any arguments, it will display the current mask. The output will be in either octal or symbolic notation, depending on the OS. In most shells, but not csh, the -S argument (i.e. umask -S) will force umask to display using symbolic notation. For example:
$ umask # display current value (as octal) 0022 $ umask -S # display current value symbolically u=rwx,g=rx,o=rx
Setting the mask using octal notation
If the umask command is invoked with an octal argument, it will directly set the bits of the mask to that argument:
$ umask 007 # set the mask to 007 $ umask # display the mask (in octal) 0007 # 0 - special permissions (setuid | setgid | sticky ) # 0 - (u)ser/owner part of mask # 0 - (g)roup part of mask # 7 - (o)thers/not-in-group part of mask $ umask -S # display the mask symbolically u=rwx,g=rwx,o=
If fewer than 4 digits are entered, leading zeros are assumed. An error will result if the argument is not a valid octal number or if it has more than 4 digits. The three rightmost octal digits address the "owner", "group" and "other" user classes respectively. If a fourth digit is present, the leftmost (high-order) digit addresses three additional attributes, the setuid bit, the setgid bit and the sticky bit.
|Octal digit in
|Permissions the mask will|
prohibit from being set during file creation
|0||any permission may be set (read, write, execute)|
|1||setting of execute permission is prohibited (read and write)|
|2||setting of write permission is prohibited (read and execute)|
|3||setting of write and execute permission is prohibited (read only)|
|4||setting of read permission is prohibited (write and execute)|
|5||setting of read and execute permission is prohibited (write only)|
|6||setting of read and write permission is prohibited (execute only)|
|7||all permissions are prohibited from being set (no permissions)|
Setting the mask using symbolic notation
When umask is invoked using symbolic notation, it will modify or set the flags as specified by the maskExpression with the syntax
- [user-class-letters] operator permission-symbols
Note that this syntax does not work when using csh due to the different behaviour of its built-in umask command.
Multiple maskExpressions are separated by commas.
A space terminates the maskExpression (s).
- The permissions are applied to different user classes:
|g||group||users who are members of the file's group|
|o||others||users who are not the owner of the file or members of the group|
|a||all||all three of the above, the same as ugo. (The default if no user-class-letters are specified in the maskExpression.)|
- The operator specifies how the permission modes of the mask should be adjusted.
|Operator||Effect on the mask|
|+||permissions specified are enabled, permissions that are not specified are unchanged.|
|-||permissions specified are prohibited from being enabled, permissions that are not specified are unchanged.|
|=||permissions specified are enabled, permissions that are not specified are prohibited from being enabled.|
- The permission-symbols indicate which file permission settings are to be allowed or prohibited by the mask.
|r||read||read a file or list a directory's contents|
|w||write||write to a file or directory|
|x||execute||execute a file or recurse a directory tree|
|X||special execute||See Symbolic modes.|
|s||setuid/gid||See File permissions.|
|t||sticky||See File permissions.|
Prohibit write permission from being set for the user. The rest of the flags in the mask are unchanged.
Example of multiple changes:
This would set the mask so that it would:
- prohibit the write permission from being set for the user, while leaving the rest of the flags unchanged;
- allow the read permission to be enabled for the group, while prohibiting write and execute permission for the group;
- allow the read permission to be enabled for others, while leaving the rest of the other flags unchanged.
Command line examples
Here are more examples of using the umask command to change the mask.
|umask command issued||How the mask will affect permissions of subsequently created files/directories|
|umask a+r||allows read permission to be enabled for all user classes; the rest of the mask bits are unchanged|
|umask a-x||prohibits enabling execute permission for all user classes; the rest of the mask bits are unchanged|
|umask a+rw||allows read or write permission to be enabled for all user classes; the rest of the mask bits are unchanged|
|umask +rwx||allows read, write or execute permission to be enabled for all user classes; (Note: On some UNIX platforms, this will restore the mask to a default.)|
|umask u=rw,go=||allow read and write permission to be enabled for the owner, while prohibiting execute permission from being enabled for the owner; prohibit enabling any permissions for the group and others|
|umask u+w,go-w||allow write permission to be enabled for the owner; prohibit write permission from being enabled for the group and others;|
|umask -S||display the current umask in symbolic notation|
|umask 777||disallow read, write, and execute permission for all (probably not useful because even owner cannot read files created with this mask!)|
|umask 000||allow read, write, and execute permission for all (potential security risk)|
|umask 077||allow read, write, and execute permission for the file's owner, but prohibit read, write, and execute permission for everyone else|
|umask 113||allow read or write permission to be enabled for the owner and the group, but not execute permission; allow read permission to be enabled for others, but not write or execute permission|
|umask 0755||equivalent to u-rwx (4+2+1),go=w (4+1 & 4+1). (The 0 specifies that clarify] may be enabled if allowed by the OS.)[|
Example showing effect of umask:
$ umask -S # Show the (frequently initial) setting u=rwx,g=rx,o=rx $ gcc hello.c # compile and create executable file a.out $ ls -l a.out -rwxr-xr-x 1 me developer 6010 Jul 10 17:10 a.out $ # the umask prohibited Write permission for Group and Others $ ls > listOfMyFiles # output file created by redirection does not attempt to set eXecute $ ls -l listOfMyFiles -rw-r--r-- 1 me developer 6010 Jul 10 17:14 listOfMyFiles $ # the umask prohibited Write permission for Group and Others $ ############################################################ $ umask u-w # remove user write permission from umask $ umask -S u=rx,g=rx,o=rx $ ls > protectedListOfFiles $ ls -l protectedListOfFiles -r--r--r-- 1 me developer 6010 Jul 10 17:15 protectedListOfFiles $ rm listOfMyFiles override r--r--r-- me/developer for protectedListOfFiles? $ # warning that protectedListOfFiles is not writable, answering Y will remove the file $ ##################################################################################### $ umask g-r,o-r # removed group read and other read from mask $ umask -S u=rx,g=x,o=x $ ls > secretListOfFiles $ ls -l secretListOfFiles -r-------- 1 me developer 6010 Jul 10 17:16 secretListOfFiles
The mask is applied whenever a file is created. If the mask has a bit set to "1", that means the corresponding file permission will always be disabled when files are subsequently created. A bit set to "0" in the mask means that the corresponding permission will be determined by the requesting process and the OS when files are subsequently created. In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away that corresponding permission for the file.
Here is the truth table for the masking logic. Each bit in the requesting process' file permission mode is operated on by the mask using this logic to yield the permission mode that is applied to the file as it is created. (p is a bit in the requested file permission mode of a process that is creating a file; q is a bit in the mask; r is the resulting bit in the created file's permission mode)
How the mask is applied
|Octal digit in
| Binary in
with "rwx" request
Programmatically, the mask is applied by the OS by first negating (complementing) the mask, and then performing a logical AND with the requested file mode. In the [probably] first UNIX manual to describe its function, the manual says,
the actual mode... of the newly-created file is the logical and of the given mode and the complement of the argument. Only the low-order 9 bits of the mask (the protection bits) participate. In other words, the mask shows [indicates] the bits to be turned off when files are created.— UNIX Eighth Edition Manual, Bell Labs UNIX (manual), AT&T Laboratories
In boolean logic the application of the mask can be represented as
Note: Many operating systems do not allow a file to be created with execute permissions. In these environments, newly created files will always have execute permission disabled for all users.
The mask is generally only applied to functions that create a new file, however, there are exceptions. For example, when using UNIX and GNU versions of chmod to set the permissions of a file, and symbolic notation is used, and no user is specified, then the mask is applied to the requested permissions before they are applied to the file. For example:
$ umask 0000 $ chmod +rwx filename $ ls -l filename -rwxrwxrwx filename $ umask 0022 $ chmod +rwx filename $ ls -l filename -rwxr-xr-x filename
Each process has its own mask, which is applied whenever the process creates a new file. When a shell, or any other process, spawns a new process, the child process inherits the mask from its parent process. When the process is a shell, the mask is changed by the umask command. As with other processes, any process launched from the shell inherits that shell's mask.
In the Linux kernel, the fat, hfs, hpfs, ntfs, and udf file system drivers support a umask mount option, which controls how the disk information is mapped to permissions. This is not the same as the per-process umask described above, although the permissions are calculated in a similar way. Some of these file system drivers also support separate umasks for files and directories, using mount options such as fmask.
- "UNIX 7th Edition Manual, Bell Labs UNIX". Manual. AT&T Laboratories. Retrieved 2019-05-14.
- Olczak, Anatole (2019-06-09). "Korn Shell: Unix and Linux Programming Manual". Oreilly. Addison-Wesley Professional. Retrieved 2013-01-14.
- "umask", The Single UNIX Specification, Version 2 (manual), The Open Group, 1997, retrieved 2013-01-14
- Note: Some programming languages require a prefix symbol in front of octal notation such as the digit 0, or the letters o or q. The umask command does not use this type of prefix notation – only the octal digits are used.
- Note: Operating systems usually will also strip off execute permissions on newly created files.
- "UNIX 8th Edition Manual, Bell Labs UNIX". Manual. AT&T Laboratories. Retrieved 2013-01-14.
- "umask(2)", Linux Programmer's Manual release 3.32 (manual), Linux man-pages project, 9 January 2008, retrieved 2013-01-01