5.5 Setting Default Permissions with the User Mask (umask)
Every time you create a file or a directory, default permissions are established for it. These default permissions are initially established either by the operating system or the program you are running (both will be considered to be the creating program in the umask description that follows). Setting default permissions relieves you from the task of specifying permission codes explicitly every time you create a file or directory. The operating system assigns the default permission values of 777 for executable files and 666 for all other files.
If you want to further restrict whatever permissions are established by a program when it creates a file or directory, you must specify a user mask with the umask command.
The user mask is a numeric value that determines the access permissions when a file or directory is created. As a result, when you create a file or directory, its permissions are set to what the creating program specifies, minus what the umask value forbids.
The umask command has the following format:
umask octal-number
The octal-number entry is a 3-digit octal number that specifies the permissions to be subtracted from the default permissions (777 or 666). Setting the user mask is very similar to setting the permission bits discussed in Section 5.4.2. The permission code for a file or directory is specified with a 3-digit octal number. Each digit represents a type of permission. The position of each digit (first, second, or third) represents 3 bits that correspond to the following:
• The first digit is for the owner of the file (you).
• The second digit is for the group of the file.
• The third digit is for others.
When you set the umask, you are actually specifying which permissions are not to be granted regardless of the permissions requested by the file creating program.
Table 5-4 lists the eight possible umask permission combinations for easy reference. Note that the umask permission values are the inverse of those specified for regular permission codes. Also note that these permission values are applied to those set by the creating program.
Table 5-4: The umask Permission Combinations

Octal Number   Allowed Permissions   Description
0              rwx                   Read/write/execute
1              rw-                   Read/write
2              r-x                   Read/execute
3              r--                   Read
4              -wx                   Write/execute
5              -w-                   Write
6              --x                   Execute
7              none                  No permissions granted
For example, if you specify a user mask of 027 (and the file is executable):
• The owner is allowed all permissions requested by the program creating the file.
• The group is not allowed write permission.
• The others are not allowed any permissions.
A good user mask value to set for your own files and directories depends upon how freely information resources are shared on your system. The following guidelines may be useful:
• In a very open computing environment, you might specify 000 as a user mask value, which allows no restrictions on file/directory access. As a result, when a program creates a file and specifies permission codes for it, the user mask imposes no restrictions on what the creating program has specified.
• In a more secure computing environment, you might specify 066 as a user mask value, which allows you total access, but prevents all others from being able to read or write to your files. As a result, when a file is created, its permissions are set to what the creating program specifies, minus the user mask restrictions that prevent read/write access for everyone but you.
• In a very secure computing environment, you might specify 077 as a user mask value, which means that only you have access to your files. As a result, when a file is created, its permissions are set to what the creating program specifies, minus the user mask restrictions that prevent anyone else from reading, writing, or executing your files.
To show you how umask works, assume that you have entered the following command:
$ umask 037
This command establishes a permission code of 740 (if the file is executable) and produces the following results:
• You (the owner) are allowed all permissions.
• Members of your group are not allowed write and execute permissions.
• All others are not allowed any permissions.
Further, assume that you have just created a file. By default, your editor always assigns the following default permissions: owners are allowed all permissions, and all others only read and execute permissions. However, since you have previously set a user mask of 037, it further restricts the file permissions. As a result, the owner still has all permissions, but the group cannot execute the file, and all others have no permissions.
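The following script is an added example and is not part of the original manual. It works out, one octal digit at a time, the permission code a new file receives from the mode the creating program requests and the user mask in force, which is exactly the subtraction that Table 5-4 and the 037 example above describe. The function names apply_umask and symbolic are this example's own; the sample requested modes (777, 666, and the editor's 755) are the ones quoted in the text.

```sh
#!/bin/sh
# Added example, not from the manual: compute the permissions a new file
# gets from a requested mode and a user mask, digit by digit.

# apply_umask MODE MASK
#   MODE: the 3-digit octal code the creating program requests
#         (777 or 666 by default; 755 for the editor in the text's example)
#   MASK: the 3-digit octal user mask
#   Prints the resulting 3-digit octal permission code.
apply_umask() {
    mode=$1
    mask=$2
    result=""
    i=1
    while [ "$i" -le 3 ]; do
        m=$(printf '%s' "$mode" | cut -c"$i")
        k=$(printf '%s' "$mask" | cut -c"$i")
        # Every bit set in the mask digit is withheld from the requested digit.
        result="$result$(( $m & ~$k & 7 ))"
        i=$((i + 1))
    done
    printf '%s\n' "$result"
}

# symbolic CODE
#   Renders a 3-digit octal code as the nine-character rwx string that
#   ls -l displays, e.g. 740 -> rwxr-----.
symbolic() {
    code=$1
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        d=$(printf '%s' "$code" | cut -c"$i")
        if [ $(( $d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( $d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( $d & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Sample runs (constructed): the cases discussed in the text.
for pair in "777 027" "666 022" "755 037" "777 077"; do
    set -- $pair
    code=$(apply_umask "$1" "$2")
    printf 'requested %s, umask %s -> %s (%s)\n' \
        "$1" "$2" "$code" "$(symbolic "$code")"
done
```

The third sample reproduces the editor case from the text: a requested 755 under a mask of 037 yields 740, so the group keeps read only and others get nothing. Running `umask -S` on a POSIX shell prints the same information in symbolic form, which is often easier to read than the inverted octal digits.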
5.5.1 Setting the umask
You may activate the umask command in two ways:
• Include the umask command in your login script. This is the most common and efficient way to specify your user mask because the specified value is set automatically for you whenever you log in. For a discussion of login scripts, see Chapter 7. For examples of umask commands in login scripts, see Chapter 8.
• Enter the umask command at the shell prompt during a login session. The user mask value you set is in effect for that login session only.
For a more detailed example of how the user mask works in restricting permissions for files you create with a text editor, follow the steps in this procedure:
1. Enter the following command to find out what the current value of your user mask is:
$ umask
If the user mask value is 000, there are no restrictions on the permissions established by file-creating programs. Go to step 3.
If the user mask value is set, write it down. Go to step 2.
2. Set the user mask value to 000 so that there will be no restrictions on the permissions established by file-creating programs. Before resetting the user mask, make sure you have written down the current value in case you need to reset it.
Enter the following command:
$ umask 000
3. Create a file, save it, and then exit your editor.
4. Display the permissions of the file by using the ls -l command. We will assume for the sake of the example that read/write permissions are granted for all users:
$ ls -l
-rw-rw-rw- 1 user-name 15 Oct 27 14:42 yourfile
$
5. Reset the user mask to 022 by entering the following command:
$ umask 022
A user mask of 022 establishes the following permission restrictions: owners are allowed all permissions and all others are allowed only read and execute permissions.
6. Create another file, save it, and then exit your editor.
7. Display the permissions of the file by entering the ls -l command:
$ ls -l
-rw-r--r-- 1 user-name 15 Oct 27 14:45 yourfile2
$
Notice that the write permissions for the group and all others have been removed in accordance with the user mask value of 022.
8. Reset the user mask to its original value or to another value (if you choose).
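The script below is an added example, not part of the original manual: it runs the eight-step procedure above non-interactively, using shell output redirection instead of an editor to create each file (redirection requests the same 666 the manual quotes for non-executable files) and reading the permissions back with ls -l. The function name create_with_umask and the scratch-directory handling are this example's own; the user mask is changed inside a subshell, so the caller's own mask is restored automatically, which is step 8.

```sh
#!/bin/sh
# Added example, not from the manual: exercise the umask procedure and
# report the mode field that ls -l shows for each created file.

# create_with_umask MASK
#   Creates an empty file in a fresh scratch directory while the user mask
#   is MASK, prints the ten-character mode field from ls -l, and cleans up.
create_with_umask() {
    mask=$1
    dir=$(mktemp -d) || return 1
    file="$dir/yourfile"
    (
        umask "$mask"
        # The redirection asks the system for 666; the mask decides what
        # survives.  Running it in a subshell keeps the caller's mask intact.
        : > "$file"
    )
    ls -l "$file" | cut -c1-10
    rm -rf "$dir"
}

# Step 1: note the current mask so the final check can confirm it survived.
original=$(umask)
echo "current user mask: $original"

# Steps 2 to 4: no restrictions, so the file keeps the requested rw-rw-rw-.
echo "umask 000 -> $(create_with_umask 000)"

# Steps 5 to 7: the group and others lose write permission, giving rw-r--r--.
echo "umask 022 -> $(create_with_umask 022)"

# The "very secure" guideline from the text: only the owner keeps access.
echo "umask 077 -> $(create_with_umask 077)"

# Step 8: the caller's mask was never altered, so nothing needs resetting.
echo "user mask afterwards: $(umask)"
```

Because the mask is applied at creation time only, changing it later never touches files that already exist; a file created while the mask was 000 stays world-writable until you change its mode explicitly, which is the practical reason the procedure ends by restoring a sensible mask.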
Note
A user with superuser privileges can override whatever access restrictions you impose on files and directories. For more information on this topic, see Section 5.7.
On occasion, the results you obtain when specifying a user mask may vary from what you intended. If so, see your system administrator.
The operating system provides a default user mask value of 022, which allows the owner all permissions, but prevents members of your group or any other users from writing to your files. However, your system’s user mask default may vary.