This articleneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Umask" – news ·newspapers ·books ·scholar ·JSTOR(March 2017) (Learn how and when to remove this message) |
| umask | |
|---|---|
| Original author | AT&T Bell Laboratories |
| Developers | Variousopen-source andcommercial developers |
| Initial release | 1978; 48 years ago (1978) |
| Operating system | Unix andUnix-like |
| Platform | Cross-platform |
| Type | Command |
umask is ashellcommand that reports or sets themask value that limits thefile permissions for newly created files in manyUnix andUnix-likefile systems. Asystem call with the same name,umask(), provides access to the mask value stored in theoperating system (OS), and the command provides shell user access to the system call. Additionally, the mask value, formallyfile mode creation mask, is often referred to as theumask.
When a new file is created, its access permissions are restricted by the stored umask mask value. The file's permissionbits that each grant access are cleared by corresponding bits of the mask that are set. Set bits of the mask disallow the permission and clear bits of the mask allow the permission. The otherwise default value of a file's permissions is defined elsewhere. The mask just prevents corresponding bits of the default. The mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set strips away its corresponding permission. Permissions may be changed later including via thechmod command.
The operating system maintains a umask mask value for eachprocess that is accessible via theumask command andumask() system call. When a process spawns a new process, the child inherits the mask from its parent.[1]
Generally, the mask only affects file permissions during the creation of new files; however, thechmod command checks the mask when the mode options are specified using symbolic mode and a reference to a class of users is not specified.
Theumask command is used withUnix-like operating systems, and theumask() system call is defined in thePOSIX.1 specification.
Before the umask capability (command, system call and stored value) was introduced toUnix, developers used various mechanisms to restrict access in order to prevent security breach. The umask capability was introduced around 1978, in the seventh edition of the operating system,[2] to allow sites, groups and individuals to choose their own defaults. The capability has been implemented in most, if not all, contemporary Unix-like operating systems.
With no parameter, theumask command reports the stored mask either asoctal orsymbolic notation, depending on the implementation.[3][4] In some shells, the-S option selects symbolic notation. For example:
$umask0022$umask-Su=rwx,g=rx,o=rx
Invoked with an octal parameter, the command updates the stored mask to input value:
$umask007$umask0007$umask-Su=rwx,g=rwx,o=
As normal for a numeric representation, if fewer than 4 digits are entered, leading zeros are assumed. But the command fails if the input is more than 4 digits. This is notable since some languages (i.e. C) use a leading zero to denote octal format for a literal, butumask does support this notation.
The last three digits encode the user, group and others classes, respectively. If a fourth digit is present, the first digit addresses the three special attributes:setuid,setgid andsticky bit.
| Digit | Effect |
|---|---|
| 0 | any permission may be set (read, write, execute) |
| 1 | setting of execute permission is prohibited (read and write) |
| 2 | setting of write permission is prohibited (read and execute) |
| 3 | setting of write and execute permission is prohibited (read only) |
| 4 | setting of read permission is prohibited (write and execute) |
| 5 | setting of read and execute permission is prohibited (write only) |
| 6 | setting of read and write permission is prohibited (execute only) |
| 7 | all permissions are prohibited from being set (no permissions) |
Whenumask is invoked with a parameter in symbolic notation, it modifies the stored mask so that a newly created file is allowed to have the permissions added and disallowed to have the permissions removed. The logic is backwards from the mask value. Adding a permission clears the associated bit of the mask so that the permission is allowed when a file is created. Removing a permission sets the associated bit so that the permission is disallowed when a file is created.
Changes to the mask in symbolic notation are expressed as[classes]+|-|=operations; with multiple expressions separated by comma and the last terminated by a space.
This syntax does not work inC shell due to the different behavior of itsumask command.
Class is specified asu for user,g for group,o for others or a combination of these letters to select multiple. If not specified ora, then all classes are selected, same asugo.
The operator specifies how the mask is modified.+ allows the specified permissions without changing unspecified permissions.- disallows permissions without changing unspecified permissions.= allows the specified permissions and disallows the unspecified permissions of the class.
The following table describes the operations (and flags) than can be allowed or prohibited.
| Symbol | Description |
|---|---|
r | read a file or list a directory's contents |
w | write to a file or directory |
x | execute a file or recurse a directory tree |
X | special execute; seeSymbolic modes |
s | setuid/gid; seeFile permissions |
t | sticky; seeFile permissions |
| Command | Effect on mask and subsequently created files |
|---|---|
umask a+r | Allow read permission for all user classes; the rest of the mask is unchanged |
umask a-x | Prohibit execute permission for all user classes; the rest of the mask is unchanged |
umask a+rw | Allow read an write permission for all user classes; the rest of the mask bits are unchanged |
umask u=rw,go= | Allow read and write permission for the owner, while prohibiting execute permission for the owner; prohibit all permissions for the group and others |
umask 777 | Disallow all permissions for all classes; probably not useful because even the owner will not be able to read new files |
umask 000 | Allow read, write, and execute permission for all; potential security risk |
umask 077 | Allow read, write, and execute permission for the owner, but prohibit read, write, and execute permission for everyone else |
umask 0755 | Equivalent tou-rwx,go=w; the0 specifies that thespecial modes (setuid, setgid, sticky) may be enabled |
Assuming typical a mask value:u=rwx,g=rx,o=rx which allows all permissions except for write for group and others, the following example shows how a new file (created viatouch lacks write for group and others.
$touchfoo$ls-lfoo-rwxr-xr-x 1 me developer 6010 Jul 10 17:10 foo
The following example disallows write permission for the user class, then creates a file that has no write permission for the user class:
$umasku-w$umask-Su=rx,g=rx,o=rx$touchbar$ls-lbar-r--r--r-- 1 me developer 6010 Jul 10 17:15 bar
The following table indicates how a digit of the umask mask affects the permissions of a new file if the default permissions include all operations (rwx). The mask value is applied by first negating (complementing) the mask, and then performing a logical AND with the default file mode.[5]
| mask octal digit | binary | negated binary | logical AND with default "rwx"[6] |
|---|---|---|---|
| 0 | 000 | 111 | rwx |
| 1 | 001 | 110 | rw- |
| 2 | 010 | 101 | r-x |
| 3 | 011 | 100 | r-- |
| 4 | 100 | 011 | -wx |
| 5 | 101 | 010 | -w- |
| 6 | 110 | 001 | --x |
| 7 | 111 | 000 | --- |
Many operating systems do not allow a file to be created with execute permissions and therefore newly created files have no execute permission regardless of the umask mask.
In general, the umask mask is only used when creating a file. However, for some implementations of thechmod command, when using symbolic notation and no user is specified, the mask is applied to the requested permissions before they are applied to the file. For example:
$umask0000$chmod+rwxfilename$ls-lfilename-rwxrwxrwx filename$umask0022$chmod+rwxfilename$ls-lfilename-rwxr-xr-x filename
In theLinux kernel, thefat,hfs,hpfs,ntfs, andudffile system drivers support aumaskmount option, which controls how the disk information is mapped to permissions. This is not the same as the per-process mask described above, although the permissions are calculated in a similar way. Some of these file system drivers also support separate masks for files and directories, using mount options such asfmask.