umask
 | This article needs additional citations for verification. (March 2017) |
| Original author(s) | AT&T Bell Laboratories |
|---|---|
| Developer(s) | Various open-source and commercial developers |
| Initial release | 1978 |
| Operating system | Unix and Unix-like |
| Platform | Cross-platform |
| Type | Command |
umask is a shell command that reports or sets the mask value that limits the file permissions for a newly created files in many Unix and Unix-like file systems. A system call with the same name, umask(), provides access to the mask value stored in the operating system (OS), and the command provides shell user access to the system call. Additionally, the mask value, formally file mode creation mask, is often referred to as the umask.
When a new file is created, its access permissions are restricted by the stored umask mask value. The file's permission bits that each grant access are cleared by corresponding bits of the mask that are set. Set bits of the mask disallow the permission and clear bits of the mask allow the permission. The otherwise default value of a file's permissions is defined elsewhere. The mask just prevents corresponding bits of the default. The mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set strips away its corresponding permission. Permissions may be changed later including via the chmod command.
The operating system maintains a umask mask value for each process that is accessible via the umask command and umask() system call. When a process spawns a new process, the child inherits the mask from its parent.[1]
Generally, the mask only affects file permissions during the creation of new files; however, the chmod command checks the mask when the mode options are specified using symbolic mode and a reference to a class of users is not specified.
The umask command is used with Unix-like operating systems, and the umask() system call is defined in the POSIX.1 specification.
History
[edit]Before the umask capability (command, system call and stored value) was introduced to Unix, developers used various mechanisms to restrict access in order to prevent security breach. The umask capability was introduced around 1978, in the seventh edition of the operating system,[2] to allow sites, groups and individuals to choose their own defaults. The capability has been implemented in most, if not all, contemporary Unix-like operating systems.
Shell command
[edit]Read
[edit]With no parameter, the umask command reports the stored mask either as octal or symbolic notation, depending on the implementation.[3][4] In some shells, the -S option selects symbolic notation. For example:
$ umask
0022
$ umask -S
u=rwx,g=rx,o=rx
Set as octal
[edit]Invoked with an octal parameter, the command updates the stored mask to input value:
$ umask 007
$ umask
0007
$ umask -S
u=rwx,g=rwx,o=
As normal for a numeric representation, if fewer than 4 digits are entered, leading zeros are assumed. But the command fails if the input is more than 4 digits. This is notable since some languages (i.e. C) use a leading zero to denote octal format for a literal, but umask does support this notation.
The last three digits encode the user, group and others classes, respectively. If a fourth digit is present, the first digit addresses the three special attributes: setuid, setgid and sticky bit.
| Digit | Effect |
|---|---|
| 0 | any permission may be set (read, write, execute) |
| 1 | setting of execute permission is prohibited (read and write) |
| 2 | setting of write permission is prohibited (read and execute) |
| 3 | setting of write and execute permission is prohibited (read only) |
| 4 | setting of read permission is prohibited (write and execute) |
| 5 | setting of read and execute permission is prohibited (write only) |
| 6 | setting of read and write permission is prohibited (execute only) |
| 7 | all permissions are prohibited from being set (no permissions) |
Set via symbolic notation
[edit]When umask is invoked with a parameter in symbolic notation, it modifies the stored mask so that a newly created file is allowed to have the permissions added and disallowed to have the permissions removed. The logic is backwards from the mask value. Adding a permission clears the associated bit of the mask so that the permission is allowed when a file is created. Removing a permission sets the associated bit so that the permission is disallowed when a file is created.
Changes to the mask in symbolic notation are expressed as [classes]+|-|=operations; with multiple expressions separated by comma and the last terminated by a space.
This syntax does not work in C shell due to the different behavior of its umask command.
Class is specified as u for user, g for group, o for others or a combination of these letters to select multiple. If not specified or a, then all classes are selected, same as ugo.
The operator specifies how the mask is modified. + allows the specified permissions without changing unspecified permissions. - disallows permissions without changing unspecified permissions. = allows the specified permissions and disallows the unspecified permissions of the class.
The following table describes the operations (and flags) than can be allowed or prohibited.
| Symbol | Description |
|---|---|
r |
read a file or list a directory's contents |
w |
write to a file or directory |
x |
execute a file or recurse a directory tree |
X |
special execute; see Symbolic modes |
s |
setuid/gid; see File permissions |
t |
sticky; see File permissions |
Examples
[edit]| Command | Effect on mask and subsequently created files |
|---|---|
umask a+r |
Allow read permission for all user classes; the rest of the mask is unchanged |
umask a-x |
Prohibit execute permission for all user classes; the rest of the mask is unchanged |
umask a+rw |
Allow read an write permission for all user classes; the rest of the mask bits are unchanged |
umask u=rw,go= |
Allow read and write permission for the owner, while prohibiting execute permission for the owner; prohibit all permissions for the group and others |
umask 777 |
Disallow all permissions for all classes; probably not useful because even the owner will not be able to read new files |
umask 000 |
Allow read, write, and execute permission for all; potential security risk |
umask 077 |
Allow read, write, and execute permission for the owner, but prohibit read, write, and execute permission for everyone else |
umask 0755 |
Equivalent to u-rwx,go=w; the 0 specifies that the special modes (setuid, setgid, sticky) may be enabled
|
Assuming typical a mask value: u=rwx,g=rx,o=rx which allows all permissions except for write for group and others, the following example shows how a new file (created via touch lacks write for group and others.
$ touch foo
$ ls -l foo
-rwxr-xr-x 1 me developer 6010 Jul 10 17:10 foo
The following example disallows write permission for the user class, then creates a file that has no write permission for the user class:
$ umask u-w
$ umask -S
u=rx,g=rx,o=rx
$ touch bar
$ ls -l bar
-r--r--r-- 1 me developer 6010 Jul 10 17:15 bar
File creation
[edit]The following table indicates how a digit of the umask mask affects the permissions of a new file if the default permissions include all operations; rwx. The mask value is applied by first negating (complementing) the mask, and then performing a logical AND with the default file mode.[5]
| mask octal digit |
binary | negated binary |
logical AND with default "rwx"[6] |
|---|---|---|---|
| 0 | 000 | 111 | rwx |
| 1 | 001 | 110 | rw- |
| 2 | 010 | 101 | r-x |
| 3 | 011 | 100 | r-- |
| 4 | 100 | 011 | -wx |
| 5 | 101 | 010 | -w- |
| 6 | 110 | 001 | --x |
| 7 | 111 | 000 | --- |
Many operating systems do not allow a file to be created with execute permissions and therefore newly created files have no execute permission regardless of the umask mask.
Use outside file creation
[edit]In general, the umask mask is only used when creating a file. However, for some implementations of the chmod command, when using symbolic notation and no user is specified, the mask is applied to the requested permissions before they are applied to the file. For example:
$ umask 0000
$ chmod +rwx filename
$ ls -l filename
-rwxrwxrwx filename
$ umask 0022
$ chmod +rwx filename
$ ls -l filename
-rwxr-xr-x filename
Mount option
[edit]In the Linux kernel, the fat, hfs, hpfs, ntfs, and udf file system drivers support a umask mount option, which controls how the disk information is mapped to permissions. This is not the same as the per-process mask described above, although the permissions are calculated in a similar way. Some of these file system drivers also support separate masks for files and directories, using mount options such as fmask.
See also
[edit]
References
[edit]- ^ "umask(2)", Linux Programmer's Manual release 3.32 (manual), Linux man-pages project, 9 January 2008, retrieved 2013-01-01
- ^ "UNIX 7th Edition Manual, Bell Labs UNIX". Manual. AT&T Laboratories. Retrieved 2019-05-14.
- ^ Olczak, Anatole (2019-06-09). "Korn Shell: Unix and Linux Programming Manual". Oreilly. Addison-Wesley Professional. Retrieved 2013-01-14.
- ^ "umask", The Single UNIX Specification, Version 2 (manual), The Open Group, 1997, retrieved 2013-01-14
- ^ "UNIX 8th Edition Manual, Bell Labs UNIX". Manual. AT&T Laboratories. Retrieved 2013-01-14.
- ^ Note: Operating systems usually will also strip off execute permissions on newly created files.
| File system | |
|---|---|
| Processes | |
| User environment | |
| Text processing | |
| Shell builtins | |
| Searching | |
| Documentation | |
| Software development | |
| Miscellaneous | |
| |
