umask (abbreviated from user mask) is a command and a function in POSIX environments that sets the file mode creation mask of the current process. The file mode creation mask (also known as the umask) limits the permission modes for files and directories subsequently created by the process. A process is free to change the umask at any time and its value is inherited by any child processes created later. When a shell or other program is creating a file or directory, it specifies the permissions to be granted. The operating system then removes from those the permissions that the file mode creation mask does not allow.
Effect of the umask
The umask only restricts permissions; it cannot grant extra permissions beyond what is specified by the program that creates the file or directory. When programs create files, they usually specify read and write permissions for all users, and no execute permissions at all (rw-rw-rw- or octal 666 in traditional Unix notation). Files created in this way will not be executable even if the umask would have allowed that.
On the other hand, when programs create directories, they usually specify read, write, and execute permissions for all users (rwxrwxrwx or octal 777). Directories created in this way will thus be searchable unless the umask restricts that.
The umask shell command changes the umask of the shell process, and all processes subsequently started from the shell then inherit the new umask. System administrators may set a default umask for everyone in an initialization script, but of course, individual users can override that choice in their own login scripts.
Modern Unix systems allow umasks to be specified in two ways:
- A default permission, also called a Symbolic Umask. E.g. u=rwx,g=rwx,o=
- An octal number that controls which permissions will be masked (not set) for any newly created file, e.g. 022.
A umask set to u=rwx,g=rwx,o= will result in new files having the modes -rw-rw---- and new directories having the modes drwxrwx---, if the creating programs specify the typical modes.
Symbolic umask example
$ umask u=rwx,g=rwx,o=
$ mkdir fu
$ touch bar
$ ls -l
drwxrwx--- 2 dave dave 512 Sep 1 20:59 fu
-rw-rw---- 1 dave dave   0 Sep 1 20:59 bar
Octal umasks are calculated via the bitwise AND of the unary complement of the argument (using bitwise NOT) and the permissions specified by the program: typically 666 in the case of files, and 777 in the case of directories.
Each octal digit of the umask applies to one class (user, group, others) and leaves the following permissions available to that class:
- 0 – read, write and execute
- 1 – read and write
- 2 – read and execute
- 3 – read only
- 4 – write and execute
- 5 – write only
- 6 – execute only
- 7 – no permissions
A common umask value is 022 (masking out the write permission for the group and others), which ensures that new files are only writable for the owner (i.e. the user who created them). Another common value is 002, which leaves the write permission for the file’s group enabled. This can be used for files in shared workspaces, where several users work with the same files.
Early UNIX systems were often used by relatively small groups of close colleagues who found it convenient to have most files read/write by everyone. PWB/UNIX evolved in a computer center environment to serve hundreds of users from different organizations. Its developers had combed through the commands to make key file creation modes more restrictive, especially for cases exposing security holes, but this was not a general solution. The addition of umask (around 1978) allowed sites, groups, and individuals to choose their own defaults. Small close groups might choose 000, computer centers 022, security-conscious groups 066.
Octal umask examples
Assuming the umask has the value 174, any new file will be created with the permissions 602 and any new directory will have permissions 603 because:
666₈ AND NOT(174₈) = 602₈
777₈ AND NOT(174₈) = 603₈
In binary, for the directory case:
777₈ = (111 111 111)₂
174₈ = (001 111 100)₂
NOT (001 111 100)₂ = (110 000 011)₂
(111 111 111)₂ AND (110 000 011)₂ = (110 000 011)₂ = 603₈
$ umask 0174
$ mkdir foo
$ touch bar
$ ls -l
drw-----wx 2 dave dave 512 Sep 1 20:59 foo
-rw-----w- 1 dave dave   0 Sep 1 20:59 bar
Using the above mask, octal 1 prevents user execute bit being set, octal 7 prevents all group bits being set, and octal 4 prevents the read bit being set for others.
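The following is an added example, not code from the original article: it implements the mask arithmetic described above (requested mode AND NOT(umask)), converts the symbolic form from the earlier section into the octal mask it denotes, and then creates a real file with umask(2) so the computed 602 for a 174 mask can be checked against what the kernel actually assigns. It assumes a writable $TMPDIR or /tmp for the on-disk check.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The article's rule: requested mode AND NOT(umask), nine permission bits only. */
mode_t apply_umask(mode_t requested, mode_t mask) {
    return requested & ~mask & 0777;
}

/* Symbolic umask ("u=rwx,g=rwx,o=") to octal: the symbolic form lists bits
 * to KEEP, so the mask is their complement. (mode_t)-1 if malformed. */
mode_t symbolic_to_octal(const char *spec) {
    mode_t keep = 0, shift = 0;
    const char *p = spec;
    while (*p) {
        switch (*p++) {                 /* class: user, group or other */
        case 'u': shift = 6; break;
        case 'g': shift = 3; break;
        case 'o': shift = 0; break;
        default:  return (mode_t)-1;
        }
        if (*p++ != '=') return (mode_t)-1;
        for (; *p && *p != ','; p++) {  /* rights kept for that class */
            if (*p == 'r') keep |= 4 << shift;
            else if (*p == 'w') keep |= 2 << shift;
            else if (*p == 'x') keep |= 1 << shift;
            else return (mode_t)-1;
        }
        if (*p == ',') p++;
    }
    return 0777 & ~keep;
}

/* Create a file under the given umask as touch(1) does (requested 0666) and
 * return the bits the kernel assigned; checks the arithmetic against umask(2). */
mode_t mode_after_umask(mode_t mask) {
    char path[256]; struct stat st;
    const char *dir = getenv("TMPDIR");       /* assumed writable, else /tmp */
    snprintf(path, sizeof path, "%s/umask-demo-%ld", dir ? dir : "/tmp", (long)getpid());
    mode_t old = umask(mask);                 /* install mask, remember the old one */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);                               /* restore the caller's mask */
    if (fd < 0) return (mode_t)-1;
    int ok = fstat(fd, &st) == 0;
    close(fd);
    unlink(path);
    return ok ? (st.st_mode & 0777) : (mode_t)-1;
}
```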
In the Linux kernel, the fat, hfs, hpfs, ntfs, and udf file system drivers support a umask mount option, which controls how the on-disk information is mapped to Unix permissions. This is not the same as the per-process umask described above, although the permissions are calculated in a similar way. Some of these file system drivers also support separate umasks for files and directories, using mount options such as fmask.
- chmod, used to change the permissions of an existing file or directory.