The umask
The umask (UNIX shorthand for "user file-creation mode mask") is a four-digit octal number that UNIX uses to determine the file permission for newly created files. Every process has its own umask, inherited from its parent process.
The umask specifies the permissions you do not want given by default to newly created files and directories. umask works by doing a bitwise AND with the bitwise complement of the umask. Bits that are set in the umask correspond to permissions that are not automatically assigned to newly created files.
By default, most UNIX versions specify an octal mode of 666 (any user can read or write the file) when they create new files.Likewise, new programs are created with a mode of 777 (any user can read, write, or execute the program). Inside the kernel, the mode specified in the open call is masked with the value specified by the umask - thus its name.
We don't believe there is any religious significance to this, although we do believe that making files readable and writable by everyone leads to many evil deeds.
Normally, you or your system administrator set the umask in your .login, .cshrc, or .profile files, or in the system /etc/profile file. For example, you may have a line that looks like this in one of your startup files:
# Set the user's umask umask 033
When the umask is set in this manner, it should be set as one of the first commands. Anything executed prior to the umask command will have its prior, possibly unsafe, value.
Under SVR4 you can specify a default umask value in the /etc/defaults/login file. This umask is then given to every user that executes the login program. This method is a much better (and more reliable) means of setting the value for every user than setting the umask in the shell's startup files.
The umask Command
An interface to the umask function is a built-in command in the sh, ksh, and csh shell programs. (If umask were a separate program, then typing umask wouldn't change the umask value for the shell's process! A umask ( ) system call for programs that wish to further change their umask also exists.
The most common umask values are 022, 027, and 077. A umask value of 022 lets the owner both read and write all newly created files, but everybody else can only read them:
|
0666 |
default file-creation mode |
|
(0022) |
umask |
|
0644 |
resultant mode |
A umask value of 077 lets only the file's owner read all newly created files:
|
0666 |
default file-creation mode |
|
(0077) |
umask |
|
0600 |
resultant mode |
A simple way to calculate umask values is to remember that the number 2 in the umask turns off write permission, while 7 turns off read, write, and execute permission.
A umask value of 002 is commonly used by people who are working on group projects. If you create a file with your umask set to 002, anyone in the file's group will be able to read or modify the file. Everybody else will only be allowed to read it:
|
0666 |
default file-creation mode |
|
(0002) |
umask |
|
0664 |
resultant mode |
If you use the Korn shell, ksh, then you can set your umask symbolically. You do this with the same general syntax as the chmod command. In the ksh, the following two commands would be equivalent:
% umask u=rwx,g=x,o=
% umask 067
Common umask Values
On many UNIX systems, the default umask is 022. This is inherited from the init process, as all processes are descendants of init. Some systems may be configured to use another umask value, or a different value may be set in the startup files.
The designers of these systems chose this umask value to foster sharing, an open computing environment, and cooperation among users. Most prototype user accounts shipped with UNIX operating systems specify 022 as the default umask, and many computer centers use this umask when they set up new accounts. Unfortunately, system administrators frequently do not make a point of explaining the umask to novice users, and many users are not aware that most of the files they create are readable by every other user on the system.
A recent trend among computing centers has been to set up new accounts with a umask of 077, so a user's files will, by default, be unreadable by anyone else on the system unless the user makes a conscious choice to make them readable.
Here are some common umask values and their effects:
|
umask |
User Access |
Group Access |
Other |
|
0000 |
all |
all |
all |
|
0002 |
all |
all |
read, execute |
|
0007 |
all |
all |
none |
|
0022 |
all |
read, execute |
read, execute |
|
0027 |
all |
read, execute |
none |
|
0077 |
all |
none |
rwx
124