What is "umask" and how does it work?
The umask acts as a set of permissions that applications cannot set on files. It's a file mode creation mask for processes and cannot be set for directories itself. Most applications would not create files with execute permissions set, so they would have a default of 666
, which is then modified by the umask.
As you have set the umask to remove the read/write bits for the owner and the read bits for others, a default such as 777
in applications would result in the file permissions being 133
. This would mean that you (and others) could execute the file, and others would be able to write to it.
If you want to make files not be read/write/execute by anyone but the owner, you should use a umask like 077
to turn off those permissions for the group & others.
In contrast, a umask of 000
will make newly created directories readable, writable and descendible for everyone (the permissions will be 777
). Such a umask is highly insecure and you should never set the umask to 000
.
The default umask on Ubuntu was 022
which means that newly created files are readable by everyone, but only writable by the owner:
user@computer:~$ touch new-file-name
user@computer:~$ ls -dl new-file-name
-rw-r--r-- 1 user user 0 Apr 1 19:15 new-file-name
Starting in Ubuntu Oneiric (11.10) the default umask was relaxed to 002
, which expands write-access to the owner's group:
user@computer:~$ touch new-file-name
user@computer:~$ ls -dl new-file-name
-rw-rw-r-- 1 user user 0 Apr 1 19:15 new-file-name
Viewing and modifying umask
To view your current umask setting, open a terminal and run the command:
umask
To change the umask setting of the current shell to something else, say 077, run:
umask 077
To test whether this setting works or not, you can create a new file (file permissions of an existing file won't be affected) and show information about the file, run:
user@computer:~$ touch new-file-name
user@computer:~$ ls -dl new-file-name
-rw------- 1 user user 0 Apr 1 19:14 new-file-name
The umask setting is inherited by processes started from the same shell. For example, start the text editor GEdit by executing gedit
in the terminal and save a file using gedit. You'll notice that the newly created file is affected by the same umask setting as in the terminal.
Use case: multi-user system
If you are on a system that's shared by multiple users, it's desired that others cannot read files in your home directory. For that, a umask is very useful. Edit ~/.profile
and add a new line with:
umask 007
You need to re-login for this umask change in ~/.profile
to take effect. Next, you need to change existing file permissions of files in your home directory by removing the read, write and execute bit for the world. Open a terminal and execute:
chmod -R o-rwx ~
If you want this umask setting be applied to all users on the system, you could edit the system-wide profile file at /etc/profile
.
In addition to the good discussion in the accepted answer, it is worth adding some more points about umask
, with reference to how it is managed in 12.04 and onwards.
Umask and pam_umask
The default umask is now in /etc/login.defs
and not in /etc/profile
, as the official note in /etc/profile
reads:
# The default umask is now handled by pam_umask.
# See pam_umask(8) and /etc/login.defs.
Pam_umask
is briefly explained below, and it should be said that the default file for the user to place his custom umask setting in is still ~/.profile
.
Pam_umask
is one of many important PAM modules that are crucial in Ubuntu's operation (run apropos '^pam_'
to find the manpages for the other ones). In the manpage for pam_umask
it is noted that
pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created files.
A note on the default umask
New folders in $HOME
can be created by mkdir
with default 775 permissions and files created with touch
with default 664 permissions even when the default umask is 022. This seems, at first, contradictory, and is worth explaining.
While the default umask is 022 on Ubuntu, this is not the whole story, as there is a setting in /etc/login.defs
that allows the umask to be 002 for non-root users if a condition is met (see excerpt below). On a normal installation, /etc/login.defs
contains the setting USERGROUPS_ENAB yes
. This is what
Enables setting of the umask group bits to be the same as owner bits (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
Hence why you see the following with stat
when a new folder is created with mkdir
on a single user system such as mine (uid and gid are the same):
Access: (0775/drwxrwxr-x) Uid: ( 1000/username) Gid: ( 1000/username)
For more information, see man pam_umask
and the
Ubuntu manpages online.
Others answered have explained really well the concept of umasking and why it's required. Let me add my two cents, and give you a mathematical example on how the permissions are actually calculated.
First of all, “mask” does not mean “subtract”, in the arithmetic sense – there is no borrow or carry involved, secondly, the umask
is a mask; it is not a number to be subtracted.
Third, the mask turns off permission bits. If they are already off, the umask
makes no change to the permission,
For example, assume that you have to unmask 077
from the system defaults for files which is 666
and directories which is 777
.
The command you will use is
umask 077
(unmask value in binary, 000 111 111
)
What this unmask will do is it will turn off any of the first six LSBs (least significant bits) if they are 1
and will make no change if any of them are already off.
Here is how the final permission is calculated:
file permission 666 = 110 110 110
unmask value 077 = 000 111 111
will result in 600 = 110 000 000
Observe how both 110
values have changed to 000
.
Similarly,
directory permission 777 = 111 111 111
unmask value 077 = 000 111 111
will result in 700 = 111 000 000