Unix tip: Making umask work for you

Halloween has come and gone. In fact, so has Thanksgiving. But some masks are always appropriate – not because we’re trying to inspire people to give us candy, but because it’s just too easy to end up with file permissions that don’t reflect the security constraints that work best for us. To help with that, we Unix and Linux users have umask.

The umask setting provides default permissions for any files or directories that you create. If you want that default behavior to ensure that only you can see the files you create, you use one setting. If you want all of your files to be shared by default with people in your core group, you use a different one. The process is easy and fairly straightforward except for one thing. You have to think in a way that may be a bit unusual. The umask setting is, after all, a mask and that implies that it works in a way that is opposite of the way settings normally work.

Using a mask

A 0 in your umask setting doesn’t mean that files you create will be set up with no permissions at all (i.e., with all permissions being denied). Instead, it means that all permissions will be assigned. When using a umask set to 000, for example, directories that you create will be set up with read, write, and execute permissions for everyone. Here’s an example of how it works:

$ umask 000
$ mkdir open
$ ls -ld open
drwxrwxrwx 2 bugfarm techstaff 4096 Nov 29 12:34 open

Setting umask to 000 and creating a directory, you end up with the same result as creating a directory and then setting its permissions to 777. Set your umask to 777 and you’ll get the opposite effect. Directories that you create will provide no permissions to anyone.

$ umask 777
$ mkdir closed
$ ls -ld closed
d--------- 2 bugfarm techstaff 4096 Nov 29 12:45 closed

Umask settings are generally not set to 000 or 777 as they’d leave our files too open or too closed. Let’s take a look at more common settings and how they work.

Checking your umask

You can use the umask command without arguments to display your current setting.

$ umask
0007

The setting is usually configured by your shell’s main configuration file – such as /etc/bashrc which might have something like this:

if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
       umask 002
    else
       umask 022
    fi

In this case, all users with UIDs of 200 and above (presumably user accounts rather than system accounts) will get a umask setting of 002 which means that those users and individuals in their primary group will be given the same permissions to files and directories, but that everyone else will have reduced permissions.

The other thing that you may notice in this segment of code is that it’s checking whether the group and username are the same with the id -gn and id -un commands before using the 002 setting. So, the user and group settings are only the same if the user is in a group of his own. Your system may not be set up that way.

And, of course, you can change your umask setting either interactively or by changing it within your personal shell startup file (e.g., ~/.bashrc).

But what exactly do those 002 and 022 settings mean? The 002 setting indicates that the permissions we’ll assign to directories will be 775. The 022 setting means the permissions will be 755. If we think of these settings as binary numbers, every 1 becomes a 0 and every 0 becomes a 1. The table below shows how each digit is translated.

The “Mask Value” settings in this table, such as 110 indicate the permissions that will be given (read and write, but not execute) for the particular owner, group member, or other.

There is a difference, however, is how the umask is applied to files and directories. Since we don’t have a separate mask setting for each, we instead have a difference in how the setting is applied. The basic rule is: files are never given execute permission through the umask setting. If your umask setting is 770, directories you create will be set to rwxrwx—. Files, on the other hand, will only get rw-rw—-. You have to intentionally give the files execute permission with the chmoc command. They will not get it simply based on your umask setting.