Chapter 5. Managing file permissions

5.1. Setting default permissions for new files using umask

When a process creates a file, the file has certain default permissions, for example, -rw-rw-r--. These initial permissions are partially defined by the file mode creation mask, also called the file permission mask or umask. Every process has its own umask; for example, bash has umask 0022 by default. The umask of a process can be changed.

5.1.1. What umask consists of

A umask consists of bits corresponding to standard file permissions. For example, for umask 0137, the digits mean that:

  • 0 = no meaning, it is always 0 (umask does not affect special bits)
  • 1 = for owner permissions, the execute bit is set in the mask
  • 3 = for group permissions, the execute and write bits are set in the mask
  • 7 = for others permissions, the execute, write, and read bits are set in the mask

Umasks can be represented in binary, octal, or symbolic notation. For example, the octal representation 0137 equals symbolic representation u=rw-,g=r--,o=---. Symbolic notation specification is the reverse of the octal notation specification: it shows the allowed permissions, not the prohibited permissions.

5.1.2. How umask works

Umask prohibits permissions from being set for a file:

  • When a bit is set in umask, it is unset in the file.
  • When a bit is not set in umask, it can be set in the file, depending on other factors.

The following figure shows how umask 0137 affects creating a new file.

Figure 5.1. Applying umask when creating a file

Important

For security reasons, a regular file cannot have execute permissions by default. Therefore, even if umask is 0000, which does not prohibit any permissions, a new regular file still does not have execute permissions. However, directories can be created with execute permissions:

[john@server tmp]$ umask 0000
[john@server tmp]$ touch file
[john@server tmp]$ mkdir directory
[john@server tmp]$ ls -lh .
total 0
drwxrwxrwx. 2 john john 40 Nov  2 13:17 directory
-rw-rw-rw-. 1 john john  0 Nov  2 13:17 file
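The arithmetic behind sections 5.1.1 and 5.1.2 can be checked directly. The following POSIX shell script is an added example and is not part of this chapter: it computes the mode a new file or directory ends up with under a given umask (the kernel keeps requested_mode & ~umask, where programs such as touch request 0666 and mkdir requests 0777), prints the allowed permissions in the form umask -S uses, and then creates a real file and directory in a scratch directory to confirm the result against the running kernel. The function names effective_mode, umask_to_symbolic and observed_modes are this example's own.

```shell
#!/bin/sh
# Added example, not part of this chapter: reproduce the umask arithmetic
# described above and cross-check it against the running kernel.
# Function names (effective_mode, umask_to_symbolic, observed_modes) are ours.
# Facts used: programs request mode 0666 for new regular files and 0777 for
# new directories, and the kernel stores requested_mode & ~umask.

# effective_mode UMASK REQUESTED_MODE -> final mode as four octal digits.
# A leading 0 is prepended so shell arithmetic reads both arguments as octal
# and short forms such as "7" behave like "0007", as umask itself does.
effective_mode() {
    [ $# -eq 2 ] || { echo "usage: effective_mode UMASK REQUESTED_MODE" >&2; return 2; }
    case "$1$2" in *[!0-7]*) echo "effective_mode: octal digits only" >&2; return 2 ;; esac
    printf '%04o' $(( 0$2 & ~0$1 & 0777 ))
}

# umask_to_symbolic UMASK -> the allowed permissions in the form printed by
# "umask -S", e.g. 0022 -> u=rwx,g=rx,o=rx and 0337 -> u=r,g=r,o=
umask_to_symbolic() {
    allowed=$(( ~0$1 & 0777 ))
    result=
    for cls in u g o; do
        case $cls in u) offset=6 ;; g) offset=3 ;; o) offset=0 ;; esac
        bits=$(( (allowed >> offset) & 7 ))
        perms=
        if [ $(( bits & 4 )) -ne 0 ]; then perms="${perms}r"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then perms="${perms}w"; fi
        if [ $(( bits & 1 )) -ne 0 ]; then perms="${perms}x"; fi
        result="${result}${cls}=${perms},"
    done
    printf '%s\n' "${result%,}"
}

# observed_modes UMASK -> "<file perms> <dir perms>" as shown by ls -l for a
# regular file and a directory actually created under UMASK in a scratch dir.
observed_modes() {
    scratch=$(mktemp -d) || return 1
    (
        cd "$scratch" && umask "$1" && touch file && mkdir directory &&
        printf '%s %s\n' "$(ls -ld file | cut -c1-10)" "$(ls -ld directory | cut -c1-10)"
    )
    status=$?
    rm -rf "$scratch"
    return $status
}

# Stand-alone demonstration: the chapter's umask 0137, the 0000 case from the
# Important box, and the bash default 0022.
for mask in 0137 0000 0022; do
    printf 'umask %s (%s): file %s, directory %s, observed: %s\n' \
        "$mask" "$(umask_to_symbolic "$mask")" \
        "$(effective_mode "$mask" 0666)" "$(effective_mode "$mask" 0777)" \
        "$(observed_modes "$mask")"
done
```

Running it shows why umask 0137 gives -rw-r----- for files and drw-r----- for directories (the execute bit masked for the owner also strips search permission from the directory), and why umask 0000 still yields -rw-rw-rw- for a regular file: the 0666 requested by touch never contained execute bits for the mask to leave in place.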

5.1.3. Managing umask in Shells

For popular shells, such as bash, ksh, zsh and tcsh, umask is managed using the umask shell builtin. Processes started from the shell inherit its umask.

5.1.3.1. Displaying the current mask in octal notation

To display the current umask in octal notation, use this procedure.

Procedure

  • Run the following command:

    $ umask
    0022

5.1.3.2. Displaying the current mask in symbolic notation

To display the current umask in symbolic notation, use this procedure.

Procedure

  • Run the following command:

    $ umask -S
    u=rwx,g=rx,o=rx

5.1.3.3. Setting mask in shell using umask with octal notation

To set umask for the current shell session using octal notation, use this procedure.

Procedure

  • Run the following command:

    $ umask octal_mask

Substitute octal_mask with four or fewer digits from 0 to 7. When three or fewer digits are provided, permissions are set as if the command contained leading zeros. For example, umask 7 translates to 0007.

Example 5.1. Setting umask using octal notation

To prohibit new files from having write and execute permissions for owner and group, and from having any permissions for others:

$ umask 0337

Or:

$ umask 337

5.1.3.4. Setting mask in shell using umask with symbolic notation

To set umask for the current shell session using symbolic notation, use this procedure.

Procedure

  • Run the following command:

    $ umask -S symbolic_mask

Example 5.2. Setting umask using symbolic notation

To set umask 0337 using symbolic notation:

$ umask -S u=r,g=r,o=

5.1.3.5. Working with the default shell umask

Shells usually have a configuration file where their default umask is set. For bash, the default configuration file is /etc/bashrc.

This section describes how to display and change the default bash umask, and how to do this for a specific user.

5.1.3.5.1. Displaying the default bash umask

To display the default bash umask, use this procedure.

Procedure

  • Run the following command:

    $ grep -i -B 1 umask /etc/bashrc

    The output shows if umask is set, either using the umask command or the UMASK variable. In this example, umask is set to 022 using the umask command:

    $ grep -i -B 1 umask /etc/bashrc
        # By default, we want umask to get set. This sets it for non-login shell.
    --
        if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
           umask 002
        else
           umask 022

5.1.3.5.2. Changing the default bash umask

To change the default umask for bash, use this procedure.

Procedure

  • Change the umask command call or the UMASK variable assignment in /etc/bashrc to the required value of umask. This example changes the default umask to 0227:

        if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
           umask 002
        else
           umask 227

5.1.3.5.3. Changing the default bash umask for a specific user

The bash umask of a new user defaults to the value defined in /etc/bashrc.

To change bash umask for a particular user, use this procedure.

Procedure

  • Add a call to the umask command in $HOME/.bashrc file of that user. For example, to change bash umask of user john to 0227:

    [john@server ~]$ echo 'umask 227' >> /home/john/.bashrc

5.1.3.6. Setting default permissions for newly created home directories

To change permissions with which user home directories are created, use this procedure.

Procedure

  • Change the UMASK variable in the /etc/login.defs file:

    # The permission mask is initialized to this value. If not specified,
    # the permission mask will be initialized to 022.
    UMASK 077
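Sections 5.1.3.5 and 5.1.3.6 describe where default umask values live; a hardening review usually wants to confirm that every value configured there is at least as restrictive as a policy baseline. The following POSIX shell script is an added example and is not part of this chapter: it extracts octal umask settings from a bash startup file and from a login.defs-style file, and compares each against a baseline using the same bit arithmetic umask applies. The configuration text is constructed here, modelled on the /etc/bashrc and /etc/login.defs fragments above; the baseline 027 is an assumed policy value, and the function names restrictive_enough, configured_umasks and audit_file are this example's own.

```shell
#!/bin/sh
# Added example, not part of this chapter: audit the default umask values a
# system configures against a minimum baseline, as a hardening check would.
# The configuration text below is constructed for the demonstration, modelled
# on the /etc/bashrc and /etc/login.defs fragments in the chapter; function
# names are ours and the baseline 027 is an assumed policy value.

# restrictive_enough BASELINE CANDIDATE -> succeeds when CANDIDATE prohibits
# every permission bit that BASELINE prohibits (is at least as restrictive).
restrictive_enough() {
    [ $# -eq 2 ] || return 2
    case "$1$2" in *[!0-7]*) return 2 ;; esac
    [ $(( 0$1 & ~0$2 & 0777 )) -eq 0 ]
}

# configured_umasks FILE -> every octal umask value set in FILE, one per line.
# Handles the two forms shown in this chapter: "umask NNN" in a bash startup
# file and "UMASK NNN" in /etc/login.defs; comments are ignored. Symbolic
# settings (umask -S ...) are deliberately not parsed.
configured_umasks() {
    sed 's/#.*//' "$1" | awk 'tolower($1) == "umask" && $2 ~ /^[0-7]+$/ { print $2 }'
}

# audit_file BASELINE FILE -> one report line per value; fails if any value is
# weaker than BASELINE. A file may set several values (the bashrc fragment
# sets one for ordinary users and another for system accounts); all must pass.
audit_file() {
    baseline=$1 file=$2 rc=0
    for value in $(configured_umasks "$file"); do
        if restrictive_enough "$baseline" "$value"; then
            printf '%s: umask %s ok\n' "$file" "$value"
        else
            printf '%s: umask %s is weaker than baseline %s\n' "$file" "$value" "$baseline"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for /etc/bashrc and /etc/login.defs.
sample_bashrc=$(mktemp) && sample_logindefs=$(mktemp) || exit 1
trap 'rm -f "$sample_bashrc" "$sample_logindefs"' EXIT
cat > "$sample_bashrc" <<'EOF'
# By default, we want umask to get set. This sets it for non-login shell.
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
   umask 002
else
   umask 022
fi
EOF
cat > "$sample_logindefs" <<'EOF'
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
EOF

# Stand-alone demonstration against the assumed baseline 027.
audit_file 027 "$sample_bashrc" || echo "-> weak default umask found in $sample_bashrc"
audit_file 027 "$sample_logindefs" || echo "-> weak default umask found in $sample_logindefs"
```

Against a baseline of 027, both values in the sample bashrc (002 and 022) are reported as weaker, while the sample login.defs value 077 passes. Note that "at least as restrictive" is a bitwise test, not a numeric one: 077 prohibits everything 027 prohibits, whereas a value such as 030 would be numerically larger than 027 yet leave the others bits open.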