umask
The umask utility is used to control the file-creation mode mask, which determines the initial value of file permission bits for newly created files. The behaviour of this utility is standardized by POSIX and described in the POSIX Programmer's Manual. Because umask affects the current shell execution environment, it is usually implemented as built-in command of a shell.
Meaning of the mode mask
The mode mask contains the permission bits that should not be set on a newly created file, hence it is the logical complement of the permission bits set on a newly created file. If some bit in the mask is set to 1, the corresponding permission for the newly created file will be disabled. Hence the mask acts as a filter to strip away permission bits and helps with setting default access to files.
The resulting value for permission bits to be set on a newly created file is calculated using bitwise material nonimplication (also known as abjunction), which can be expressed in logical notation:
R: (D & (~M))
That is, the resulting permissions R are the result of bitwise conjunction of default permissions D and the bitwise negation of file-creation mode mask M.
- Linux does not allow a file to be created with execution permissions, the default creation permissions are
777for directories and only666for files. - Under Linux, only the file permission bits of the mask are used - see umask(2). The suid, sgid and sticky bits of the mask are ignored.
For example, let us assume that the file-creation mode mask is 027. Here the bitwise representation of each digit represents:
-
0stands for the user permission bits not set on a newly created file -
2stands for the group permission bits not set on a newly created file -
7stands for the other permission bits not set on a newly created file
With the information provided by the table below this means that for a newly created file, for example owned by User1 user and Group1 group, User1 has all the possible permissions (octal value 7) for the newly created file, other users of the Group1 group do not have write permissions (octal value 5), and any other user does not have any permissions (octal value 0) to the newly created file. So with the 027 mask taken for this example, files will be created with 750 permissions.
| Octal | Binary | Meaning |
|---|---|---|
0 |
000 |
no permissions |
1 |
001 |
execute only |
2 |
010 |
write only |
3 |
011 |
write and execute |
4 |
100 |
read only |
5 |
101 |
read and execute |
6 |
110 |
read and write |
7 |
111 |
read, write and execute |
Display the current mask value
To display the current mask, simply invoke umask without specifying any arguments. The default output style depends on implementation, but it is usually octal:
$ umask
0027
When the -S option, standardized by POSIX, is used, the mask will be displayed using symbolic notation. However, the symbolic notation value will always be the logical complement of the octal value, i.e. the permission bits to be set on the newly created file:
$ umask -S
u=rwx,g=rx,o=
Set the mask value
useradd -m creates the directory with 700 permission by default), as they make all files within unaccessible to other users. Should this not be practical (for example when using Apache HTTP Server), and public files are stored amongst private ones, then consider restricting the umask instead.You can set the umask value through the umask command. The string specifying the mode mask follows the same syntactic rules as the mode argument of chmod (see the POSIX Programmer's Manual for details).
System-wide umask value can be set in /etc/profile (e.g. /etc/profile.d/umask.sh) or in the default shell configuration files (e.g. /etc/bash.bashrc). Most Linux distributions, including Arch, set a umask default value of 022 at /etc/login.defs. One can also set umask with pam_umask.so but it may be overridden by /etc/profile or similar.
If you need to set a different value, you can either directly edit such file, thus affecting all users, or call umask from your shell's user configuration file, e.g. ~/.bashrc to only change your umask, however these changes will only take effect after the next login. To change your umask during your current session only, simply run umask and type your desired value. For example, running umask 077 will give you read and write permissions for new files, and read, write and execute permissions for new folders.
As mentioned by pam_umask(8) § DESCRIPTION, umask=value can also be used in the /etc/passwd section of the Users and groups#User database. See the discussion about setting UMASK in GECOS field
Set umask value for KDE / Plasma
Setting the umask value via /etc/profile does no longer work for KDE / Plasma sessions because these are started as systemd user units.
The umask value can be set via pam_umask.so or a systemd drop-in file:
/etc/systemd/system/user@.service.d/override.conf
[Service] UMask=0002
Using pam_umask.so allows to set the system-wide umask value for both, text console and graphical KDE sessions in one single place. Any changes in /etc/profile or systemd configuration can be omitted. Therefore, pam_umask.so needs to be enabled in a configuration file that is included by both, /etc/pam.d/login and /etc/pam.d/systemd-user.
Add the following line to /etc/pam.d/system-login:
# session optional pam_umask.so umask=022
See also
- POSIX Programmer's Manual:
- umask (also available as umask(1p))
- chmod (extended description) (also available as chmod(1p))
- 027 umask: a compromise between security and simplicity