File and folder permissions in Linux are part of the POSIX standard, and several commands are available for working with them, such as chmod, chown, chgrp and umask. The umask command specifies which permissions will be applied to files and directories when they are created.
The settings specified by the command apply only to new files. This article looks at the Linux umask command, its main parameters, and how to put them into practice.
Permissions in Linux
Since the umask command is used to set the default permissions, we must first figure out what the permissions are. As stated earlier, Linux follows the POSIX standards, making it a UNIX compatible operating system. In general, UNIX permissions fall into three categories:
- u (user) – the user who owns the file.
- g (group) – the group.
- o (other) – other users.
Each category has three types of rights, and these rights are different for files and directories. For files:
- r (read) – read the file.
- w (write) – change the file.
- x (execute) – execute the file as a program.
For directories:
- r (read) – read the list of files.
- w (write) – modify and create files in the directory.
- x (execute) – open files in the directory.
You can view the permissions of the files in the current directory with the following command:
ls -l
You'll see something like -rwxrw-r-- , where the first character indicates the file type (for example, a folder or a symbolic link), and the subsequent characters can be split into groups of three, for the categories u, g and o respectively.
With files, everything is clear, but for directories the r and x permissions can introduce some ambiguity. If you forbid reading the list of files (r), you will not be able to view the directory's contents, but you can still open and modify a file if you know its name, and you can still create new files. If you forbid opening files (x), you will not be able to open the directory and read the files in it, but the ls command will still give you a list of files without details such as permissions and file sizes.
By default, new files will have -rw-rw-r-- permissions, where the first dash indicates that this is a regular file. For folders, the permissions will look like this: drwxrwxr-x , where d means that we are dealing with a folder (l means a symbolic link).
Permissions can be expressed not only as a sequence of letters, but also in octal form; for example, -rw-rw-r-- is written as 0664. The default permissions for a file in Linux in octal format are written as 0666, and for a directory as 0777. Here the leading 0 means nothing, and each following digit is the set of rights for one category: first the owner, then the group, and then everyone else. But thanks to the mask, the default permissions in Linux are 0664 for a file and 0775 for a directory. It is these values that the umask command affects.
How umask works
The umask command sets the permissions mask for new files and directories. When any file is created, the operating system requests the permissions mask and calculates the permissions based on it. By default, the mask is 0002. The first digit does not affect anything and is a relic of the syntax of the C language. The remaining digits follow the same order as Linux permissions: the first is the owner, the second is the group and the third is everyone else. This mask is used to calculate file permissions. Without going into details, the calculation is quite simple: the mask is taken away from the maximum rights, and what remains is the rights for the file. In other words, the mask contains the permissions that will not be set for the file. So the default permissions for a file will be 666 – 002 = 664, and for a directory 777 – 002 = 775.
Each digit of the mask 002 can be converted to binary. The last digit, 2, describes the category other, and in binary it looks like 010. The bits are read from left to right and correspond to the rights r, w and x. In this example, the 1 forbids writing, and the zeros allow reading and execution. A bitmask of 100, which is 4 in octal, would mean a ban on reading.
An important note is that a mask cannot make files executable. The x flag in a mask only has an effect for directories. File permissions are calculated from 666 (rw-rw-rw-), in which execution is already disabled, so the mask cannot do anything here. For directories everything works, because the base permissions are 777. For clarity, the default mask can be represented as a table:
| Rights category | user | group | other |
|---|---|---|---|
| letter notation | r w x | r w x | r - x |
| bitmask | 0 0 0 | 0 0 0 | 0 1 0 |
| mask in octal form | 0 | 0 | 2 |
It must be said that the command works within one terminal session and does not apply to the entire system or to other sessions.
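The calculation described above, as an added example that is not part of the original article: the system clears the mask's bits from the base permissions (base AND NOT mask), which equals subtraction for 002 but not for masks such as 033 or 077. It assumes GNU coreutils (stat -c, mktemp -d), and the function names are illustrative.

```shell
#!/bin/sh
# Added example: the mode a new file receives is BASE & ~MASK, not BASE - MASK.
# Assumes GNU coreutils (stat -c, mktemp -d); all function names are illustrative.

# effective_mode BASE MASK -> octal mode after clearing every bit set in MASK
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# naive_subtract BASE MASK -> plain octal subtraction, shown for comparison only
naive_subtract() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# observed_mode MASK file|dir -> mode the system really assigns under MASK
observed_mode() {
    om_tmp=$(mktemp -d) || return 1      # created before the mask changes
    (
        umask "$1"                       # affects this subshell only
        if [ "$2" = dir ]; then mkdir "$om_tmp/t"; else : > "$om_tmp/t"; fi
        printf '%03o\n' "0$(stat -c '%a' "$om_tmp/t")"
    )
    rmdir "$om_tmp/t" 2>/dev/null || rm -f "$om_tmp/t"
    rmdir "$om_tmp"
}

# Compare the three results for the default mask and for two stricter masks.
compare_masks() {
    for mask in 002 033 077; do
        echo "umask $mask: and-not=$(effective_mode 666 "$mask")" \
             "subtract=$(naive_subtract 666 "$mask")" \
             "observed=$(observed_mode "$mask" file)"
    done
}

compare_masks
```

For 033 and 077 the subtraction column disagrees with what the system assigns, because the mask tries to remove an x bit that 666 never had.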
Syntax and umask options
The umask command, as mentioned earlier, defines the bitmask that will be applied to new files. The command has a fairly simple syntax and only a few options:
$ umask options octal_mask
In addition to the mask in octal, there is also a way to set default permissions similar to the syntax of the chmod command:
$ umask options u=right,g=right,o=right
Utility options:
- -p – output the umask command which, when executed, will set the current mask in octal form;
- -S – display the default permissions for a folder in the format u=rwx,g=rwx,o=rwx, calculated from the current mask.
There are two ways to view the current mask value. If you pass the -p option to the command, it will print a command to set the current mask:
umask -p
The -S option prints the current permissions in the format u=rwx,g=rwx,o=rx , where x (execute) refers only to directories. Execute permission for files can only be given with chmod.
umask -S
Now let’s look at how to set the mask:
umask 0002
umask 002
As you can see, the leading (fourth) digit can be omitted. The mask can also be specified using more traditional notation:
umask u=rwx,g=rwx,o=
Unlike a bitmask, this notation lists permissions, not prohibitions. In other words, the rights are set in exactly the same way as in chmod. In this example, we did not specify any rights for the other category, so all three operations are prohibited. For files, as in the case of a bitmask, the right to execute is not granted.
Categories can be combined, or you can set rights for all categories at once, using the a= (all) parameter.
umask ug=rwx,o=rx
umask a=rwx
It is also possible to work with individual rights. Using the + or - operator, you can enable or disable a certain action; the remaining bits in the mask will remain untouched.
umask ug-w
umask a+w
You can also combine the two previous methods, for example, to allow the user all operations and to remove the read right from the group and other users.
umask u=rwx,go-r
Let's move on to the most interesting part: using the command in practice. The obvious use is adding the command to a script. For example, you can prevent changes to files that will be written in the future. Recall that the command operates within one terminal session.
In this example, the script needs a known default mask when it runs, so the umask command is written into it.
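One way to use umask inside a script, as an added example (not the article's own script): a helper that creates a sensitive file owner-only from the start and keeps the mask change inside a subshell. It assumes GNU coreutils (stat -c, mktemp -d); the function names, file names and token value are constructed.

```shell
#!/bin/sh
# Added example: create a sensitive file with owner-only permissions from the
# moment it exists, without changing the caller's mask.
# Assumes GNU coreutils (stat -c, mktemp -d); names and contents are constructed.

# write_private PATH: copy stdin into a newly created PATH with mode 600.
write_private() {
    (
        umask 077    # only this subshell is affected
        set -C       # noclobber: the mask applies at creation only, so refuse
                     # to reuse an existing file that may already be readable
        cat > "$1"
    )
}

# private_demo: prints "<token mode> <caller mask kept?> <existing file refused?>"
private_demo() {
    pd_dir=$(mktemp -d) || return 1
    pd_before=$(umask)

    printf 'constructed-api-token\n' | write_private "$pd_dir/token"
    pd_mode=$(stat -c '%a' "$pd_dir/token")

    # The mask change must not leak out of write_private.
    if [ "$(umask)" = "$pd_before" ]; then pd_kept=kept; else pd_kept=leaked; fi

    # A file that already exists keeps its old mode, so the write is rejected.
    : > "$pd_dir/old" && chmod 644 "$pd_dir/old"
    if printf 'x\n' | write_private "$pd_dir/old" 2>/dev/null; then
        pd_old=overwritten
    else
        pd_old=refused
    fi

    rm -rf "$pd_dir"
    echo "$pd_mode $pd_kept $pd_old"
}

private_demo
```

Setting the mask before the file is created avoids the window in which a file made with default permissions is readable by others until a later chmod runs.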
Another use case is not so secure: the command is written in the user's configuration files. You can change the mask of the terminal shell by adding a line with the umask command to the ~/.bashrc file. This is true for Debian-based distributions. Other distributions may require editing the .profile file.
Global shell changes take effect after adding a line to the /etc/bash.bashrc file. But this mask has less weight than the one set in the home directory. However, you can set only the rights a particular user needs and leave the rest to the global configuration. For example, a user can be given the parameter g+w, which will allow them to change the group's files.
Changing the mask for all programs in the system is a non-trivial task that will require a lot of changes. Therefore, the local rights set by the setfacl command are used instead.
Comparison with chmod
There are three significant differences between the chmod and umask commands. First, umask sets the mask for new files, and chmod sets the permissions for existing ones. Second, the umask mask is inverted: if a bit in it is equal to 1, the corresponding operation is prohibited. Third, umask cannot grant execute permissions to a file. Even if you specify the mask 000, which allows everything, the file will be given the rights rw-rw-rw- .
As for what they have in common, it is worth noting the similar syntax for granting rights through the operators = , + and - . Also, neither command can change the owner or group; for this there are the chown and chgrp commands. More sophisticated permissions management is done through the setfacl command, which allows you to set different permissions for individual users, groups, and directories, and which extends the POSIX standard.
Conclusions
The Linux umask command allows you to set permissions for new files and directories. It will be useful if you want to set permissions in advance. But keep in mind that mask changes will only apply to the current terminal session, and that the command has little effect outside the terminal.