umask
The umask utility is used to control the file-creation mode mask, which determines the initial value of the file permission bits for newly created files. The behaviour of this utility is standardized by POSIX and described in the POSIX Programmer's Manual. Because umask affects the current shell execution environment, it is usually implemented as a built-in command of a shell.
Meaning of the mode mask
The mode mask contains the permission bits that should not be set on a newly created file, hence it is the logical complement of the permission bits set on a newly created file. If some bit in the mask is set to 1, the corresponding permission for the newly created file will be disabled. Hence the mask acts as a filter to strip away permission bits and helps with setting default access to files.
The resulting value for the permission bits to be set on a newly created file is calculated using bitwise material nonimplication (also known as abjunction), which can be expressed in logical notation:

R = D & (~M)

That is, the resulting permissions R are the result of the bitwise conjunction of the default permissions D and the bitwise negation of the file-creation mode mask M.
- Linux does not allow a file to be created with execute permissions; the default creation permissions are 777 for directories and only 666 for files.
- Under Linux, only the file permission bits of the mask are used, see umask(2). The suid, sgid and sticky bits of the mask are ignored.
For example, let us assume that the file-creation mode mask is 027. Here the bitwise representation of each digit represents:

- 0 stands for the user permission bits not set on a newly created file
- 2 stands for the group permission bits not set on a newly created file
- 7 stands for the other permission bits not set on a newly created file

With the information provided by the table below this means that for a newly created file, for example owned by the User1 user and the Group1 group, User1 has all the possible permissions (octal value 7) for the newly created file, other users of the Group1 group do not have write permissions (octal value 5), and any other user does not have any permissions (octal value 0) to the newly created file. So with the 027 mask taken for this example, files will be created with 750 permissions.
Octal | Binary | Meaning
---|---|---
0 | 000 | no permissions
1 | 001 | execute only
2 | 010 | write only
3 | 011 | write and execute
4 | 100 | read only
5 | 101 | read and execute
6 | 110 | read and write
7 | 111 | read, write and execute
Display the current mask value
To display the current mask, simply invoke umask without specifying any arguments. The default output style depends on the implementation, but it is usually octal:
$ umask
0027
When the -S option, standardized by POSIX, is used, the mask will be displayed using symbolic notation. Note that the symbolic notation value is always the logical complement of the octal value, i.e. the permission bits to be set on the newly created file:
$ umask -S
u=rwx,g=rx,o=
Set the mask value
useradd -m creates the directory with 700 permission by default), as they make all files within inaccessible to other users. Should this not be practical (for example when using Apache HTTP Server), and public files are stored amongst private ones, then consider restricting the umask instead.

You can set the umask value through the umask command. The string specifying the mode mask follows the same syntactic rules as the mode argument of chmod (see the POSIX Programmer's Manual for details).
A system-wide umask value can be set in /etc/profile (e.g. /etc/profile.d/umask.sh) or in the default shell configuration files (e.g. /etc/bash.bashrc). Most Linux distributions, including Arch, set a umask default value of 022 in /etc/login.defs. One can also set the umask with pam_umask.so, but it may be overridden by /etc/profile or similar.
If you need to set a different value, you can either directly edit such a file, thus affecting all users, or call umask from your shell's user configuration file (e.g. ~/.bashrc) to change only your own umask; in both cases the change takes effect only after the next login. To change your umask during the current session only, simply run umask followed by the desired value. For example, running umask 077 will give you read and write permissions for new files, and read, write and execute permissions for new folders.
As mentioned in pam_umask(8) § DESCRIPTION, umask=value can also be set in /etc/passwd (see Users and groups#User database). See the discussion about setting UMASK in the GECOS field.
Set umask value for KDE / Plasma
Setting the umask value via /etc/profile no longer works for KDE / Plasma sessions because these are started as systemd user units.

The umask value can be set via pam_umask.so or a systemd drop-in file:

/etc/systemd/system/user@.service.d/override.conf
[Service]
UMask=0002

Using pam_umask.so allows setting the system-wide umask value for both text console and graphical KDE sessions in one single place, so any changes in /etc/profile or the systemd configuration can be omitted. For this, pam_umask.so needs to be enabled in a configuration file that is included by both /etc/pam.d/login and /etc/pam.d/systemd-user.
Add the following line to /etc/pam.d/system-login:
# session optional pam_umask.so umask=022
See also
- POSIX Programmer's Manual:
- umask (also available as umask(1p))
- chmod (extended description) (also available as chmod(1p))
- 027 umask: a compromise between security and simplicity