umask is a command that determines the settings of a mask that controls how file permissions are set for newly created files. It may also affect how the file permissions are changed explicitly.
umask is also a function that sets the mask, or it may refer to the mask itself, which is formally known as the file mode creation mask. The mask is a grouping of bits, each of which restricts how its corresponding permission is set for newly created files. The bits in the mask may be changed by invoking the
In Unix-like systems, each file has a set of attributes that control who can read, write or execute it. When a program creates a file the file permissions are restricted by the mask. If the mask has a bit set to "1", then the corresponding initial file permission will be disabled. A bit set to "0" in the mask means that the corresponding permission will be determined by the program and the file system. In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away its corresponding permission. Permissions may be changed later by users and programs using
Each program (technically called a process) has its own mask and is able to change its settings using a function call. When the process is a shell, the mask is set with the
umask command. When a shell or process launches a new process, the child process inherits the mask from its parent process. Generally, the mask only affects file permissions during the creation of new files and has no effect when file permissions are changed in existing files; however, the
chmod command will check the mask when the mode options are specified using symbolic mode and a reference to a class of users is not specified.
The mask is stored as a group of bits. It may be represented as binary, octal or symbolic notation. The
umask command allows the mask to be set as octal (e.g.
0754) or symbolic (e.g.
The mask, the
umask command and the
umask function were not part of the original implementation of UNIX. The operating system evolved in a relatively small computer-center environment, where security was not an issue. It eventually grew to serve hundreds of users from different organizations. At first, developers made creation modes for key files more restrictive, especially for cases of actual security breaches, but this was not a general solution. The mask and the
umask command were introduced around 1978, in the seventh edition of the operating system, so it could allow sites, groups and individuals to choose their own defaults. The mask has since been implemented in most, if not all, of the contemporary implementations of Unix-like operating systems.
In a shell, the mask is set by using the
umask command. The syntax of the command is:
umask [-S ] [maskExpression]
(The items within the brackets are optional.)
$ umask # display current value (as octal) 0022 $ umask -S # display current value symbolically u=rwx,g=rx,o=rx
umask command is invoked with an octal argument, it will directly set the bits of the mask to that argument:
$ umask 007 # set the mask to 007 $ umask # display the mask (in octal) 0007 # 0 - special permissions (setuid | setgid | sticky ) # 0 - (u)ser/owner part of mask # 0 - (g)roup part of mask # 7 - (o)thers/not-in-group part of mask $ umask -S # display the mask symbolically u=rwx,g=rwx,o=
If fewer than 4 digits are entered, leading zeros are assumed. An error will result if the argument is not a valid octal number or if it has more than 4 digits. The three rightmost octal digits address the "owner", "group" and "other" user classes respectively. If a fourth digit is present, the leftmost (high-order) digit addresses three additional attributes, the setuid bit, the setgid bit and the sticky bit.
|Octal digit in
||Permissions the mask will|
prohibit from being set during file creation
||any permission may be set (read, write, execute)|
||setting of execute permission is prohibited (read and write)|
||setting of write permission is prohibited (read and execute)|
||setting of write and execute permission is prohibited (read only)|
||setting of read permission is prohibited (write and execute)|
||setting of read and execute permission is prohibited (write only)|
||setting of read and write permission is prohibited (execute only)|
||all permissions are prohibited from being set (no permissions)|
umask is invoked using symbolic notation, it will modify or set the flags as specified by the maskExpression with the syntax:
Note that this syntax does not work when using the C shell due to the different behaviour of its built-in
Multiple maskExpressions are separated by commas.
A space terminates the maskExpression(s).
The permissions are applied to different user classes:
||group||users who are members of the file's group|
||others||users who are not the owner of the file or members of the group|
||all||all three of the above, the same as |
The operator specifies how the permission modes of the mask should be adjusted.
|Operator||Effect on the mask|
||permissions specified are enabled, permissions that are not specified are unchanged.|
||permissions specified are prohibited from being enabled, permissions that are not specified are unchanged.|
||permissions specified are enabled, permissions that are not specified are prohibited from being enabled.|
The permission-symbols indicate which file permission settings are to be allowed or prohibited by the mask.
||read||read a file or list a directory's contents|
||write||write to a file or directory|
||execute||execute a file or recurse a directory tree|
||special execute||See Symbolic modes.|
||setuid/gid||See File permissions.|
||sticky||See File permissions.|
Prohibit write permission from being set for the user. The rest of the flags in the mask are unchanged.
Example of multiple changes:
This would set the mask so that it would:
Here are more examples of using the
umask command to change the mask:
||How the mask will affect permissions of subsequently created files/directories|
||allows read permission to be enabled for all user classes; the rest of the mask bits are unchanged|
||prohibits enabling execute permission for all user classes; the rest of the mask bits are unchanged|
||allows read or write permission to be enabled for all user classes; the rest of the mask bits are unchanged|
||allows read, write or execute permission to be enabled for all user classes. (Note: On some UNIX platforms, this will restore the mask to a default.)|
||allow read and write permission to be enabled for the owner, while prohibiting execute permission from being enabled for the owner; prohibit enabling any permissions for the group and others|
||allow write permission to be enabled for the owner; prohibit write permission from being enabled for the group and others;|
||display the current mask in symbolic notation|
||disallow read, write, and execute permission for all (probably not useful because even owner cannot read files created with this mask!)|
||allow read, write, and execute permission for all (potential security risk)|
||allow read, write, and execute permission for the file's owner, but prohibit read, write, and execute permission for everyone else|
||allow read or write permission to be enabled for the owner and the group, but not execute permission; allow read permission to be enabled for others, but not write or execute permission|
||equivalent to |
Example showing effect of
$ umask -S # Show the (frequently initial) setting u=rwx,g=rx,o=rx $ gcc hello.c # compile and create executable file a.out $ ls -l a.out -rwxr-xr-x 1 me developer 6010 Jul 10 17:10 a.out $ # the umask prohibited Write permission for Group and Others $ ls > listOfMyFiles # output file created by redirection does not attempt to set eXecute $ ls -l listOfMyFiles -rw-r--r-- 1 me developer 6010 Jul 10 17:14 listOfMyFiles $ # the umask prohibited Write permission for Group and Others $ ############################################################ $ umask u-w # remove user write permission from umask $ umask -S u=rx,g=rx,o=rx $ ls > protectedListOfFiles $ ls -l protectedListOfFiles -r--r--r-- 1 me developer 6010 Jul 10 17:15 protectedListOfFiles $ rm protectedListOfFiles override r--r--r-- me/developer for protectedListOfFiles? $ # warning that protectedListOfFiles is not writable, answering Y will remove the file $ ##################################################################################### $ umask g-r,o-r # removed group read and other read from mask $ umask -S u=rx,g=x,o=x $ ls > secretListOfFiles $ ls -l secretListOfFiles -r-------- 1 me developer 6010 Jul 10 17:16 secretListOfFiles
The mask is applied whenever a file is created. If the mask has a bit set to "1", that means the corresponding file permission will always be disabled when files are subsequently created. A bit set to "0" in the mask means that the corresponding permission will be determined by the requesting process and the OS when files are subsequently created. In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away that corresponding permission for the file.
Here is the truth table for the masking logic. Each bit in the requesting process' file permission mode is operated on by the mask using this logic to yield the permission mode that is applied to the file as it is created. ('p' is a bit in the requested file permission mode of a process that is creating a file; 'q' is a bit in the mask; 'r' is the resulting bit in the created file's permission mode)
|Octal digit in
|| Binary in
with "rwx" request
Programmatically, the mask is applied by the OS by first negating (complementing) the mask, and then performing a logical AND with the requested file mode. In the [probably] first UNIX manual to describe its function, the manual says,
the actual mode... of the newly-created file is the logical and of the given mode and the complement of the argument. Only the low-order 9 bits of the mask (the protection bits) participate. In other words, the mask shows [indicates] the bits to be turned off when files are created.-- UNIX Eighth Edition Manual, Bell Labs UNIX (manual), AT&T Laboratories
In boolean logic the application of the mask can be represented as:
Many operating systems do not allow a file to be created with execute permissions. In these environments, newly created files will always have execute permission disabled for all users.
The mask is generally only applied to functions that create a new file; however, there are exceptions. For example, when using UNIX and GNU versions of
chmod to set the permissions of a file, and symbolic notation is used, and no user is specified, then the mask is applied to the requested permissions before they are applied to the file. For example:
$ umask 0000 $ chmod +rwx filename $ ls -l filename -rwxrwxrwx filename $ umask 0022 $ chmod +rwx filename $ ls -l filename -rwxr-xr-x filename
Each process has its own mask, which is applied whenever the process creates a new file. When a shell, or any other process, spawns a new process, the child process inherits the mask from its parent process. When the process is a shell, the mask is changed by the
umask command. As with other processes, any process launched from the shell inherits that shell's mask.
In the Linux kernel, the
udf file system drivers support a
umask mount option, which controls how the disk information is mapped to permissions. This is not the same as the per-process mask described above, although the permissions are calculated in a similar way. Some of these file system drivers also support separate masks for files and directories, using mount options such as
umaskcommand does not use this type of prefix notation - only the octal digits are used.