
In computing, umask is a command that determines the settings of a mask that controls how file permissions are set for newly created files. It may also affect how the file permissions are changed explicitly. umask is also a function that sets the mask, or it may refer to the mask itself, which is formally known as the ''file mode creation mask''. The mask is a grouping of bits, each of which restricts how its corresponding permission is set for newly created files. The bits in the mask may be changed by invoking the umask command.


Overview

In Unix-like systems, each file has a set of attributes that control who can read, write or execute it. When a program creates a file, the file permissions are restricted by the mask. If the mask has a bit set to "1", then the corresponding initial file permission will be ''disabled''. A bit set to "0" in the mask means that the corresponding permission will be ''determined by the program'' and the file system. In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away its corresponding permission. Permissions may be changed later by users and programs using chmod.

Each program (technically called a process) has its own mask and is able to change its settings using a function call. When the process is a shell, the mask is set with the umask command. When a shell or process launches a new process, the child process inherits the mask from its parent process. Generally, the mask only affects file permissions during the creation of new files and has no effect when file permissions are changed in existing files; however, the chmod command will check the mask when the mode options are specified using symbolic mode and a reference to a class of users is not specified.

The mask is stored as a group of bits. It may be represented as binary, octal or symbolic notation. The umask command allows the mask to be set in octal or symbolic notation. The umask command is used with Unix-like operating systems, and the umask function is defined in the POSIX.1 specification.


History

The mask, the umask command and the umask function were not part of the original implementation of UNIX. The operating system evolved in a relatively small computer-center environment, where security was not an issue. It eventually grew to serve hundreds of users from different organizations. At first, developers made creation modes for key files more restrictive, especially for cases of actual security breaches, but this was not a general solution. The mask and the umask command were introduced around 1978, in the seventh edition of the operating system, so it could allow sites, groups and individuals to choose their own defaults. The mask has since been implemented in most, if not all, of the contemporary implementations of Unix-like operating systems.


Shell command

In a shell, the mask is set by using the umask command. The syntax of the command is:

    umask [-S] [maskExpression]

(The items within the brackets are optional.)


Displaying the current mask

If the umask command is invoked without any arguments, it will display the current mask. The output will be in either octal or symbolic notation, depending on the OS. In most shells, but not the C shell, the -S argument (i.e. umask -S) will instruct umask to display using symbolic notation. For example:

    $ umask         # display current value (as octal)
    0022
    $ umask -S      # display current value symbolically
    u=rwx,g=rx,o=rx


Setting the mask using octal notation

If the umask command is invoked with an octal argument, it will directly set the bits of the mask to that argument:

    $ umask 007    # set the mask to 007
    $ umask        # display the mask (in octal)
    0007           #   0 - special permissions (setuid, setgid, sticky)
                   #   0 - (u)ser/owner part of mask
                   #   0 - (g)roup part of mask
                   #   7 - (o)thers/not-in-group part of mask
    $ umask -S     # display the mask symbolically
    u=rwx,g=rwx,o=

If fewer than 4 digits are entered, leading zeros are assumed. An error will result if the argument is not a valid octal number or if it has more than 4 digits.

Note: Some programming languages require a prefix symbol in front of octal notation such as the digit 0, or the letters o or q. The umask command does not use this type of prefix notation: only the octal digits are used.

The three rightmost octal digits address the "owner", "group" and "other" user classes respectively. If a fourth digit is present, the leftmost (high-order) digit addresses three additional attributes, the ''setuid bit'', the ''setgid bit'' and the ''sticky bit''.


Octal codes


Setting the mask using symbolic notation

When umask is invoked using symbolic notation, it will modify or set the flags as specified by the ''maskExpression''. Note that this syntax does not work when using the C shell due to the different behaviour of its built-in umask command.

Multiple ''maskExpressions'' are separated by commas. A space terminates the ''maskExpression''(s). The permissions are applied to different user classes. The ''operator'' specifies how the permission modes of the mask should be adjusted. The ''permission-symbols'' indicate which file permission settings are to be allowed or prohibited by the mask.

For example:

    umask u-w

Prohibit write permission from being set for the user. The rest of the flags in the mask are unchanged.

Example of multiple changes:

    umask u-w,g=r,o+r

This would set the mask so that it would:

1. prohibit the write permission from being set for the user, while leaving the rest of the flags unchanged;
2. allow the read permission to be enabled for the group, while prohibiting write and execute permission for the group;
3. allow the read permission to be enabled for others, while leaving the rest of the other flags unchanged.


Command line examples

Here are more examples of using the umask command to change the mask. Example showing effect of umask:

    $ umask -S       # Show the (frequently initial) setting
    u=rwx,g=rx,o=rx
    $ gcc hello.c      # compile and create executable file a.out
    $ ls -l a.out
    -rwxr-xr-x  1 me  developer  6010 Jul 10 17:10 a.out
    $ # the umask prohibited Write permission for Group and Others
    $ ls  > listOfMyFiles    # output file created by redirection does not attempt to set eXecute
    $ ls -l listOfMyFiles
    -rw-r--r--  1 me  developer  6010 Jul 10 17:14 listOfMyFiles
    $ # the umask prohibited Write permission for Group and Others
    $ ############################################################
    $ umask u-w  # remove user write permission from umask
    $ umask -S
    u=rx,g=rx,o=rx
    $ ls > protectedListOfFiles
    $ ls -l protectedListOfFiles
    -r--r--r--  1 me  developer  6010 Jul 10 17:15 protectedListOfFiles
    $ rm protectedListOfFiles
    override r--r--r-- me/developer for protectedListOfFiles?
    $ # warning that protectedListOfFiles is not writable, answering Y will remove the file
    $ #####################################################################################
    $ umask g-r,o-r  # removed group read and other read from mask
    $ umask -S
    u=rx,g=x,o=x
    $ ls > secretListOfFiles
    $ ls -l secretListOfFiles
    -r--------  1 me  developer  6010 Jul 10 17:16 secretListOfFiles


Mask effect

The mask is applied whenever a file is created. If the mask has a bit set to "1", that means the corresponding file permission will always be ''disabled'' when files are subsequently created. A bit set to "0" in the mask means that the corresponding permission will be ''determined by the requesting process'' and the OS when files are subsequently created. In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away that corresponding permission for the file.


How the mask is applied

Programmatically, the mask is applied by the OS by first negating (complementing) the mask, and then performing a logical AND with the requested file mode. In the [probably] first UNIX manual to describe its function, the manual says,


Exceptions

Many operating systems do not allow a file to be created with execute permissions. In these environments, newly created files will always have execute permission disabled for all users.

The mask is generally only applied to functions that create a new file; however, there are exceptions. For example, when using UNIX and GNU versions of chmod to set the permissions of a file, and symbolic notation is used, and no user is specified, then the mask is applied to the requested permissions before they are applied to the file. For example:

    $ umask 0000
    $ chmod +rwx filename
    $ ls -l filename
    -rwxrwxrwx filename
    $ umask 0022
    $ chmod +rwx filename
    $ ls -l filename
    -rwxr-xr-x filename


Processes

Each process has its own mask, which is applied whenever the process creates a new file. When a shell, or any other process, spawns a new process, the child process inherits the mask from its parent process. When the process is a shell, the mask is changed by the umask command. As with other processes, any process launched from the shell inherits that shell's mask.
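The rule from "How the mask is applied" (requested mode AND the complemented mask), the chmod exception and the inheritance described under "Processes" can be checked against real files. This is an added example, not part of the original page; the function names are hypothetical helpers, and it assumes a POSIX sh with mktemp available.

```shell
#!/bin/sh
# Added illustration, not from the original page. Function names are
# hypothetical helpers; all files live in a throwaway mktemp directory.

# effective_mode REQUESTED MASK: requested AND (NOT mask), printed in octal.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# mode_to_text OCTAL: render permission bits as ls does (640 -> rw-r-----).
mode_to_text() {
    m=$(( 0$1 )); out=
    for bit in 256 128 64 32 16 8 4 2 1; do
        case $bit in 256|32|4) c=r ;; 128|16|2) c=w ;; *) c=x ;; esac
        if [ $(( m & bit )) -ne 0 ]; then out=$out$c; else out=$out-; fi
    done
    printf '%s\n' "$out"
}

# created_mode MASK KIND: create a real object under MASK and print the
# permission text it received. The ( ) body is a subshell, so the umask
# change never reaches the caller.
created_mode() (
    umask "$1"
    tmp=$(mktemp -d) || exit 1
    case $2 in
        file)  : > "$tmp/obj" ;;                         # redirection requests 666
        dir)   mkdir "$tmp/obj" ;;                       # mkdir requests 777
        chmod) : > "$tmp/obj"; chmod +rwx "$tmp/obj" ;;  # no user class: mask applies
    esac
    perms=$(ls -ld "$tmp/obj" | cut -c2-10)
    rm -rf "$tmp"
    printf '%s\n' "$perms"
)

# inherited_mask MASK: a child process started under MASK reports that mask.
inherited_mask() (
    umask "$1"
    sh -c umask
)

for mask in 022 027 077; do
    printf 'umask %s: file %s (predicted %s), dir %s, chmod +rwx %s, child %s\n' \
        "$mask" "$(created_mode "$mask" file)" \
        "$(mode_to_text "$(effective_mode 666 "$mask")")" \
        "$(created_mode "$mask" dir)" "$(created_mode "$mask" chmod)" \
        "$(inherited_mask "$mask")"
done
```

Running the umask change inside a subshell, as created_mode does, is also the usual way to create a sensitive file with a restrictive mask without altering the mask of the calling shell.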


Mount option

In the Linux kernel, the fat, hfs, hpfs, ntfs, and udf file system drivers support a umask mount option, which controls how the disk information is mapped to permissions. This is not the same as the per-process mask described above, although the permissions are calculated in a similar way. Some of these file system drivers also support separate masks for files and directories, using mount options such as fmask.


See also

* File system permissions

