File and folder permissions in Linux are part of the POSIX standard, and several commands are available for working with them, such as chmod, chown, chgrp and umask. This article walks you through the Linux umask command, its main parameters, and how to use them in practice. The command sets the permissions that will be applied to files and directories when they are created.
The settings specified by the command apply only to new files.
Access rights in Linux
Since the umask command sets the default permissions, you must first understand what permissions exist. As stated earlier, Linux follows the POSIX standards, making it a UNIX-compliant operating system. In general, UNIX permissions are divided into three categories:
- u (user) – the owner of the file.
- g (group) – group.
- o (other) – other users.
Each category has three types of rights, and these rights differ for files and directories. For files:
- r (read) – read the file.
- w (write) – change the file.
- x (execute) – execute the file as a program.
For directories:
- r (read) – read the list of files.
- w (write) – modify and create files in a directory.
- x (execute) – open files in a directory.
You can view the permissions of the files in the current directory with the ls -l command.
You will see something like -rwxrw-r--, where the first character is used to designate folders and symbolic links, and the subsequent characters can be divided into groups of three, for the categories u, g and o respectively.
Everything is clear with files, but for directories the r and x rights may cause some confusion. If you disable reading the list of files (r), you will not be able to list the directory, but you can still open and change a file if you know its name, and creating new files is also possible. If you prohibit opening files (x), you will not be able to enter the directory or read the files in it, but the ls command will still give you a list of file names, without details such as permissions and file size.
By default, new files will have the rights -rw-rw-r--, where the first dash indicates that this is a regular file. For folders, the rights will look like this: drwxrwxr-x, where d says that we are dealing with a folder (l would mean a symbolic link).
Rights can be expressed not only as a sequence of letters but also in octal form. For example, -rw-rw-r-- is written as 0664. The default permissions for a file in Linux in octal format are written as 0666, and for a directory as 0777. In this case, 0 does not mean anything, and each digit means a set of rights for a specific category: first the owner, then the group, and then everyone else. But thanks to the mask, by default the rights are set to 0664 for a file and 0775 for a directory. It is these values that the umask command influences. You can learn more about file permissions in our article.
How Umask works
The umask command sets the mask of rights for new files and directories. When any file is created, the operating system takes the rights mask and calculates the file's permissions from it. The default mask is 0002. The first digit does not affect anything and is a relic of the C language syntax.
The remaining digits follow the same order as access rights in Linux: the first is for the owner, the second for the group, and the third for everyone else. This mask is used to calculate file permissions. Without going into details, the calculation is quite simple: the mask is taken away from the maximum rights, and the result is the rights for the file. In other words, the mask contains the permissions that will not be set for the file. Therefore, the default permissions for a file will be 666 – 002 = 664, and for a directory 777 – 002 = 775.
Each digit of mask 002 can be converted to binary. The last digit, 2, describes the category other, and in binary it looks like 010. The bits are read from left to right and describe the rwx rights. In this example 1 means no write, and the zeros allow read and execute. A bit mask of 100 gives 4 in the octal system and means no reading.
It is important to note that the mask cannot make files executable. The x flag is affected by the mask only for directories. Since file permissions are calculated from 666 (rw-rw-rw-), in which execution is already disabled, the mask cannot do anything here. But for directories everything works, because the rights 777 are used. For clarity, the default mask can be represented in the form of a table:
It should also be said that the command works within one terminal session and does not apply to the entire system and other sessions.
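The calculation above, as an added example that is not part of the original article: the permissions are the requested mode with the mask's bits cleared, which matches the subtraction shortcut for 002 but not for a mask such as 033 (666 - 033 would suggest 633, while the file actually gets 644). It assumes GNU stat and mktemp; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: new permissions = requested mode AND NOT mask.

# effective_mode BASE MASK
# Print the octal mode that remains after clearing the mask bits from BASE.
effective_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# created_mode KIND MASK
# Create a real file or directory under MASK and print the mode it received.
created_mode() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$2"                       # affects only this subshell
        case $1 in
            dir) mkdir "$tmp/new" ;;     # mkdir requests 777
            *)   : > "$tmp/new" ;;       # a redirection requests 666
        esac
    )
    stat -c '%a' "$tmp/new"
    rm -rf "$tmp"
}

# Constructed set of masks: the default, two common ones, and a private one.
for mask in 002 022 033 077; do
    printf 'umask %s: file %s (computed %s), directory %s (computed %s)\n' \
        "$mask" \
        "$(created_mode file "$mask")" "$(effective_mode 666 "$mask")" \
        "$(created_mode dir "$mask")"  "$(effective_mode 777 "$mask")"
done

# The mask set inside created_mode did not leak into this shell.
printf 'mask of the calling shell is still %s\n' "$(umask)"
```
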
Syntax and Umask options
The umask command, as mentioned earlier, defines the bitmask that will be applied to new files. The command has a fairly simple syntax and only has a few options:
$ umask options mask_in_octal_form
In addition to the mask in octal, there is also a way to set the default permissions, similar to the syntax of the chmod command:
$ umask options u=rights,g=rights,o=rights
- -p – print the umask command, which, when executed, will set the current mask in octal form;
- -S – display default permissions for a folder in the format u=rwx,g=rwx,o=rwx calculated by the current mask.
There are two ways to view the current value of the mask. If you pass the -p option to the command, it will issue a command to set the current mask:
The -S parameter outputs the current permissions in the format u=rwx,g=rwx,o=rx, where x (execute) refers only to directories. Execute permission for files can only be granted with chmod.
Now let’s look at ways to set a mask:
As you can see, the fourth digit can be omitted. The mask can also be specified using more traditional notation:
In contrast to the bit mask, this notation lists permissions, not prohibitions. In other words, permissions are set in exactly the same way as in chmod. In this example, we have not specified any rights for the other category, so all three operations are prohibited. For files, as in the case of the bit mask, the execute permission is not granted.
Groups of rights can be combined, or you can set rights for all categories at once using the parameter a= (all).
It is also possible to work with individual rights. With the + or - operator you can enable or disable a certain action; the rest of the bits in the mask will remain untouched.
Among other things, you can combine the two previous methods. For example, allow the user to perform all operations, and remove the read permission for the group and other users.
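The ways of setting the mask described above, as an added example (not the article's own commands): each form is applied in a subshell starting from a constructed mask of 022, and the resulting mask is printed in octal and in -S form. mask_after is a helper name invented for this example.

```shell
#!/bin/sh
# Added example: what each umask notation leaves in the mask.

# mask_after START SPEC
# Set the mask to START, apply SPEC, then print "<octal mask> <-S view>".
# Runs in a subshell, so the caller's own mask is never changed.
mask_after() {
    (
        umask "$1"
        umask "$2"
        printf '%s %s\n' "$(umask)" "$(umask -S)"
    )
}

# Constructed cases: starting mask, argument given to umask, what it shows.
while read -r start spec note; do
    printf 'umask %-16s => %-26s # %s\n' \
        "$spec" "$(mask_after "$start" "$spec")" "$note"
done <<'EOF'
022 027 octal form with the fourth digit omitted
022 u=rwx,g=rx,o= the same mask written as permissions
022 a=rx one set of rights for all categories
022 g+w enable a single right, other bits untouched
022 o-r disable a single right, other bits untouched
022 u=rwx,go-r both methods combined
EOF
```
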
Let’s move on to the most interesting part: using the command in practice. The most obvious use is adding the command to a script. For example, you can prohibit changes to files that will be written in the future. Recall that the command operates within one terminal session.
In this example, when executing the script, you must have a default mask, so the umask command is written.
Another use case is not as secure. The command is written in the user’s configuration files. You can change the mask for the terminal shell by adding a line with the umask command to the file ~/.bashrc. This is true for Debian-based distributions. Other distributions may need to edit the file .profile.
Global shell changes will take effect after adding a line to the file /etc/bash.bashrc. But this mask has less weight than the one specified in the home directory. However, you can set only the necessary rights for the user and leave the rest from the global configuration. For example, for a user, set the parameter g+w, which will allow them to modify the group's files.
Changing the mask for all programs in the system is a non-trivial task that requires many changes. Therefore, the local rights set by the setfacl command are used instead.
Comparison with chmod
The chmod and umask commands have three major differences. First, umask sets a mask for new files, and chmod sets permissions for existing ones. Second, the umask mask is inverted: if any bit in it is 1, the corresponding operation is prohibited. Third, umask cannot grant execute permission on a file. Even if you specify the mask 000, allowing everything, the file will be assigned the permissions rw-rw-rw-.
What the two commands have in common is a similar syntax for granting rights through the operators =, + and -. Also, neither command is able to change the owner and group; for this there are chown and chgrp. More complex rights management is done through the setfacl command, which allows you to set different rights for individual users, groups and directories, which extends the POSIX standard.
The Linux umask command allows you to set permissions for new files and directories. It will be useful if you want to set the rights in advance. But keep in mind that changes to the mask will apply only to the current terminal session, and also the fact that outside the terminal the command has practically no effect.