Ubuntu – “umask” and how does it work

permissionsumask

I believe that umask is something that controls file permissions, but do not fully understand it.

After running umask 0644 in a terminal, I cannot read the files I create with the command-line text editor nano. I noticed that the permissions of that file are set to 0022 instead of the default 0755.

How does umask work? I thought I could just remove the each digit in the umask from 0777, 7 - 6 = 1 and 7 - 4 = 3, so I expect the permissions to be 0133, but apparently, this is not the case.

  1. What is umask exactly? Explain it to me like I was a "Linux noob"
  2. How do I calculate with umask?
  3. What are use cases for umask?

Best Answer

The umask acts as a set of permissions that applications cannot set on files. It's a file mode creation mask for processes and cannot be set for directories itself. Most applications would not create files with execute permissions set, so they would have a default of 666, which is then modified by the umask.

As you have set the umask to remove the read/write bits for the owner and the read bits for others, a default such as 777 in applications would result in the file permissions being 133. This would mean that you (and others) could execute the file, and others would be able to write to it.

If you want to make files not be read/write/execute by anyone but the owner, you should use a umask like 077 to turn off those permissions for the group & others.

In contrast, a umask of 000 will make newly created directories readable, writable and descendible for everyone (the permissions will be 777). Such a umask is highly insecure and you should never set the umask to 000.

The default umask on Ubuntu was 022 which means that newly created files are readable by everyone, but only writable by the owner:

user@computer:~$ touch new-file-name
user@computer:~$ ls -dl new-file-name
-rw-r--r-- 1 user user 0 Apr  1 19:15 new-file-name

Starting in Ubuntu Oneiric (11.10) the default umask was relaxed to 002, which expands write-access to the owner's group:

user@computer:~$ touch new-file-name
user@computer:~$ ls -dl new-file-name
-rw-rw-r-- 1 user user 0 Apr  1 19:15 new-file-name

Viewing and modifying umask

To view your current umask setting, open a terminal and run the command:

umask

To change the umask setting of the current shell to something else, say 077, run:

umask 077

To test whether this setting works or not, you can create a new file (file permissions of an existing file won't be affected) and show information about the file, run:

user@computer:~$ touch new-file-name
user@computer:~$ ls -dl new-file-name
-rw------- 1 user user 0 Apr  1 19:14 new-file-name

The umask setting is inherited by processes started from the same shell. For example, start the text editor GEdit by executing gedit in the terminal and save a file using gedit. You'll notice that the newly created file is affected by the same umask setting as in the terminal.

Use case: multi-user system

If you are on a system that's shared by multiple users, it's desired that others cannot read files in your home directory. For that, a umask is very useful. Edit ~/.profile and add a new line with:

umask 007

You need to re-login for this umask change in ~/.profile to take effect. Next, you need to change existing file permissions of files in your home directory by removing the read, write and execute bit for the world. Open a terminal and execute:

chmod -R o-rwx ~

If you want this umask setting be applied to all users on the system, you could edit the system-wide profile file at /etc/profile.

Related Question