6.4 The umask
The umask (Unix shorthand for "user file-creation mode mask") is a four-digit octal number that Unix uses to determine the file permission for newly created files. Every process has its own umask, inherited from its parent process.
The umask specifies the permissions you do not want given by default to newly created files and directories. By default, most Unix versions specify an octal mode of 666 (any user can read or write the file) when they create new files. Likewise, new programs are created with a mode of 777 (any user can read, write, or execute the program). The complement of the umask value (the bits that are not set in the umask) is combined with the default permissions using bitwise AND. That is, inside the kernel, the mode specified in the open call is masked with the value specified by the umask—thus its name.
Normally, you or your system administrator set the umask in
your .login, .cshrc, or
.profile files, or in the system
/etc/profile or /etc/cshrc
file. For example, you may have a line that looks like this in one of
your startup files:
# Set the user's umask
umask 033
When the umask is set in this manner, it should be set as one of the
first commands. Anything executed prior to the
umask command will have its prior, possibly
unsafe, value.
Under SVR4 you can specify a default
umask value in the /etc/defaults/login file.
This umask is then given to every user that executes the
login program. This method is a much better (and
more reliable) means of setting the value for every user than setting
the umask in the shell's startup files. Other Unix
systems may offer similar functionality through other configuration
files.
6.4.1 The umask Command
An interface to the umask function is a built-in command in the sh, ksh, and csh shell programs. (If umask were a separate program, then typing "umask" wouldn't change the umask value for the shell's process! See Appendix B if you are unsure why this scenario is so.) There is also a umask() system call for programs that wish to further change their umask.
The most common umask values are 022, 027, and 077. A umask value of
022 lets the owner both read and write all newly created files, but
everybody else can only read them.
0666 Default file-creation mode
(0022) Umask
___________________________________________________
0644 Resultant mode
A umask value of 077 lets only the file's owner read
all newly created files.
0666 Default file-creation mode
(0077) Umask
____________________________________________________
0600 Resultant mode
A simple way to calculate umask values is to remember that the number
2 in the umask turns off write permission, while 7 turns off read,
write, and execute permissions.
A umask value of 002 is commonly used by people who are working on
group projects. If you create a file
with your umask set to 002, anyone in the file's
group will be able to read or modify the file. Everybody else will
only be allowed to read it.
0666 Default file-creation mode
(0002) Umask
______________________________________________________
0664 Resultant mode
If you use the Korn shell, ksh, then you can set your umask symbolically. You do this with the same general syntax as the chmod command. In the ksh, the following two commands would be equivalent:
% umask u=rwx,g=x,o=
% umask 067
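The arithmetic in the three worked subtractions above, and the ksh symbolic form, carried out in code. This is an added example, not part of the book's text: apply_umask() applies the kernel rule (mode AND complement of umask), symbolic_to_umask() converts a ksh-style "u=rwx,g=x,o=" specification to its octal value, and create_with_umask() creates a real file under a chosen umask and reports the mode the kernel actually assigned. The function names and the temporary file are this example's own choices.

```python
import os
import stat
import tempfile

# Default creation modes the text describes: 0666 for ordinary files,
# 0777 for programs and directories.
DEFAULT_FILE_MODE = 0o666
DEFAULT_EXEC_MODE = 0o777

def apply_umask(default_mode, umask):
    """Kernel rule: the requested mode is ANDed with the complement of the umask."""
    return default_mode & ~umask & 0o777

# ksh symbolic form: each class lists the permissions to KEEP; every bit
# not listed becomes a bit of the umask.
_BITS = {"r": 4, "w": 2, "x": 1}
_SHIFT = {"u": 6, "g": 3, "o": 0}

def symbolic_to_umask(spec):
    """Convert e.g. 'u=rwx,g=x,o=' to the numeric umask (here 0o067)."""
    keep = 0
    for clause in spec.split(","):
        who, _, perms = clause.partition("=")
        if who not in _SHIFT or any(p not in _BITS for p in perms):
            raise ValueError("bad umask clause: %r" % clause)
        keep |= sum(_BITS[p] for p in perms) << _SHIFT[who]
    return 0o777 & ~keep

def create_with_umask(umask):
    """Create a file with the default mode under `umask` and return the
    permission bits the kernel assigned. The umask is process-wide, so the
    previous value is restored afterwards."""
    old = os.umask(umask)
    try:
        workdir = tempfile.mkdtemp()          # constructed scratch directory
        path = os.path.join(workdir, "newfile")
        # Request the usual 0666; the umask decides what survives.
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, DEFAULT_FILE_MODE)
        os.close(fd)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.unlink(path)
        os.rmdir(workdir)
        return mode
    finally:
        os.umask(old)

if __name__ == "__main__":
    for m in (0o022, 0o077, 0o002):
        print("umask %04o -> file mode %04o" % (m, create_with_umask(m)))
    print("u=rwx,g=x,o= -> umask %03o" % symbolic_to_umask("u=rwx,g=x,o="))
```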
6.4.2 Common umask Values
On many Unix systems, the default umask is 022. This is inherited
from the init process, as all processes are
descendants of init (see Appendix B).
Some systems may be configured to use another umask value, or a
different value may be set in the startup files.
The designers of these systems chose this umask value to foster
sharing, an open computing environment, and cooperation among users.
Most prototype user accounts shipped with Unix operating systems
specify 022 as the default umask, and many computer centers use this
umask when they set up new accounts. Unfortunately, system
administrators frequently do not make a point of explaining the umask
to novice users, and many users are not aware that most of the files
they create are readable by every other user on the system.
Another approach is to set up new accounts with a umask of 077, so a
user's files will, by default, be unreadable by
anyone else on the system unless the user makes a conscious choice to
make them readable.
Table 6-13 shows some common umask values and their
effects.
Table 6-13. Common umask settings

umask | Owner access | Group access  | Other access
------|--------------|---------------|--------------
0000  | All          | All           | All
0002  | All          | All           | Read, Execute
0007  | All          | All           | None
0022  | All          | Read, Execute | Read, Execute
0027  | All          | Read, Execute | None
0077  | All          | None          | None