umask
This article needs additional citations for verification. (March 2017) |
function that sets the mask, or it may refer to the mask itself, which is formally known as the file mode creation mask. The mask is a grouping of bits , each of which restricts how its corresponding permission is set for newly created files. The bits in the mask may be changed by invoking the umask command.
OverviewIn Unix-like systems, each file has a set of attributes that control who can read, write or execute it. When a program creates a file, the file permissions are restricted by the mask. If the mask has a bit set to "1", then the corresponding initial file permission will be disabled. A bit set to "0" in the mask means that the corresponding permission will be determined by the program and the file system. In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away its corresponding permission. Permissions may be changed later by users and programs using Each program (technically called a process) has its own mask and is able to change its settings using a function call. When the process is a shell, the mask is set with the The mask is stored as a group of bits. It may be represented as symbolic notation. The umask command allows the mask to be set as octal (e.g. 0754 ) or symbolic (e.g. u=,g=w,o=wx ) notation.
The POSIX.1 specification.
HistoryThe mask, the UNIX. The operating system evolved in a relatively small computer-center environment, where security was not an issue. It eventually grew to serve hundreds of users from different organizations. At first, developers made creation modes for key files more restrictive, especially for cases of actual security breaches, but this was not a general solution. The mask and the so it could allow sites, groups and individuals to choose their own defaults. The mask has since been implemented in most, if not all, of the contemporary implementations of Unix-like operating systems.
umask command were introduced around 1978, in the seventh edition of the operating system,[1]Shell commandIn a shell, the mask is set by using the umask [-S ] [maskExpression]
(The items within the brackets are optional.) Displaying the current maskIf the symbolic notation, depending on the OS.[3]
In most shells, but not the C shell , the -S argument (i.e. umask -S ) will instruct umask to display using symbolic notation. For example:
$ umask # display current value (as octal)
0022
$ umask -S # display current value symbolically
u=rwx,g=rx,o=rx
Setting the mask using octal notationIf the $ umask 007 # set the mask to 007
$ umask # display the mask (in octal)
0007 # 0 - special permissions (setuid | setgid | sticky )
# 0 - (u)ser/owner part of mask
# 0 - (g)roup part of mask
# 7 - (o)thers/not-in-group part of mask
$ umask -S # display the mask symbolically
u=rwx,g=rwx,o=
If fewer than 4 digits are entered, leading zeros are assumed. An error will result if the argument is not a valid octal number or if it has more than 4 digits. Octal codes
Setting the mask using symbolic notationWhen [user-class-letters] operator permission-symbols
Note that this syntax does not work when using the C shell due to the different behaviour of its built-in Multiple maskExpressions are separated by commas. A space terminates the maskExpression(s). The permissions are applied to different user classes:
The operator specifies how the permission modes of the mask should be adjusted.
The permission-symbols indicate which file permission settings are to be allowed or prohibited by the mask.
For example: umask u-w
Prohibit write permission from being set for the user. The rest of the flags in the mask are unchanged. Example of multiple changes: umask u-w,g=r,o+r
This would set the mask so that it would:
Command line examplesHere are more examples of using the
Example showing effect of $ umask -S # Show the (frequently initial) setting
u=rwx,g=rx,o=rx
$ gcc hello.c # compile and create executable file a.out
$ ls -l a.out
-rwxr-xr-x 1 me developer 6010 Jul 10 17:10 a.out
$ # the umask prohibited Write permission for Group and Others
$ ls > listOfMyFiles # output file created by redirection does not attempt to set eXecute
$ ls -l listOfMyFiles
-rw-r--r-- 1 me developer 6010 Jul 10 17:14 listOfMyFiles
$ # the umask prohibited Write permission for Group and Others
$ ############################################################
$ umask u-w # remove user write permission from umask
$ umask -S
u=rx,g=rx,o=rx
$ ls > protectedListOfFiles
$ ls -l protectedListOfFiles
-r--r--r-- 1 me developer 6010 Jul 10 17:15 protectedListOfFiles
$ rm protectedListOfFiles
override r--r--r-- me/developer for protectedListOfFiles?
$ # warning that protectedListOfFiles is not writable, answering Y will remove the file
$ #####################################################################################
$ umask g-r,o-r # removed group read and other read from mask
$ umask -S
u=rx,g=x,o=x
$ ls > secretListOfFiles
$ ls -l secretListOfFiles
-r-------- 1 me developer 6010 Jul 10 17:16 secretListOfFiles
Mask effectThe mask is applied whenever a file is created. If the mask has a bit set to "1", that means the corresponding file permission will always be disabled when files are subsequently created. A bit set to "0" in the mask means that the corresponding permission will be determined by the requesting process and the OS when files are subsequently created. In other words, the mask acts as a last-stage filter that strips away permissions as a file is created; each bit that is set to a "1" strips away that corresponding permission for the file.
How the mask is applied
Programmatically, the mask is applied by the OS by first negating (complementing) the mask, and then performing a logical AND with the requested file mode. In the [probably] first UNIX manual to describe its function,[6] the manual says,
ExceptionsMany operating systems do not allow a file to be created with execute permissions. In these environments, newly created files will always have execute permission disabled for all users. The mask is generally only applied to functions that create a new file; however, there are exceptions. For example, when using UNIX and GNU versions of chmod to set the permissions of a file, and symbolic notation is used, and no user is specified, then the mask is applied to the requested permissions before they are applied to the file. For example:
$ umask 0000
$ chmod +rwx filename
$ ls -l filename
-rwxrwxrwx filename
$ umask 0022
$ chmod +rwx filename
$ ls -l filename
-rwxr-xr-x filename
ProcessesEach process has its own mask, which is applied whenever the process creates a new file. When a shell, or any other process, spawns a new process, the child process inherits the mask from its parent process.[7] When the process is a shell, the mask is changed by the Mount optionIn the fmask .
See alsoThe Wikibook Guide to Unix has a page on the topic of: Commands
References
|
---|