Setting your default file access mode with the umask command

Umask is a shell built-in command which allows you to display or set the default access (protection) mode for new files and directories you create. (See the help page for chmod for more information on access modes and how to change the mode of an existing file.) The umask value belongs to the shell process and is inherited by every program you start from it, so a program that creates files on your behalf is subject to the same mask. You may issue the umask command interactively at the command prompt to affect files created during the current session. More often, the umask command is placed in your shell startup file (.bashrc for bash, .cshrc for csh) so that it is executed automatically whenever a new shell is started, ensuring that the default is the same for each session.

Syntax for the umask command
The syntax for the umask command is

          umask [ value ]

where “value” is an octal number of up to three digits. If “value” is not specified, the umask command returns the current umask value. If an octal number shorter than three digits is specified, it is assumed to be padded with leading zeros; e.g., “77” is equivalent to “077.” The scheme for determining what octal number produces which access mode (described below) is somewhat involved; however, the list of common access modes given below can probably help you avoid having to learn the scheme.

Umask settings for common access modes
The following examples show the effect on files and directories created under various umask values. In each of the two lists, values are ordered roughly from most to least restrictive. Unless you have a particular reason to allow others access to your files, the “077” umask is recommended to provide reasonable protection for your files. Note that the common system default of “022” makes every new file readable by everyone on the system. Placing the line

          umask 077

in your shell startup file (.bashrc for bash, .cshrc for csh) will cause all new files and directories to be created without access for group and others.

In the following examples, “user” refers to the creator or owner of the file or directory, “group” to the group associated with the file (shown in the output of “ls -l”), and “others” to anyone who is neither the “user” nor a member of the “group.”


     Value    Mode     Effect on FILES Created Under Value

      077  -rw-------  user can read and write file; no access
                       for group or others
      027  -rw-r-----  user can read and write file; group can
                       read; no access for others
      007  -rw-rw----  user can read and write file; group can
                       read and write; no access for others
      022  -rw-r--r--  user can read and write file; group can
                       read; others can read
      002  -rw-rw-r--  user can read and write file; group can
                       read and write; others can read


     Value    Mode     Effect on DIRECTORIES Created Under Value

      077  drwx------  user can list the directory, enter it, and
                       create, rename, or delete entries in it;
                       no access for group or others
      027  drwxr-x---  user has full access as above; group can
                       list and enter the directory but cannot
                       create, rename, or delete entries; no
                       access for others
      007  drwxrwx---  user has full access as above; group can
                       do the same as the user; no access for
                       others
      022  drwxr-xr-x  user has full access as above; group and
                       others can list and enter the directory
                       but cannot create, rename, or delete
                       entries
      002  drwxrwxr-x  user has full access as above; group can
                       do the same as the user; others can list
                       and enter the directory but cannot create,
                       rename, or delete entries

How to determine the access mode produced by a given octal value
If you found your favorite in the list of common values above, you may want to skip the following explanation and proceed directly to the section on references. If not, read on.

The three-digit octal value returned by or specified for umask is a file creation mask. The first digit is associated with the user (creator of the file), the second with the group, and the third with others. Within each digit the “read” permission has the value “4,” the “write” permission “2,” and the “execute” permission “1,” and these values are added together to form the digit. Every bit set in the mask is a permission that will be DENIED: when a file is created, the system takes the mode the creating program asked for and clears each bit that is set in the mask (the requested mode ANDed with the complement of the mask). This is not an exclusive OR, as some older documentation describes it; 666 XORed with 077 would give 611, which is not what happens. Ordinary file-creating programs such as editors and touch request the mode 666 (read and write for everyone, no execute), and mkdir requests 777, which is why those two numbers appear in the lists above; programs that create executables, such as compilers and linkers, request 777 for files as well, and the mask is applied to that in the same way. For example, under a umask of 077 (7=1+2+4: deny nothing to the user, deny read, write, and execute to group and others), a requested 666 becomes 600 and a requested 777 becomes 700: all permissions for the user and none for group or others. Two consequences are worth remembering. First, umask can only remove permissions, never add them, so it cannot make a new file executable if the creating program did not ask for that. Second, it protects only files created after it takes effect; files that already exist, and files whose mode is later widened with chmod, are unaffected.
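As an added example (this script is not part of the original help page, and the function names in it are my own), the following POSIX shell code implements the mask rule just described, regenerates the two tables of common values from it, and then checks one row against a file and a directory the shell actually creates, so the arithmetic can be confirmed on any system:

```shell
#!/bin/sh
# Added example, not part of the original umask help page.
# Function names (apply_umask, mode_string, created_modes) are assumptions
# of this example, not commands provided by the shell.

# apply_umask BASE MASK
#   Prints the mode that results when a program requests BASE (666 for a
#   plain file, 777 for a directory or executable) under umask MASK, i.e.
#   BASE AND (NOT MASK). This is deliberately not XOR: 666 XOR 077 = 611.
apply_umask() {
    case "$1$2" in
        ''|*[!0-7]*) echo "apply_umask: arguments must be octal" >&2; return 1 ;;
    esac
    # A leading 0 makes the shell's arithmetic treat the constants as octal.
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# mode_string OCTAL
#   Converts a three-digit octal mode such as 640 into the nine-character
#   permission string that ls -l shows after the file-type character.
mode_string() {
    m=$(( 0$1 ))
    out=''
    for pos in 6 3 0; do            # user, group, others
        d=$(( (m >> pos) & 7 ))
        if [ $(( d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( d & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# created_modes MASK
#   Creates a file and a directory under umask MASK inside a throwaway
#   directory and prints the modes the system really gave them. The umask
#   is changed in a subshell, so the caller's own umask is left untouched.
created_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$tmp/file"          # opened with mode 666, as touch does
        mkdir "$tmp/dir"         # requested with mode 777
    ) || { rm -rf "$tmp"; return 1; }
    # ls -ld output is portable across GNU and BSD; stat's flags are not.
    f=$(ls -ld "$tmp/file" | cut -c2-10)
    d=$(ls -ld "$tmp/dir"  | cut -c2-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
}

# Reproduce the help page's tables of common masks from the arithmetic alone...
for mask in 077 027 007 022 002; do
    printf '%s  -%s  d%s\n' "$mask" \
        "$(mode_string "$(apply_umask 666 "$mask")")" \
        "$(mode_string "$(apply_umask 777 "$mask")")"
done
# ...and confirm one row against files the shell really creates.
echo "created under 027: $(created_modes 027)"
```

Because created_modes sets the mask in a subshell, you can run it from an interactive session without disturbing your own umask; running it with a mask your startup file sets is a quick way to confirm that the setting is actually in effect for the programs you launch.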

References
For further information, see the chmod help file. Also see the online manual pages for umask, chmod, and ls.