what is umask?

umask defines which access rights newly created files „are born“ with.

we are all supposed to be created equal – but depending on whether you are a son of Rothschild, Rockefeller or born in Namibia – your privileges and access to resources might look pretty different.

how does umask operate?

x = execute = 1
w = write = 2
r = read = 4

these numbers can be added up:

rwx = 4+2+1 = 7 (all access rights, no restrictions)

umask is actually the „inverted“ version of the file access rights of newly created files.

it is the negative of the image: every bit that is set in the umask is removed from the permissions of the new file.

so

umask 0777

will result in:

touch newfile;
ll
---------- 1 root root 0 May 24 13:19 newfile

exception:

umask 0000

umask 0000 will not result in new files being created with rwxrwxrwx permissions, because many operating systems do not allow a regular file to be created with execute permissions (probably for security reasons): umask can only take bits away from the mode the creating program asks for, and for regular files that request is rw-rw-rw- (0666), with no execute bits in it.

In these environments, newly created files will always have execute permission disabled for all users, no matter the umask.

examples:

umask 0000; # no rights for anybody -> inverted -> all rights for everybody
# not! because of the exception "most OS do not allow new files to be marked executable" this does not work as expected
rm -rf newfile; touch newfile; ll;
-rw-rw-rw- 1 root root 0 May 24 13:28 newfile

umask 0111; # xxx
rm -rf newfile; touch newfile; ll;
-rw-rw-rw- 1 root root 0 May 24 13:22 newfile

umask 0222; # www
rm -rf newfile; touch newfile; ll;
-r--r--r-- 1 root root 0 May 24 13:22 newfile

umask 0333; # 1+2 = xw,xw,xw
# because of the "most OS do not allow new files to be marked executable" this does not work as expected
rm -rf newfile; touch newfile; ll;
-r--r--r-- 1 root root 0 May 24 13:24 newfile

umask 0444; # rrr
rm -rf newfile; touch newfile; ll;
--w--w--w- 1 root root 0 May 24 13:22 newfile

umask 0555; # 4+1 = xr,xr,xr
# because of the "most OS do not allow new files to be marked executable" this does not work as expected
rm -rf newfile; touch newfile; ll;
--w--w--w- 1 root root 0 May 24 13:25 newfile

umask 0666; # 4+2 = r + w -> rw,rw,rw
# because of the "most OS do not allow new files to be marked executable" this does not work as expected
rm -rf newfile; touch newfile; ll;
---------- 1 root root 0 May 24 13:27 newfile

umask 0777; # 4+2+1 = r + w + x -> rwx,rwx,rwx
# because of the "most OS do not allow new files to be marked executable" this does not work as expected
rm -rf newfile; touch newfile; ll;
---------- 1 root root 0 May 24 13:27 newfile
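the rule behind all of the above is "requested mode AND NOT umask", so the results can be predicted and then checked against what the kernel really does. the following script is an added example and not code from the original post; it assumes a POSIX shell (dash or bash), a writable ${TMPDIR:-/tmp}, and an ls -l whose first column is the permission string shown in the outputs above.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes a POSIX shell
# (dash or bash), a writable ${TMPDIR:-/tmp}, and an ls -l whose first column
# is the permission string seen in the outputs above ("-rw-rw-rw-").

# A new file is born with: the mode the creating program asks for, AND NOT
# the umask. The mask can only clear bits. touch asks for 0666 (no x bits),
# mkdir asks for 0777, which is why umask 0000 still gives rw-rw-rw- to files.
effective_mode() {          # $1 = umask (octal), $2 = requested mode (octal)
    printf '%04o' $(( 0$2 & ~0$1 ))
}

# Turn the 9-character rwxrwxrwx string from ls -l into octal, so the
# kernel's answer can be compared with the arithmetic above.
sym_to_octal() {            # $1 = e.g. "rw-r--r--"
    _s=$1 _n=0
    while [ -n "$_s" ]; do
        _c=${_s%"${_s#?}"}      # first character
        _s=${_s#?}              # the rest
        _n=$(( _n * 2 ))
        if [ "$_c" != "-" ]; then _n=$(( _n + 1 )); fi
    done
    printf '%04o' "$_n"
}

# Create a file or directory under the given umask (in a subshell, so the
# caller's own umask is untouched) and report the mode it actually received.
born_with() {               # $1 = umask, $2 = "file" or "dir"
    _d=$(mktemp -d "${TMPDIR:-/tmp}/umask-demo.XXXXXX") || return 1
    _p=$_d/newfile
    ( umask "$1"; if [ "$2" = dir ]; then mkdir "$_p"; else touch "$_p"; fi )
    _perm=$(ls -ld "$_p" | cut -c2-10)
    chmod u+rwx "$_p"       # a mode-0 directory cannot be removed otherwise
    rm -rf "$_d"
    sym_to_octal "$_perm"
}

# The post's cases (plus the 022/027/077 values from login.defs), each
# checked against the real file system.
demo() {
    for m in 0000 0022 0027 0077 0333 0555 0666 0777; do
        printf 'umask %s: file %s (expected %s)  dir %s (expected %s)\n' "$m" \
            "$(born_with "$m" file)" "$(effective_mode "$m" 0666)" \
            "$(born_with "$m" dir)"  "$(effective_mode "$m" 0777)"
    done
}

demo
```

directories are created with 0777 requested, so umask 0022 gives 0755 for a directory but only 0644 for a file; the mask never adds a bit that was not requested.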

make changes permanent – config file of umask

vim /etc/login.defs

#
# Login configuration initializations:
#
#       ERASECHAR       Terminal ERASE character ('\010' = backspace).
#       KILLCHAR        Terminal KILL character ('\025' = CTRL/U).
#       UMASK           Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
#
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
#
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
# for private user groups, i. e. the uid is the same as gid, and username is
# the same as the primary group name: for these, the user permissions will be
# used as group permissions, e. g. 022 will become 002.
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR       0177
KILLCHAR        025
UMASK           022

from man bash:

umask [-p] [-S] [mode]

The user file-creation mask is set to mode.

If mode begins with a digit, it is interpreted as an octal number;

otherwise it is interpreted as a symbolic mode mask similar to that accepted by chmod(1).

If mode is omitted, the current value of the mask is printed.

The -S option causes the mask to be printed in symbolic form; the default output is an octal number. If the -p option is supplied, and mode is omitted, the output is in a form that may be reused as input. The return status is 0 if the mode was successfully changed or if no mode argument was supplied, and false otherwise.

admin