How to Control the default permissions of new files created by users using "umask"
Default File Permissions
When you create a new file or directory, it is assigned initial permissions. Two things determine these initial permissions: whether you are creating a regular file or a directory, and the current umask.
If you create a new directory, the operating system starts from octal permissions 0777 (drwxrwxrwx). If you create a new regular file, it starts from octal permissions 0666 (-rw-rw-rw-). You always have to add execute permission to a regular file explicitly. This makes it harder for an attacker who has compromised a network service to have it write a new file and immediately execute that file as a program.
However, every process also carries a umask, inherited from its parent (for an interactive shell, set by the shell startup scripts), that further restricts the permissions that are initially set. The umask is an octal bitmask used to clear permission bits on new files and directories created by that process: if a bit is set in the umask, the corresponding permission is cleared on new files. For example, the umask 0002 clears the write bit for other users, and 0022 clears the write bit for both group and other. The leading zeros indicate that the special, user, and group permissions are not cleared. A umask of 0077 clears all the group and other permissions of newly created files.
The umask command without arguments will display the current value of the shell’s umask:
[user@host ~]$ umask
0002
Use the umask command with a single numeric argument to change the umask of the current shell. The numeric argument should be an octal value corresponding to the new umask value. You can omit any leading zeros in the umask. Running umask -S instead prints the permissions that remain after masking in symbolic form (for a umask of 0002, u=rwx,g=rwx,o=rx).
The system's default umask values for Bash shell users are defined in the /etc/profile and /etc/bashrc files. Users can override the system defaults in the .bash_profile and .bashrc files in their home directories.
The following example shows how the umask affects the permissions of files and directories. Look at the default umask permissions for both files and directories in the current shell. The owner and group both have read and write permission on files, and other has read only. The owner and group both have read, write, and execute permissions on directories, and other has read and execute.
[user@host ~]$ umask
0002
[user@host ~]$ touch default.txt
[user@host ~]$ ls -l default.txt
-rw-rw-r--. 1 user user 0 May 9 01:54 default.txt
[user@host ~]$ mkdir default
[user@host ~]$ ls -ld default
drwxrwxr-x. 2 user user 0 May 9 01:54 default
By setting the umask value to 0, the file permissions for other change from read to read and write. The directory permissions for other change from read and execute to read, write, and execute.
[user@host ~]$ umask 0
[user@host ~]$ touch zero.txt
[user@host ~]$ ls -l zero.txt
-rw-rw-rw-. 1 user user 0 May 9 01:54 zero.txt
[user@host ~]$ mkdir zero
[user@host ~]$ ls -ld zero
drwxrwxrwx. 2 user user 0 May 9 01:54 zero
To mask all file and directory permissions for other, set the umask value to 007.
[user@host ~]$ umask 007
[user@host ~]$ touch seven.txt
[user@host ~]$ ls -l seven.txt
-rw-rw----. 1 user user 0 May 9 01:55 seven.txt
[user@host ~]$ mkdir seven
[user@host ~]$ ls -ld seven
drwxrwx---. 2 user user 0 May 9 01:54 seven
A umask of 027 ensures that new files have read and write permissions for user, read permission for group, and no permissions for other. New directories have read, write, and execute permissions for user, read and execute permissions for group, and no permissions for other.
[user@host ~]$ umask 027
[user@host ~]$ touch two-seven.txt
[user@host ~]$ ls -l two-seven.txt
-rw-r-----. 1 user user 0 May 9 01:55 two-seven.txt
[user@host ~]$ mkdir two-seven
[user@host ~]$ ls -ld two-seven
drwxr-x---. 2 user user 0 May 9 01:54 two-seven
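The examples above all follow one rule: the kernel keeps the mode the creating program requested (666 for a regular file created by touch or a shell redirection, 777 for mkdir) with the umask bits cleared, that is requested mode AND NOT umask. The following POSIX shell script is an added worked example, not code from the original page: it computes that prediction for any umask and then checks it against a file and a directory actually created under that umask in a temporary directory. It assumes a GNU stat (with a BSD stat fallback) and mktemp; the function names predict_mode, actual_mode and check_umask are my own.

```sh
#!/bin/sh
# Added example, not from the original page: predict and verify the
# permissions that new files and directories get under a given umask.
# Assumes GNU stat (BSD stat as fallback) and mktemp. Function names
# are my own, not a system or project API.

# predict_mode REQUESTED UMASK
#   REQUESTED is the mode the creating program asks for: 666 for a regular
#   file created by touch or a shell redirection, 777 for mkdir. The kernel
#   keeps REQUESTED & ~UMASK; this prints that as a 3-digit octal mode.
#   Prefixing "0" makes the shell read both arguments as octal constants.
predict_mode() {
    printf '%03o\n' "$(( (0$1 & ~0$2) & 0777 ))"
}

# actual_mode PATH
#   Prints the permission bits the kernel actually stored, as 3 octal digits.
actual_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%03d\n' "$m"
}

# check_umask UMASK
#   Applies UMASK in a subshell (so the caller's umask is untouched),
#   creates one regular file and one directory in a temporary directory,
#   and compares the kernel's result with predict_mode. Returns 0 when
#   they agree, 1 otherwise.
check_umask() {
    mask=$1
    tmp=$(mktemp -d) || return 1
    (
        umask "$mask"
        : > "$tmp/file"        # open(2) with requested mode 0666
        mkdir "$tmp/dir"       # mkdir(2) with requested mode 0777
    )
    f=$(actual_mode "$tmp/file")
    d=$(actual_mode "$tmp/dir")
    rm -rf "$tmp"
    if [ "$f" = "$(predict_mode 666 "$mask")" ] &&
       [ "$d" = "$(predict_mode 777 "$mask")" ]; then
        echo "umask $mask: file=$f dir=$d ok"
        return 0
    fi
    echo "umask $mask: file=$f dir=$d MISMATCH"
    return 1
}

# Walk through the umask values used in the examples above.
for u in 0002 0 007 027 077; do
    check_umask "$u"
done
```

Two things the script makes visible that the listings alone do not: the umask is a per-process attribute, so setting it in the subshell leaves the calling shell alone, and it can only remove bits from what the creating program requested. It never adds permissions, and it has no effect on a chmod the program runs afterwards, so a permissive umask is not by itself a guarantee that a file will be world-readable, and a strict one is not a guarantee that a program cannot make its own files world-writable.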
The default umask for users is set by the shell startup scripts. By default, if your account's UID is 200 or more and your username and primary group name are the same, you are assigned a umask of 002. Otherwise, your umask is 022. As root, you can change this by adding a shell startup script named /etc/profile.d/local-umask.sh that looks something like this example:
[root@host ~]# cat /etc/profile.d/local-umask.sh
# Overrides default umask configuration
# $UID is set by bash; id -gn / id -un give the primary group and user names
if [ "$UID" -gt 199 ] && [ "$(id -gn)" = "$(id -un)" ]; then
    umask 007
else
    umask 022
fi
The preceding example sets the umask to 007 for users with a UID greater than 199 and with a username and primary group name that match, and to 022 for everyone else. If you just wanted to set the umask for everyone to 022, you could create that file with just the following content:
# Overrides default umask configuration
umask 022
To ensure that global umask changes take effect, log out of the shell and log back in; until then the umask configured in the current shell is still in effect. Note that scripts in /etc/profile.d are read when a shell starts, so they do not affect processes that are not started through an interactive or login shell. A systemd service, for example, uses the umask given by the UMask= directive in its unit file (0022 if unset) regardless of what /etc/profile.d sets.