How to Set Default File/Directory Permissions Using "umask"
Every new file or directory has a set of default permissions assigned to it at the time of creation. The user mask affects the default file permissions assigned to the file or directory. You can set the user mask by using the umask command in a user initialization file. You can modify the default permissions set at the time of creation, using the umask utility.
The umask Utility
The umask utility affects the initial permissions for files and directories when the files and directories are created. The umask value is a three-digit octal number whose digits are associated with the read, write, and execute permissions. The first digit determines the default permissions for the owner, the second digit determines the default permissions for the group, and the third digit determines the default permissions for other.
In the Solaris OS, the default umask value is 022. To view the umask value, perform the umask command:
$ umask
022
$
The Solaris OS assigns initial permission values automatically when files and directories are created. The initial permission value specified by the system at the time of file creation is 666 (rw-rw-rw-).
The initial permission value specified by the system for a directory at the time of its creation is 777 (rwxrwxrwx). To determine the umask value you want to set, subtract the value of the permissions you want from 666 (for a file) or 777 (for a directory). The remainder is the value to use with the umask command. For example, suppose you want to change the default mode for files to 644 (rw-r--r--). The difference between 666 and 644 is 022, which is the value you would use as an argument to the umask command.
The table below shows the file and directory permissions that are created for each of the umask octal values. You can also determine the umask value you want to set by using these values.
umask Octal Value | File Permissions | Directory Permissions |
---|---|---|
0 | rw- | rwx |
1 | rw- | rw- |
2 | r-- | r-x |
3 | r-- | r-- |
4 | -w- | -wx |
5 | -w- | -w- |
6 | --- | --x |
7 | --- (none) | --- (none) |
To set the default file permissions in a user initialization file to rw-rw-rw-, perform the following command:
$ umask 000
Applying the umask Utility
You can calculate the default permissions for new files and directories by applying the umask value to the initial value specified by the system in the octal mode. For example, the initial permissions for a new file in the symbolic mode are as follows:
rw-rw-rw-
This set of permissions corresponds to read-write access for the owner, group, and other. This value is represented in the octal mode as:
420420420 or 666
Use the default umask value of 022 to mask out the write permission for the group and other. The result in the octal mode is:
420400400 or 644
The result in the symbolic mode is derived as shown in the table below.
Permission Field | Description |
---|---|
rw-rw-rw- | Initial value specified by the system for a new file |
----w--w- | Default umask utility value to be removed |
rw-r--r-- | Default permissions assigned to newly created files |
When you mask out certain permissions from the initial value, the default permissions assigned to the new files remain. All newly created files are assigned read and write access for the owner, and read access for the group and other. You can apply this same process to determine the default permissions when you create new directories. For directories, the initial value specified by the system is:
rwxrwxrwx
This corresponds to read, write, and execute access for the owner, group, and other. This value is represented in octal mode as:
421421421 or 777
Use the default umask value of 022 to mask out the write permission for the group and other. The result in the octal mode is:
421401401 or 755
The result in the symbolic mode is derived as shown in the table below.
Permission Field | Description |
---|---|
rwxrwxrwx | Initial value specified by the system for a new directory |
----w--w- | Default umask utility value to be removed |
rwxr-xr-x | Default permissions set for newly created directories |
When you mask out certain permissions from the initial value, the default permissions assigned to the new directories remain. All newly created directories are assigned read, write, and execute access for the owner, and read and execute access for the group and other.
Changing the umask Value
Some users require a more secure umask value of 027, which assigns the following access permissions to newly-created files and directories.
- Files have read and write permissions for the owner, read permission for the group, and no permissions for other. rw-r-----
- Directories have read, write, and execute permissions for the owner, read and execute permissions for the group, and no permissions for other. rwxr-x---
You can change the umask value to a new value on the command line. For example, to change the umask value to 027 and verify the new value, perform the command:
$ umask 027
$ umask
027
$
The new umask value affects only those files and directories that are created from this point forward. However, if the user logs out of the system, the new value (027) is replaced by the old value (022) on subsequent logins because the umask value was changed by using the command line.
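The masking described under "Applying the umask Utility" and the 027 value above can be checked with the following script, an added example that is not part of the original article. It applies the mask bit by bit (which is why 027 leaves files at 640 rather than an arithmetic difference) and then compares the result with what the system really creates; the function names are hypothetical and `mktemp -d` is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original article): compute and verify the
# permissions a umask leaves on new files and directories.

# effective_mode BASE UMASK
# Prints the octal mode that remains after masking: BASE AND (NOT UMASK).
# BASE is 666 for files and 777 for directories, as in the article.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observed_modes UMASK
# Creates one file and one directory under UMASK and prints their mode
# strings as "ls -l" shows them. The body runs in a subshell, so the
# caller's own umask is left unchanged. mktemp -d is assumed available.
observed_modes() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    touch "$tmp/file"
    mkdir "$tmp/dir"
    f=$(ls -ld "$tmp/file" | cut -c1-10)
    d=$(ls -ld "$tmp/dir" | cut -c1-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
)

# Compare the calculation with what the system actually creates.
for mask in 022 027; do
    printf 'umask %s: file %s, directory %s, observed %s\n' "$mask" \
        "$(effective_mode 666 "$mask")" \
        "$(effective_mode 777 "$mask")" \
        "$(observed_modes "$mask")"
done
```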