Setting your default file access mode with the umask command

Umask is a C-shell built-in command which allows you to determine or specify the default access (protection) mode for new files you create. (See the general help file on “unix/access protection 1 – chmod” for more information on access modes and how to change modes for existing files.) You may issue the umask command interactively at the command prompt to affect files created during the current session. More often, the umask command is placed in the .cshrc file to be executed automatically whenever a new C-shell is started, ensuring that the default is the same for each session.

Syntax for the umask command
The syntax for the umask command is

          umask [ value ]

where “value” is an octal number of up to three digits. If “value” is not specified, the umask command returns the current umask value. If an octal number shorter than three digits is specified, it is assumed to be padded with leading zeros; e.g., “77″ is equivalent to “077.” The scheme for determining what octal number produces which access mode (described below) is somewhat involved; however, the list of common access modes given below can probably help you avoid having to learn the scheme.

Umask settings for common access modes
The following examples show the effect on files and directories created under various umask values. In each of the two lists, values are listed in decreasing order of security. Unless you have a particular reason to allow others access to your files, the “077″ umask is recommended to provide reasonable protection for your files. Placing the line

          umask 077

in your .cshrc will cause all new files and directories to be created without access for group and others.

In the following examples, “user” refers to the creator or owner of the file or directory, “group” to the group associated with the file (you can determine this by using “ls -lg”), and “others” to anyone who is not the “user” or in the “group.”


     Value    Mode     Effect on FILES Created Under Value

      077  -rw-------  user can read and write file; no access

                       for group or others

      027  -rw-r-----  user can read and write file; group can

                       read; no access for others

      007  -rw-rw----  user can read and write file; group can

                       do the same; no access for others

      022  -rw-r--r--  user can read and write file; group can

                       read; others can read

      002  -rw-rw-r--  user can read and write file; group can

                       read and write; others can read



     Value    Mode     Effect on DIRECTORIES Created Under Value

      077  drwx------  user can read, write, list names of

                       files in the directory, and delete

                       files from the directory; no access

                       for group or others

      027  drwxr-x---  user can read, write, list names of

                       files in the directory, and delete

                       files from the directory; group can

                       read and list names of files; no

                       access for others

      007  drwxrwx---  user can read, write, list names of

                       files in the directory, and delete

                       files from the directory; group can

                       do the same as the user; no access

                       for others

      022  drwxr-xr-x  user can read, write, list names of

                       files in the directory, and delete

                       files from the directory; group can

                       read and list names of files; others

                       can read and list names of files

      002  drwxrwxr-x  user can read, write, list names of

                       files in the directory, and delete

                       files from the directory; group can

                       do the same as the user; others can

                       read and list names of files

How to determine the access mode produced by a given octal value
If you found your favorite in the list of common values above, you may want to skip the following explanation and proceed directly to the section on references. If not, read on.

The three-digit octal value returned by or specified for umask is a file creation mask. The first digit is associated with the user (creator of the file), the second with the group, and the third with others. This mask is XORed (eXclusive ORed) with the access mode 666 for files or 777 for directories to determine the access mode for newly created files and directories. The “execute” permission is associated with the value “1,” the “write” permission with “2,” and the “read” permission with “4.” These permission values are added together to create each octal digit. Since the mask is XORed with the octal number 666 or 777, which represent full permissions for user, group, and others (each digit in that order), the result is the opposite of what is represented by the mask; that is, the umask value specifies those access modes which are to be DENIED. For example, XORing the umask value of 077 (7=1+2+4: DENY no permissions for the user, DENY all permissions for the group and others) with 666 or 777 results in files and directories being created with the access mode: all permissions for the user and none for the group or others.

References
For further information, see the chmod help file. Also see the online manual pages for umask, chmod, and ls.