Tuesday, December 11, 2012

Linux shell: understanding Umask with examples


In a GNU/Linux system every file or folder has some access permissions. There are three types of permissions (what allowed to do with a file of any kind, directory included):
(r)read access
(w)write access
(e)execute access
There are also other “special” permissions, but for this article the basic permissions will be enough to illustrate how umask works, and the permissions are defined for three types of users:
(U) the owner of the file
(G) the group that the owner belongs to
(O) All the other users
umask (user mask) is a command and a function in POSIX environments that sets the file mode creation mask of the current process which limits the permission modes for files and directories created by the process. A process may change the file mode creation mask with umask and the new value is inherited by child processes.
In practice with umask you can define the permissions of the new files that your process will create.

The user mask contains the octal values of the permissions you want to set for all the new files and to calculate the value of the umask subtract the value of the permissions you want to get from 666 (for a file) or 777 (for a directory).
The remainder is the value to use with the umask command.
For example, suppose you want to change the default mode for files to 664 (rw-rw-r–). The difference between 666 and 664 is 002, which is the value you would use as an argument to the umask command.
Or just use this handy table
umask Octal Value File Permissions Directory Permissions
0 rw- rwx
1 rw- rw-
2 r-- r-x
3 r-- r--
4 -w- -wx
5 -w- -w-
6 --x --x
7 --- (none) --- (none)
In this article I’ll show you in practice how to use umask to change the permissions of the new files:, so open a terminal and follow me in this small list of commands and examples

1) Check your permissions

Let’s create a file in /tmp
cd /tmp
touch firstfile
ls -l firstfile
You’ll have an output like this one:
-rw-r--r-- 1 root root 0 Dec  3 23:34 firstfile
That’s a default, as you can see, looking from the left, the user that has created the file (root for me) can read and write the file, the group (root) can only read it and all the others can read the file, that’s the standard umask with a value of 0022, to check the umask that you are using in a terminal you can issue the command umask without any argument.
root@myserv:/tmp# umask

2) Change the default umask

So now we know that the umask is 0022 that produces files with the -rw-r–r– permissions, but in many cases you want to give to your colleagues the write permission to directory and files that you create, so to calculate the new umask we translate the permissions -rw-rw-r– in their octal representation, that is: 664 and subtract this number from 666, the result is the umask you want to set in your shell:
umask 0002
cd /tmp
touch secondfile
ls -l secondfile
And this time you’ll get this output:
-rw-rw-r-- 1 root root 0 Dec  4 23:16 secondfile

3) Setup umask for process and daemons

Sometimes you have processes and daemons that create files, and you want to manage the permissions of these files, a typical example that comes to my mind is an apache httpd server that creates files with uploads or with some scripts and once they are created you want to modify these files with your username that shares the same group of apache, how to do it ?
In general you have to put the command umask in the script that is used to start the daemon or in files included in the start, so for apache this could be /etc/init.d/apache2 (debian) or much better in the environment file that is included, /etc/apache2/envvars (debian)
So you could set your umask in /etc/apache2/envvars :
# umask 002 to create files with 0664 and folders with 0775
umask 002
Restart your Apache :
/etc/init.d/apache2 restart
And now if you check the difference in your document root, you should see something like this :
ls -l *.txt
-rw-rw-r-- 1 www-data www-data  14 2012-12-01 18:58 test2.txt
-rw-r--r-- 1 www-data www-data  14 2012-12-01 18:55 test.txt

4) Setup Default umask for the whole system

So now you know how to change the umask in a working terminal, or session, but how to change it permanently ?
To change the umask for just an user the easiest way is to set the command umask NEWUMASK in the ~/.bashrc file of that user (assuming that he’s using bash) or in the equivalent file that is loaded at the start of his session by his shell.
To change the umask for all your users you have to change some system setting and these depends on your Linux Distribution:
Debian 6, Ubuntu and Mint

In Debian this can be handled with the help of a PAM modules, pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created files, to enable/change these permissions edit the files:
And in each of these files add the line:
session    optional     pam_umask.so umask=0002
In this way all sessions will use the 0002 umask giving to the group the permission to write to files and directories.
Red Hat 6 and Centos 6

In these distributions the generic umask is wrote in the file /etc/bashrc, if you open it (as root) and you search for the word “umask” you’ll find something similar to these lines:
# By default, we want umask to get set. This sets it for non-login shell.
    # Current threshold for system reserved uid/gids is 200
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
       umask 002
       umask 022
These lines set an umask of 002 for all the username whose uid is greater than 199 and the group name is the same of the user name.
So to change the umask for everyone you could simply change all these lines in this line:
umask 002
Or any value that you need.

No comments:

Post a Comment