In this blog post, we will learn about umask, a concept that controls the default permissions of files and directories in Linux. We will see how umask works, how to change it, and how it affects the security and usability of our system.
What are permissions in Linux?
Before we dive into umask, we need to understand how permissions work in Linux. Permissions specify who can access and modify files and directories on our system. There are three types of permissions: read, write, and execute. On a file, read permission lets us view its contents, write permission lets us modify them, and execute permission lets us run it as a program or script. On a directory, read permission lets us list its entries, write permission lets us create, rename, or delete entries inside it, and execute permission lets us enter it and reach the entries by name.
Permissions are assigned to three categories of users: the owner, the group, and others. The owner is normally the user who created the file or directory; ownership can later be transferred with the `chown` command, which on Linux requires root privileges. The group is a set of users who share some common characteristic, such as being members of the same department or project. The others category includes everyone who is neither the owner nor a member of the group.
We can use the `ls -l` command to view the permissions of files and directories in long format. For example, let's look at the permissions of a file called `hello.sh` and a directory called `mydir`:
$ ls -l hello.sh mydir
-rwxr-xr-x 1 alice alice 28 Dec 14 09:45 hello.sh
drwxr-xr-x 2 alice alice 4096 Dec 14 09:46 mydir
The first character indicates the type of the entry: `-` for a regular file, `d` for a directory, `l` for a symbolic link, and so on. The next nine characters represent the permissions for the owner, the group, and others, in that order. Each set of three characters corresponds to the read, write, and execute permissions, respectively. A letter means the permission is set, and a dash means it is not set. For example, `rwx` means read, write, and execute permissions are all set, while `r-x` means only read and execute permissions are set.
The number after the permission string is the link count. The next two columns show the owner and the group of the entry, followed by its size in bytes, its modification time, and its name.
What is umask and how does it work?
When we create a new file or directory in Linux, the system assigns some default permissions to it. These default permissions depend on the umask value of the process that created the file or directory. The umask is an octal number, usually shown with four digits, whose set bits are the permissions that are removed from new files and directories. In other words, the umask masks out the permissions that we do not want to grant. The umask is an attribute of each process and is inherited by child processes, so the umask of a shell applies to every command started from that shell.
To understand how the umask works, we need to know how to convert permissions from the symbolic format (`rwx`) to the octal format (a digit from 0 to 7). The octal format is a compact way of representing the permissions using a single digit for each set of three permissions. The digit is calculated by adding the values of the read (4), write (2), and execute (1) permissions, as shown in the following table:
Permissions | Octal Value | Binary Value | Description |
---|---|---|---|
--- | 0 | 000 | No permission |
--x | 1 | 001 | Execute only |
-w- | 2 | 010 | Write only |
-wx | 3 | 011 | Write and execute |
r-- | 4 | 100 | Read only |
r-x | 5 | 101 | Read and execute |
rw- | 6 | 110 | Read and write |
rwx | 7 | 111 | Read, write, and execute |
For example, the permissions `rwxr-xr-x` can be written as `755` in octal format, because `rwx` is 7, `r-x` is 5, and `r-x` is 5. Similarly, the permissions `rw-rw-r--` can be written as `664` in octal format, because `rw-` is 6, `rw-` is 6, and `r--` is 4.
The umask value is usually shown as a four-digit octal number whose first digit is zero. That first digit corresponds to the special setuid, setgid, and sticky bits, which this post does not cover. The remaining three digits are the mask for the owner, the group, and others, respectively, and a set bit in the mask means that permission is removed. For example, a umask value of `0022` means that no permissions are masked out for the owner, write permission is masked out for the group, and write permission is masked out for others.
To work out the default permissions of a new file or directory, we start from the base mode that the creating program asks for and clear every bit that is set in the umask. The base mode for a file is usually `0666`, which means read and write permissions for everyone. The base mode for a directory is usually `0777`, which means read, write, and execute permissions for everyone. The program chooses this base mode: `touch` and shell redirection ask for `0666`, `mkdir` asks for `0777`, and a compiler or linker asks for execute bits on the binary it writes. The operation is a bitwise AND with the inverted mask, `mode & ~umask`, not an arithmetic subtraction. Subtraction happens to give the same answer for `0022`, but with a umask of `0027` the file mode is `0640`, whereas `0666 - 0027` would give the meaningless `0637`. Because the mask can only clear bits, a umask never grants a permission the base mode lacks; in particular, a plain file never becomes executable just because the umask leaves the execute bit alone. (If the parent directory carries a default POSIX ACL, that ACL is applied instead of the umask; this post assumes no ACLs are in use.) The calculation looks like this:
# Assume the umask value is 0022
# For a file, the base mode is 0666
# To get the default permissions, we compute: 0666 & ~0022
# The ~ operator inverts the bits; keeping only the 12 permission bits, ~0022 is 7755 (octal)
# The & operator performs a bitwise AND, so 0666 & 7755 is 0644
# The default permissions for a file are 0644, which is rw-r--r-- in symbolic format
# For a directory, the base mode is 0777
# To get the default permissions, we compute: 0777 & ~0022
# As before, ~0022 is 7755 (octal)
# 0777 & 7755 is 0755
# The default permissions for a directory are 0755, which is rwxr-xr-x in symbolic format
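The conversion table above and the `mode & ~umask` calculation can both be exercised in a few lines of shell. The script below is an added example written for this post, not code from the original article: it converts between symbolic and octal permissions, computes the default mode for the umask values discussed here, and then creates a real file and directory under a chosen umask to confirm that the kernel assigns the computed mode. It assumes a POSIX shell with `ls`, `cut`, `mkdir` and `mktemp` available, and no default ACL on the temporary directory; the function names (`sym_to_octal`, `octal_to_sym`, `default_mode`, `observed_mode`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: symbolic <-> octal permission
# conversion, the umask calculation (mode & ~umask), and a check that the
# kernel really assigns the computed mode when a file or directory is created.
# Assumes a POSIX shell plus ls, cut, mkdir and mktemp; no ACLs on the temp directory.

# sym_to_octal rwxr-xr-x -> 0755 : each group of three characters becomes one
# octal digit (r=4, w=2, x=1). Only the nine permission bits are converted;
# the special bits (setuid/setgid/sticky, shown as s/S/t/T) are out of scope,
# so an s or t counts as "execute set" and S or T as "execute clear".
sym_to_octal() {
    rest=$1 out='' v=0 n=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first remaining character
        rest=${rest#?}                 # drop it
        case $c in
            r) v=$((v + 4)) ;;
            w) v=$((v + 2)) ;;
            x|s|t) v=$((v + 1)) ;;
        esac
        n=$((n + 1))
        if [ $((n % 3)) -eq 0 ]; then
            out="$out$v"; v=0
        fi
    done
    printf '0%s\n' "$out"
}

# octal_to_sym 0644 -> rw-r--r-- : the last three octal digits are expanded bit by bit.
octal_to_sym() {
    rest=${1#"${1%???}"}               # last three characters
    out=''
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}
        rest=${rest#?}
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# default_mode BASE UMASK -> 4-digit octal mode, computed as BASE & ~UMASK on the
# 12 permission bits. The leading 0 makes the shell read both numbers as octal.
# This is a bitwise clear, not a subtraction: default_mode 0666 0027 is 0640,
# where 0666 - 0027 would have produced 0637.
default_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# observed_mode UMASK f|d -> the mode the kernel actually gave a new file (f)
# or directory (d) created under UMASK, read back through ls -ld and sym_to_octal.
# Runs in a subshell so the caller's umask is untouched.
observed_mode() {
    (
        umask "$1"
        tmp=$(mktemp -d) || exit 1
        if [ "$2" = d ]; then
            target=$tmp/newdir; mkdir "$target"
        else
            target=$tmp/newfile; : > "$target"
        fi
        perms=$(ls -ld "$target" | cut -c2-10)   # the nine permission characters
        rm -rf "$tmp"
        sym_to_octal "$perms"
    )
}

# Walk through the umask values discussed in the post.
for m in 0022 0027 0002 0077; do
    f=$(default_mode 0666 "$m")
    d=$(default_mode 0777 "$m")
    printf 'umask %s: file %s (%s)  dir %s (%s)\n' \
        "$m" "$f" "$(octal_to_sym "$f")" "$d" "$(octal_to_sym "$d")"
done
# Cross-check one value against what the kernel actually does.
printf 'observed under umask 0027: file %s, dir %s\n' \
    "$(observed_mode 0027 f)" "$(observed_mode 0027 d)"
```

Because `observed_mode` sets the umask inside a subshell, the calling shell keeps its own value; that is also why the `umask` builtin, as shown in the next section, only affects the shell it is run in and the processes that shell starts afterwards.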
We can use the `umask` command to view or change the umask value of our current shell. Without any arguments, `umask` prints the current value in octal format:
$ umask
0022
We can also use the `-S` (symbolic) option to print the current umask value in symbolic format:
$ umask -S
u=rwx,g=rx,o=rx
Note that the symbolic form lists the permissions the umask leaves in place, not the ones it removes: `u=rwx,g=rx,o=rx` means the owner keeps everything, while the group and others lose write permission. It does not mean new files will be executable; a file's base mode of `0666` has no execute bits, so the `x` shown here only matters for directories and for programs that explicitly ask for execute permission.
We can change the umask value by passing a new value as an argument to the `umask` command, in either octal or symbolic format. For example, to set the umask to `0027`, which masks out write permission for the group and all permissions for others (so new files become `0640` and new directories `0750`), we can use either of the following commands:
$ umask 0027
$ umask u=rwx,g=rx,o=
We can verify that the umask value has changed by running `umask` again:
$ umask
0027
$ umask -S
u=rwx,g=rx,o=
Why is umask important?
The umask value affects the security and usability of our system, because it determines the default permissions of the files and directories that we create. If the umask value is too permissive, we expose our files and directories to other users on the same machine: a private key, a configuration file containing a password, or a database dump written under a permissive umask is readable by every local account until someone remembers to tighten it with `chmod`. If the umask value is too restrictive, we may prevent ourselves or other users from accessing or modifying the files and directories that we need.
A umask of `0022` is the default on many systems and a reasonable choice for general use, because it gives the owner read and write permission on new files while the group and others can only read them. This means that the owner can fully control their own files and directories, while other users can view them. Distributions that give every user a private group often default to `0002` instead, and for work involving keys, credentials, or other private data a stricter value such as `0077` (owner only) or `0027` (no access for others) is common. There may be situations where we need to adjust the umask value to our specific needs.
For example, if we are working on a collaborative project with other users in the same group, we may want to grant write permission to the group, so that they can modify the files and directories that we create. In this case, we can set the umask value to `0002`, which masks out only write permission for others. This results in default permissions of `0664` for files and `0775` for directories, which are `rw-rw-r--` and `rwxrwxr-x` in symbolic format, respectively. Two caveats apply: the umask only affects files and directories created after it is set, so existing entries keep their permissions, and a value set with the `umask` builtin lasts only for that shell and its child processes. To make it persistent, put the `umask` command in the shell's startup file, or set it system-wide, for example through the `UMASK` setting in `/etc/login.defs`.