Ubuntu Demon's blog

October 24, 2007

Default umask

Filed under: english — ubuntudemon @ 10:55 pm

This is a response to Aaron Toponce's blog post about a better default for umask.

The most secure umask is 077, which gives newly created files the default permissions rw------- and newly created directories the default permissions rwx------. If a user needs a file to be readable by others, he can simply change the permissions of that file. This assumes the user understands how to change the permissions of a file.

The easiest umask for new users is 022, which gives newly created files the default permissions rw-r--r-- and newly created directories the default permissions rwxr-xr-x. This umask is easier for the user because the user doesn't have to play with permissions to make a file readable by others. This assumes the user understands that his files can be read by other users, so he needs to trust his fellow users.

The most sensible umask for new users is 022, while the most sensible umask for experienced users is 077. Experienced users are likely to be able to change the permissions of files and to change the default umask. Ubuntu attracts all kinds of users, including users without any experience with Linux. Ubuntu should care about new users, which is why in my humble opinion the default umask for Ubuntu should be 022 (which it is). Since Debian users are more likely to be experienced users, the default umask for Debian should be 077 in my humble opinion.

In my humble opinion experienced users should change the default umask to 077. You can change the system-wide default umask in /etc/profile. Users can override the system-wide default umask in their ~/.bash_profile.


14 Comments »

  1. Already did ;)
    I don’t like that others people can read my files.

    Comment by JCabillot — October 25, 2007 @ 5:40 am

  2. I agree. So, having fixed your umask, what is the easiest way to get the permissions on all existing dir’s, sub-dir’s and files in a users home folder to match? The permissions for dir’s and files are different, so it requires more than a simple recursive chmod. Any ideas?

    Comment by Simon Hepburn — October 25, 2007 @ 7:44 am

  3. I thought that 066 == --- rw rw? (owner, group, everyone)

    ?

    Comment by Kirrus — October 25, 2007 @ 8:27 am

  4. No, the better umask for experienced users would be 077 — otherwise the +x bits might get enabled on create ;)

    Also, I consider myself an experienced user, but I’ve never had to change my umask from the default..

    Comment by Martijn — October 25, 2007 @ 11:27 am

  5. Ah yes, well spotted.

    $ umask 066
    $ mkdir foo
    $ touch bar
    $ ls -l
    total 4
    -rw------- 1 simon simon 0 2007-10-25 13:24 bar
    drwx--x--x 2 simon simon 4096 2007-10-25 13:24 foo

    $ umask 077
    $ mkdir foo
    $ rmdir foo
    $ ls -l
    total 4
    -rw------- 1 simon simon 0 2007-10-25 13:26 bar
    drwx------ 2 simon simon 4096 2007-10-25 13:26 foo

    To answer my own question:

    https://help.ubuntu.com/community/FilePermissions#head-c00c1452f10a2edc442f3b84e8bef4ce6e8b2b41

    Comment by Simon Hepburn — October 25, 2007 @ 12:41 pm

  6. Whoops, snipped the wrong line in the 2nd example, should be touch bar not rmdir foo obviously. A wider text entry box for comments would be nice ubuntudemon!

    Comment by Simon Hepburn — October 25, 2007 @ 12:50 pm

  7. We always change the umask settings on terminal servers. But keep in mind that gnome doesn't use /etc/profile. We always set the umask somewhere in /etc/X11/Xsession.d to achieve this.

    Comment by Herman Bos — October 25, 2007 @ 1:08 pm

  8. Yeah, obviously you mean 077. But really that’s just annoying. It always gets in the way of sharing files, whether for apache or samba or just to other local users on the system.

    On some systems, it's appropriate for the admin to enable this (for example, in a University context where students shouldn't be able to see other students' projects/work by default), but in general, it's just annoying.

    Apps that save sensitive data (passwords, ssh/gpg keys) should make sure to set permissions on those files and directories appropriately, of course.

    Of course it makes little to no difference if there’s just one account on your system.

    Comment by Michael R. Head — October 25, 2007 @ 3:28 pm

  9. umask works differently than normal permissions because it works as a mask. See: http://en.wikipedia.org/wiki/Umask

    http://nmlug.org/faqs/umask.txt

    I made a small mistake. umask 077 is obviously the most secure umask.

    For normal files umask 077 is the same as umask 066. For directories umask 077 means rwx------ and umask 066 means rwx--x--x

    To remove all permissions (read, write and execute) for all your files do:

    $ cd /home
    $ chmod -R g-x,g-r,g-w,o-r,o-w,o-x myusername

    Comment by ubuntudemon — October 25, 2007 @ 5:18 pm

  10. To Herman Bos:

    IMHO the reason gnome doesn't use the /etc/profile umask is this bug:

    https://bugs.launchpad.net/bugs/+bugs?field.searchtext=umask+gdm

    Comment by ubuntudemon — October 25, 2007 @ 5:26 pm

  11. To Herman Bos:

    Nautilus does respect my umask (either from /etc/profile or from ~/.bash_profile) in Ubuntu Gutsy

    Comment by ubuntudemon — October 25, 2007 @ 5:29 pm

  12. Thanks for the explanation/link ^^

    Comment by Kirrus — October 29, 2007 @ 10:58 am

  13. To change your umask setting, the file you have to edit is ~/.bashrc, not ~/.bash_profile

    Comment by Steve — September 6, 2008 @ 11:18 pm

  14. (Sorry, should have said that is in Ubuntu 8.04.1.) Other distributions may be different

    Comment by Steve — September 6, 2008 @ 11:23 pm
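An added worked example (not from the post or any commenter) covering two points from the post and the thread above: how a umask is applied to the 0666/0777 mode that file and directory creation request (which is why 066 and 077 differ only for directories, as comment 5 shows), and how to bring an already-existing home tree in line with a new umask by treating each entry's own mode rather than running one blanket recursive chmod. The function names and the dry-run default are this example's own choices.

```python
import os
import stat

FILE_BASE = 0o666  # mode that creat()/open() requests for a new regular file
DIR_BASE = 0o777   # mode that mkdir() requests for a new directory


def apply_umask(requested: int, umask: int) -> int:
    """Kernel rule: final mode = requested & ~umask (nine permission bits only)."""
    return requested & ~umask & 0o777


def rwx(mode: int) -> str:
    """Render the permission bits the way ls -l does, e.g. 0o640 -> 'rw-r-----'."""
    return "".join(ch if mode & (0o400 >> i) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def default_modes(umask: int) -> tuple[str, str]:
    """(new file, new directory) permission strings that a given umask yields."""
    return rwx(apply_umask(FILE_BASE, umask)), rwx(apply_umask(DIR_BASE, umask))


def remask(existing_mode: int, umask: int) -> int:
    """Mode an existing entry would have had under `umask`; this only removes bits."""
    return stat.S_IMODE(existing_mode) & ~umask & 0o777


def fix_existing_tree(root: str, umask: int, dry_run: bool = True) -> list[tuple[str, str, str]]:
    """Re-mask every directory and regular file under `root` (symlinks skipped).
    Each entry is masked from its own current mode, so directories keep their
    x bits and files do not gain any; a single recursive chmod cannot do that.
    Returns (path, old, new) for every entry that would change; with
    dry_run=False the chmod is actually applied."""
    changes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            old, new = stat.S_IMODE(st.st_mode), remask(st.st_mode, umask)
            if old != new:
                changes.append((path, rwx(old), rwx(new)))
                if not dry_run:
                    os.chmod(path, new)
    return changes


if __name__ == "__main__":
    for mask in (0o022, 0o077, 0o066):
        files, dirs = default_modes(mask)
        print(f"umask {mask:03o}: new files {files}  new directories {dirs}")
    for path, old, new in fix_existing_tree(".", 0o077):  # dry run of the current directory
        print(f"{old} -> {new}  {path}")
```

Run it with `fix_existing_tree(os.path.expanduser("~"), 0o077)` to preview the changes for a home directory, and pass `dry_run=False` only once the preview looks right.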
