SUMMARY: Setting correct umask

From: Ricardo Ferraro G. da Silva (rferraro@ci.rnp.br)
Date: Fri May 16 1997 - 09:55:58 CDT


Hi folks,

Thanks for all responses:

Rich Pieri <rich.pieri@prescienttech.com>
Steve Franks <scf@nabaus.com.au>
Michael Sullivan <mike@trdlnk.com>
Stephen Harris <sweh@mpn.com>
Glenn Satchell - Uniq Professional Services <Glenn.Satchell@uniq.com.au>
Casper Dik <casper@holland.Sun.COM>
Brian White <white@erim.org>
Tom Henning <tom@waldtsvr.ksc.nasa.gov>

All of them were very insightful and didactic to me.

Best regards for all, Ricardo Ferraro.

________________________________________________________________

Date: 15 May 1997 21:20:01 -0400
From: Rich Pieri <rich.pieri@prescienttech.com>
To: "Ricardo Ferraro G. da Silva" <rferraro@ci.rnp.br>
Subject: Re: Setting correct umask

>>>>> "RFGdS" == Ricardo Ferraro G da Silva <rferraro@ci.rnp.br> writes:

RFGdS> I am trying to set any new file to permission 755. When I put
RFGdS> "umask 022" in .cshrc I get permission 644 instead of 755. When I
RFGdS> put "umask 000" I get permission 666 for the new files. This happens
RFGdS> for a normal user belonging to groupid 3000 or if I am superuser.

Right. It is a security "feature". Under modern Unixes, umask cannot be
used to set execute permissions on files, only directories where execute is
synonymous with "searchable".

RFGdS> Everywhere (books or man pages) I even see people talking that the
RFGdS> "default permission" is 777.

They are wrong. 777 is "global" read, write, and execute permission,
something you do not generally want to happen.

________________________________________________________________

Date: Fri, 16 May 1997 13:30:23 +1000
From: Steve Franks <scf@nabaus.com.au>
To: "Ricardo Ferraro G. da Silva" <rferraro@ci.rnp.br>
Subject: Re: Setting correct umask

Ricardo,
defaults are 777 for directories & 666 for files. Each digit corresponds
to the permissions for user, group & other respectively.

The umask is subtracted from 777 / 666 to give the permission set.

So, if I have a umask 022, 666-022 leaves 644. As r=4, w=2, x=1,
644 is user rwx (4+2+1) group r-- (4) others r-- (4).

For a directory, 777-022 leaves 755 which translates to rwxr-xr-x
A value of 7 equates to rwx on a directory even though the rwx
permissions themselves add to 6. In general, a directory will need a
little more permission freedom than a file eg, to execute a file in a
directory you must first be able to read it. The default of 777 allows
you to get that slightly freer permission set.

You cannot get a permission set of 7 for any user on any file or
directory. If the result of applying the umask is 7 then the system
will apply permission set of 6.

Hope this clarifies things for you.

Regards,
Steve

________________________________________________________________

Date: Fri, 16 May 1997 00:30:04 -0500
From: Michael Sullivan <mike@trdlnk.com>
To: rferraro@ci.rnp.br
Subject: Re: Setting correct umask

There is no such thing as a "default permission" in UNIX. The umask
is, as the name implies, merely a mask. Bits set in the umask value
are cleared from the mode value passed to the open and creat system
calls, which are the means by which all regular files are created.
Unless the program creating the file intends it to be executable, it
will not set the executable mode bits in the mode value it passes to
those system calls. Since the umask value can only clear mode bits, not
set them, there is no way using the umask to add to the permissions
with which a file is created; you can only subtract permissions.

If you want a particular program to create executable files, you could
modify that program to pass an appropriate mode value including the
executable permissions to the open or creat system call, but this is
generally a bad idea, and not done, even by programs that do generate
executables, because then the new file is subject to inadvertent execution
before it is fully written, with unpredictable results. Instead, most
such programs create the file without executable permissions, and only
after the file has been fully written do they change its mode (e.g.
with the chmod system call, or corresponding command) to add the
desired executable permissions.

________________________________________________________________

Date: Fri, 16 May 1997 07:19:19 +0100 (BST)
From: Stephen Harris <sweh@mpn.com>
To: rferraro@ci.rnp.br
Subject: Re: Setting correct umask

When you create a *file* then the "open()" call has a mask in the call.
For normal shell redirects this mask is 0666. This is then modified by the
umask. Thus a file is not possible to be mode 0777 using normal shell
commands
  eg echo test > filename
    will do open("filename",....,0666)

You can't change this. In your own C (or Perl) programs you can change
it, but not in the shell.

Check out the archives for other answers to this question.
    
________________________________________________________________

Date: Fri, 16 May 1997 09:40:57 +1000 (EST)
From: Glenn Satchell - Uniq Professional Services
     <Glenn.Satchell@uniq.com.au>
To: rferraro@ci.rnp.br
Subject: Re: Setting correct umask

The difference between 777 and 666 is that the execute bit is
set for all users. When you create a file the execute bit is not
set automatically (the compiler is an exception and will set the
execute bit on the compiled program). If you're creating shell
scripts then you need to manually set the execute bits (the 'x'
in a ls -l listing).

So umask 022 is the right value to get read and write for the
owner and read for all others. You then need to do chmod +x
'files' to set the execute bits.

regards,

--
Glenn Satchell   glenn@uniq.com.au    www.uniq.com.au  | Windows:
Uniq Professional Services Pty Ltd    ACN 056 279 335  | 
PO Box 70, Paddington,  NSW 2021,  (Sydney) Australia  | Just another pane
Phone 02 9380 6360 Pager 016 287 000 Fax 02 9380 6416  | in the glass...
      VISIT OUR WEB SITE http://www.uniq.com.au

________________________________________________________________

Date: Fri, 16 May 1997 09:58:25 +0200
From: Casper Dik <casper@holland.Sun.COM>
To: "Ricardo Ferraro G. da Silva" <rferraro@ci.rnp.br>
Subject: Re: Setting correct umask

>Dear managers,
>
> Sorry for this simple problem, but I couldn't find yet, any reference in
>books or man pages' that could help.
>
> I am trying to set any new file to permission 755. When I put "umask 022"
>in .cshrc I get permission 644 instead of 755. When I put "umask 000" I
>get permission 666 for the new files. This happens for a normal user
>belonging to groupid 3000 or if I am superuser.
>
> Everywhere (books or man pages) I even see people talking that the
>"default permission" is 777.

That's not quite correct; there is no default permission. All applications specify a permission flag when opening a file for creation, either with creat(file, 0xxx) or open(file, O_CREAT |...., 0xxx).

This value is and'ed with ~umask to give the effective permissions.

Typically, programs don't create executables and use mode 0666 when creating a file (fopen() also does that).

mkdir(), otoh, is most often called with 0777, as directories do need the execute bit set to be usable.

Typically, programs like ld will turn on the execute bit when they make an executable.

> How can I discover the real "default permission", and how can I change
>the actual 666 permission to 777 ?

You can't; this is hardcoded in applications and libraries.

Typically, this is a good thing as you don't normally create executables with editors and such.

Why do you want all files to have execute permission?

Casper
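
The rule described in the replies above (the mode passed to open()/creat()/mkdir() is AND-ed with ~umask) and the create-then-chmod pattern, as an added C example that is not part of the original thread; the function names and the scratch paths under /tmp are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const char *scratch(const char *name) {  /* constructed per-process path */
    static char path[96];
    snprintf(path, sizeof path, "/tmp/umask-demo-%ld-%s", (long)getpid(), name);
    return path;
}

/* Permission bits the kernel grants when `requested` is passed to open()
 * (is_dir == 0) or mkdir() (is_dir != 0) while the umask is `mask`. */
int created_mode(int is_dir, mode_t requested, mode_t mask) {
    const char *p = scratch(is_dir ? "dir" : "file");
    struct stat st;
    mode_t old = umask(mask);
    int fd = is_dir ? mkdir(p, requested) : open(p, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);
    if (fd < 0) return -1;
    int rc = stat(p, &st);
    if (is_dir) rmdir(p); else { close(fd); unlink(p); }
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Create non-executable, write the whole body, and only then add the x bits.
 * fchmod() ignores the umask, so the mask is applied by hand. */
int install_script(const char *body, mode_t mask) {
    const char *p = scratch("script");
    struct stat st;
    size_t len = strlen(body);
    mode_t old = umask(mask);
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (fd < 0) return -1;
    int ok = write(fd, body, len) == (ssize_t)len
          && fchmod(fd, 0777 & ~mask) == 0 && fstat(fd, &st) == 0;
    close(fd);
    unlink(p);
    return ok ? (int)(st.st_mode & 0777) : -1;
}

int main(void) {
    printf("open 0666, umask 022  -> %04o\n", created_mode(0, 0666, 022));
    printf("open 0777, umask 022  -> %04o\n", created_mode(0, 0777, 022));
    printf("mkdir 0777, umask 022 -> %04o\n", created_mode(1, 0777, 022));
    printf("write then fchmod     -> %04o\n", install_script("#!/bin/sh\n", 022));
}
```

The second line of output shows that a program which itself asks for 0777 does get 0755 under umask 022; the shell's redirection never asks for more than 0666.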

________________________________________________________________

Date: Fri, 16 May 1997 08:14:58 -0400
From: Brian White <white@erim.org>
To: "Ricardo Ferraro G. da Silva" <rferraro@ci.rnp.br>
Subject: Re: Setting correct umask

Hi,

If you set your umask to 022 and then touch a file, it will have permission 644. When you create a file, Solaris does not make it executable by default. Now, once you've set your umask and you copy in a file that was already executable, the permissions will be 755. I think I understand what you're trying to do, but I don't think you really want every file you create to be executable. That could get very confusing. Anyway, that's my 2 cents.

Hope it helped.

Brian White
white@erim-int.com
ERIM International, Inc
Ann Arbor, MI

________________________________________________________________

Date: Fri, 16 May 1997 09:04:53 -0400 (EDT)
From: Tom Henning <tom@waldtsvr.ksc.nasa.gov>
To: rferraro@ci.rnp.br
Subject: Re: Setting correct umask

>
> Dear managers,
>
> Sorry for this simple problem, but I couldn't find yet, any reference in
> books or man pages' that could help.
>
<snip>

I could not find this in the manual pages, but it sticks in memory that
the default permissions given newly created files is 666 and the default
permissions for newly created directories is 777. This would explain why
you could not get new files to be created with 755 permissions, since
umask only subtracts permission bits.

Try this:

    umask 0
    touch /tmp/new_file
    mkdir /tmp/new_dir
    ls -ld /tmp/new_*

On my system, the file lists with 666 permissions and the directory lists with 777 permissions.

This is supposed to be a security related feature. No file is ever created, by default, runnable. Execute permissions have to be explicitly turned on.

YMMV

Good Luck!

________________________________________________________________



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:55 CDT