Re: umask?


 



akonstam@xxxxxxxxxxx wrote:
On Tue, Aug 23, 2005 at 11:37:30AM -0500, Jay Paulson wrote:

I have been messing around with file permissions on my SuSE box and found that the umask needs to be changed in order for files that are created in a directory to have group writable permission on them, otherwise they are set to not writable for the group. However, in my search to find an explanation of how umask works with all the different ways you can set it (022, 002, 0022, 0002, and more I'm sure) I haven't found anything that really explains what it does. Therefore, I'm a little bit lost on what to do.

Can anyone point me to a good resource for umask?

When you set the umask can you set it for a certain directory and its subdirectories or is it system wide?

Are there any security risks for setting the umask to 002? (Whatever that actually does :-] )

Thanks for any help!
jay

umask is part of the shell. The umask says that the maximum
permission that a file created in a directory can have is the 8s
complement of the umask argument.
Examples: umask 000 -> file can have any permissions up to 777
          umask 022 -> files can not be more secure than 755 or
                       if you don't do anything special the files
                       will be 755.

That should be "...files can not be more _permissive_ than 755...".

Technically, the desired permissions are ANDed with the one's complement
of the umask.  The easier way to think of it is to subtract the umask
from the permissions you're trying to set up.

-- Now if the argument has four digits such as 0022, as far as I can
tell that has to be 0. There once was a use for it but it seems to
have evaporated. I am not certain about this.

In the four-digit thing, the first digit is for the SUID (set user ID,
value 4), SGID (set group ID, value 2) and "sticky" (keep executable
image in memory if possible, value 1) bits.  You can't set the first
digit in umask, but you can in chmod.

Let me restate this using the words of Unix System Administrators
Handbook by E. Nemeth, et al.

The umask argument is a 3 digit octal code that represents the
permissions to take away. 022 takes the w permission away from group
and world. When a file is created the permissions are set to whatever
the creating permissions ask for minus whatever umask forbids.
Maybe this is a clearer way to explain this.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens@xxxxxxxxxxxxxxx -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-           Fear is finding a ".vbs" script in your Inbox            -
----------------------------------------------------------------------
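
An added example, not part of the original messages: it creates files and directories under the masks asked about and compares the result with the AND-with-complement rule and with the "subtract" shortcut, which gives a different answer for umask 033. The function names are hypothetical, and the `stat` call assumes GNU coreutils with a BSD fallback.

```sh
#!/bin/sh
# Added illustration; function names are hypothetical, not from the thread.

# masked_mode REQUESTED UMASK: requested bits ANDed with the complement
# of the umask (both arguments are octal digits, e.g. 666 022).
masked_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# subtract_mode REQUESTED UMASK: the "subtract the umask" shortcut done as
# octal arithmetic, kept only to compare against masked_mode.
subtract_mode() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# created_mode UMASK file|dir: create an object under that umask and print the
# mode it received. The subshell confines the umask change to this call.
created_mode() {
    (
        umask "$1"
        d=$(mktemp -d) || exit 1
        if [ "$2" = dir ]; then mkdir "$d/x"; else : > "$d/x"; fi
        # GNU stat first, BSD stat as fallback (assumption about the host).
        stat -c %a "$d/x" 2>/dev/null || stat -f %Lp "$d/x"
        rm -rf "$d"
    )
}

# Constructed sample masks: the two from the thread's question plus 033,
# where subtraction and masking disagree (666 already lacks the x bits).
for m in 022 002 033; do
    printf 'umask %s: file %s (AND %s, subtract %s), dir %s\n' "$m" \
        "$(created_mode "$m" file)" "$(masked_mode 666 "$m")" \
        "$(subtract_mode 666 "$m")" "$(created_mode "$m" dir)"
done
```

Shell redirection requests 666 and `mkdir` requests 777, which is why the same umask yields different modes for files and directories; the calling shell's own umask is unchanged after each call because the change happens in a subshell.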

