Wednesday, September 7, 2016

Working with Default Permissions

You may have noticed as we’ve worked through exercises and examples in this book that whenever you create a new file or directory in the file system, a default set of permissions is automatically assigned without any intervention on your part.
By default, a program that creates a file asks for rw-rw-rw- (666) permissions, and a program that creates a directory asks for rwxrwxrwx (777). (A program may request something stricter, as ssh-keygen does for a private key, but 666 and 777 are what touch, text editors and mkdir start from.) However, these aren't the permissions the files or directories actually end up with. Let's take a look at an example.
Suppose ksanders was to create a new directory named revenue in her home directory and a file named projections.odt in the revenue directory. Based on what we just discussed, the revenue directory should have a mode of rwxrwxrwx and the projections.odt file should have a mode of rw–rw–rw–. However, this isn’t the case, as shown here:

ksanders@openSUSE:~> ls -l
total 44
drwxr-xr-x 2 ksanders users 4096 2011-03-10 16:43 bin

Notice that the revenue directory has a mode of rwxr-xr-x (755). This means the directory owner has read, write, and execute permissions to the directory. Group and Other have read and execute permissions to the directory. Likewise, notice that the projections.odt file has a mode of rw-r--r-- (644). The Owner has read and write permissions, whereas Group and Other have only the read permission.
These aren't the modes Linux is supposed to assign! Why did this happen? It's because the requested modes are too liberal. Think about it. A directory with mode 777 lets anyone on the system create files in it and delete or rename any entry in it, whatever the permissions on the files themselves (only the sticky bit, as on /tmp, restricts that). Likewise, a file with mode 666 lets any user on the system modify a file you created. What a nightmare!
To increase the overall security of the system, Linux applies a per-process value called the umask (user file-creation mask) that clears permission bits from the requested mode whenever a file or directory is created in the file system. The shell reports it as four octal digits; the leading digit covers the setuid, setgid and sticky bits and is normally 0, so in practice you read the last three, as shown next:

openSUSE:~ # umask
0022

For most Linux distributions the default value of umask is 022, although distributions that give every user a private group (Debian/Ubuntu and Fedora/RHEL among them) often set 002 for ordinary users, so check the actual value with umask rather than assuming it. Each digit names the permission bits to be removed. The first digit references, you guessed it, Owner, the second references Group, and the last references Other. Because a 0 is listed for Owner, no permissions are removed from the requested mode for a file or directory owner. Because a 2 is listed for Group and Other, the write permission is removed from Group and Other whenever a file or directory is created: 666 becomes 644 and 777 becomes 755. Strictly, the bits set in the umask are cleared from the requested mode (mode AND NOT umask), not subtracted from it, which is why a umask can never add a permission and why a digit that names a bit the requested mode never had (the execute bit of a regular file, say) changes nothing. umask -S prints the same value in symbolic form (u=rwx,g=rx,o=rx for 022), which many people find easier to read.

The default value of umask works for most Linux admins. However, there may be situations where you need to tighten up or loosen the permissions assigned when a file or directory is created in the file system. To do this, you can change the value assigned to umask.

This can be done in two ways. First, if you only need a temporary change, enter umask followed by the new value at the shell prompt. For example, if you wanted to remove the execute permission that is automatically assigned to Others whenever a new directory is created, you could enter umask 023. This removes the write permission (2) from Group upon creation, as well as write (2) and execute (1) from Others, so new directories come out as rwxr-xr-- (754). Without execute permission on the directory, nobody except the owner or members of the owning group can enter it or open the files inside it, even files whose own mode would allow it. Regular files are unaffected by the extra 1, because the requested mode 666 has no execute bit to remove; they still come out as rw-r--r-- (644).

This is shown here:
openSUSE:~ # umask 023
openSUSE:~ # umask
0023
openSUSE:~ # mkdir /home/ksanders/temp
openSUSE:~ # ls -l /home/ksanders
...
drwxr-xr-x 2 ksanders users  4096 Mar 10 16:43 bin
-rw-rw---- 1 ksanders users     0 Mar 18 08:02 contacts.odt
drwxr-xr-x 2 ksanders users  4096 Mar 10 16:43 public_html
drwxr-xr-x 2 ksanders users  4096 Mar 18 11:06 revenue
drwxr-xr-- 2 root     root   4096 Mar 18 11:14 temp

Notice that, because the value of umask was changed, the execute permission (x) was removed from Others in the mode when the temp directory was created. Note also that temp is owned by root rather than ksanders: the umask affects only the mode, never the owner, which is always the user running the command (root here, as the # prompt shows). A directory created for another user this way still has to be chowned.
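As an added example (not part of the original text), the following bash script computes the mode a new file or directory receives under a given umask, then creates a real file and a real directory under that umask in a throwaway temporary directory and reads the resulting mode back with stat, so the 644/755 and 754 results above can be verified rather than taken on trust. The function names effective_mode, mode_of and created_mode are my own; the script assumes GNU stat (with a fallback to the BSD/macOS stat format) and a shell whose arithmetic understands leading-zero octal constants, as bash and dash do.

```shell
#!/bin/bash
# Added example: how the umask is applied to the mode a program requests.
# Function names (effective_mode, mode_of, created_mode) are assumptions,
# not standard commands.

# effective_mode REQUESTED UMASK -> the mode left after the umask is applied.
# The umask's bits are cleared, not subtracted: mode AND NOT umask.
effective_mode() {
    # The leading 0 makes the shell treat both arguments as octal.
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# mode_of PATH -> the permission bits of PATH in octal (e.g. 644).
mode_of() {
    # GNU coreutils stat first; BSD/macOS stat as a fallback
    # (assumption: one of the two is installed).
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# created_mode file|dir UMASK -> the mode a new file or directory actually
# receives under UMASK.  Runs in a subshell so the caller's own umask is
# left alone, and works inside a private temporary directory it removes.
created_mode() {
    local kind=$1 mask=$2
    (
        umask "$mask"
        tmp=$(mktemp -d) || exit 1
        if [ "$kind" = dir ]; then
            mkdir "$tmp/new" && mode_of "$tmp/new"   # mkdir requests 777
        else
            : > "$tmp/new" && mode_of "$tmp/new"     # a plain create requests 666
        fi
        rc=$?
        rm -rf "$tmp"
        exit "$rc"
    )
}

# Compare the computed and observed modes for the umasks discussed above,
# plus the stricter 027 and 077 that hardening guides commonly recommend.
for mask in 022 023 027 077; do
    printf 'umask %s: file %s (computed %s), dir %s (computed %s)\n' \
        "$mask" \
        "$(created_mode file "$mask")" "$(effective_mode 666 "$mask")" \
        "$(created_mode dir "$mask")"  "$(effective_mode 777 "$mask")"
done
```

The computed and observed columns agree line for line: with 023 a directory comes out 754 while a file stays 644, which is the point made above about the execute bit. If the observed column ever differs from the computed one, something other than the umask is in play, most often a default POSIX ACL on the parent directory, and that is worth knowing before relying on the umask as a control.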
This method for modifying umask works great; however, it isn't persistent. The umask is an attribute of each process, inherited by the processes it starts, so umask 023 changes only the shell you typed it in and the commands run from that shell. Log out and back in, or simply open another terminal, and the new shell has the original value again, because the umask is set afresh for every login from the system's configuration: the umask line in /etc/profile, the UMASK setting in /etc/login.defs, or the pam_umask PAM module, depending on your distribution, plus any per-user override in ~/.profile or ~/.bashrc.


If you want to make your change to umask permanent, edit the appropriate configuration file in a text editor and set the value of umask to your desired value: /etc/profile or /etc/login.defs for a system-wide default, or the user's own ~/.profile or ~/.bashrc for a single account. Then check the result from a fresh login shell (for example, bash -lc umask) rather than from the shell you edited in, which still carries the old value. Keep in mind that a umask can only take permissions away; a umask of 000 gives back the full 666 and 777 but cannot make a new file executable or grant anything the creating program did not request.
