6.2 Controlling New File Permissions and Ownerships

The umask is a set of permission bits that applications cannot set on the files they create. It is a file mode creation mask that belongs to the process: it applies to every file and directory that process creates, and it cannot be set per directory. Most applications do not create files with execute permissions set, so they request a default of 666, which is then modified by the umask.

Suppose you have set a umask that removes the read and write bits for the owner and the read bit for the group and for others (that is, a umask of 644): a default of 777 requested by an application would then result in file permissions of 133. This would mean that you (and others) could execute the file, and the group and others would be able to write to it.

If you want files to be readable, writable and executable by no one but the owner, use a umask such as 077, which turns off all of those permissions for the group and for others.

By contrast, a umask of 000 makes newly created directories readable, writable and searchable (descendible) by everyone (their permissions will be 777). Such a umask is highly insecure; never set the umask to 000.

Controlling File Permission and Ownership

We will control the default permissions on new files using the umask command and the setgid permission.

We will create a shared directory where new files are automatically owned by the group that owns the directory.

Start from your machine as root. The following users must exist and have password greater

  • Rick

  • Morty

  • Summer

New-file group ownership is set up with the setgid (SGID) bit on the directory.

First let’s create the directory citadel:

mkdir /shared/citadel

Change the user ownership to summer and the group ownership to science:

chown summer:science /shared/citadel

Result looks like this:

[root@rhcsa shared]# ll
total 0
drwxr-xr-x. 2 summer science 6 Dec 28 14:29 citadel

Move into the directory:

cd /shared/citadel

Let’s try to create a file (still as root):

touch rick1

And check what the permissions are (on RHEL, ll is an alias for ls -l):

ls -l
ll

Output should look like this:

[root@rhcsa citadel]# ll
total 0
-rw-r--r--. 1 root root 0 Dec 28 14:30 rick1

Now let’s switch to the user summer, but stay in the citadel directory (su without the dash keeps the current directory):

su summer

Create a file with the touch command:

touch rick2

Check the result; it should look like this:

[summer@rhcsa citadel]$ ll
total 0
-rw-r--r--. 1 root   root   0 Dec 28 14:30 rick1
-rw-rw-r--. 1 summer summer 0 Dec 28 14:32 rick2

Now let’s set the setgid bit on the directory. You must run this command as root:

chmod g+s /shared/citadel

And, as summer, create another file:

touch rick3

Result looks like this:

[summer@rhcsa citadel]$ ll
total 0
-rw-r--r--. 1 root   root    0 Dec 28 14:30 rick1
-rw-rw-r--. 1 summer summer  0 Dec 28 14:32 rick2
-rw-rw-r--. 1 summer science 0 Dec 28 14:34 rick3

The group ownership of the new file is now inherited from the group ownership of the directory.
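The following script is an added example and is not part of the original page. It sets up a group-shared directory the way the steps above do (group owner plus the setgid bit) and then adds the check a defender wants afterwards: an audit for group-writable directories that lack the setgid bit, which are exactly the directories where a new file ends up with the creator's primary group (the rick2 situation above) instead of the shared group. It assumes a POSIX shell, find and test as found on RHEL; the directory and group names are parameters, and the demo at the end uses a scratch directory so it needs neither root nor an extra group.

```shell
#!/bin/sh
# Added example, not part of the original page: build a group-shared directory
# (group owner + setgid bit) and audit a tree for group-writable directories
# that are missing the setgid bit. Assumes POSIX sh, find and test.

# make_shared_dir DIR [GROUP]: create DIR, hand it to GROUP (when given) and
# set the setgid bit so that files created inside inherit the group.
make_shared_dir() {
    mkdir -p "$1"
    if [ -n "$2" ]; then
        chgrp "$2" "$1"
    fi
    chmod g+s "$1"
}

# dir_is_sgid DIR: succeeds when DIR carries the setgid bit (test -g is POSIX).
dir_is_sgid() {
    [ -d "$1" ] && [ -g "$1" ]
}

# find_group_writable_without_sgid ROOT: print the directories under ROOT that
# the group may write to but that have no setgid bit, one per line. These are
# the places where collaborators' files silently get the wrong group.
find_group_writable_without_sgid() {
    find "$1" -type d -perm -g+w ! -perm -g+s
}

# group_of PATH: the group owner, taken from the 4th column of ls -ld.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# check_group_inheritance DIR: create a scratch file in DIR and verify that it
# took the directory's group; returns 0 on match, 1 otherwise.
check_group_inheritance() {
    probe="$1/.sgid-probe.$$"
    : > "$probe"
    file_group=$(group_of "$probe")
    rm -f "$probe"
    [ "$file_group" = "$(group_of "$1")" ]
}

# Demo in a constructed scratch tree: one correctly set up shared directory and
# one group-writable directory that forgot the setgid bit.
demo_root=$(mktemp -d)
make_shared_dir "$demo_root/citadel"
chmod g+w "$demo_root/citadel"
mkdir "$demo_root/loose" && chmod 0770 "$demo_root/loose"
find_group_writable_without_sgid "$demo_root"   # reports only .../loose
check_group_inheritance "$demo_root/citadel" && echo "citadel: group inherited"
rm -rf "$demo_root"
```

On a real system, run the audit as root over the parent of your shared trees (for example /shared) and fix every hit with chmod g+s; the hardening variant for a team-only directory is chmod 2770, which keeps the setgid bit and removes all access for others.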

Let’s check the umask of the user summer. Switch to the user summer (as a login shell) if you have not already:

su - summer

Check the umask of the user summer:

umask

The output looks like this:

[summer@rhcsa ~]$ umask
0002

Let’s create a directory in her home directory:

mkdir /home/summer/pickle

The result should look like this:

[summer@rhcsa ~]$ ll
total 0
drwxrwxr-x. 2 summer summer 6 Dec 28 14:49 pickle

If we run the umask command, we see the umask that applies to the user we are logged in as:

[student13@rhcsa ~]$ umask
0002

What does it mean?

So what does the 0002 mean? Each octal digit has its own designation, just like the chmod octal digits, with the addition of the special-bit digit:

  Octal 1       Octal 2   Octal 3   Octal 4
  0             0         0         2
  Special Bit   User      Group     Other

The umask is read just like the chmod octal system, but in reverse: each umask digit names the permission bits that are removed, so the result can be worked out by digit-wise subtraction.

The octal notation for the first digit is the following:

  Octal Value   Special Bit
  0755          None of the special bits set
  1755          Sticky bit set
  2755          SGID bit set
  4755          SUID bit set

The octal notation for the last three digits is as follows (the permissions that remain after the umask digit is applied):

  Octal Value   Permissions that remain
  0             read, write and execute
  1             read and write
  2             read and execute
  3             read only
  4             write and execute
  5             write only
  6             execute only
  7             no permissions

This translates into the following:

    7 7 7   (permissions requested by the application)
  - 0 2 6   (umask)
  -------
    7 5 1   rights = rwx r-x --x
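The arithmetic described in this section and in the introduction above, as an added example that is not part of the original page: a POSIX shell script that computes the mode a new file or directory receives for a given umask the way the kernel does it (the umask bits are cleared from the mode the application requested), prints it in symbolic form, and tabulates the page's cases (777/026, 666/027, 777/027, 777/644) next to the touch-versus-mkdir difference. It also carries one case where plain digit subtraction would mislead: 666 with a umask of 133 yields 644, not 533, because a umask digit can only clear bits that the requested mode actually has set. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: compute the mode a new file or
# directory gets for a given umask. The kernel clears the umask bits from the
# requested mode (bitwise AND-NOT); only the three permission digits take part,
# the special-bit digit is never subject to the umask. Modes are octal strings
# such as 666 or 027.

# apply_umask REQUESTED UMASK -> prints the resulting three-digit octal mode
apply_umask() {
    # A leading 0 makes the shell read both arguments as octal.
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# octal_to_rwx MODE -> prints the symbolic form, e.g. 751 -> rwxr-x--x
octal_to_rwx() {
    mode=$(printf '%03o' "$(( 0$1 & 0777 ))")
    out=""
    while [ -n "$mode" ]; do
        digit=${mode%"${mode#?}"}      # first remaining digit
        mode=${mode#?}                 # drop it
        [ $(( digit & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( digit & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( digit & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# new_file_mode UMASK / new_dir_mode UMASK: what touch and mkdir end up with,
# since touch (like most programs) requests 666 and mkdir requests 777. This is
# why a new file never gets +x from the umask alone.
new_file_mode() { apply_umask 666 "$1"; }
new_dir_mode()  { apply_umask 777 "$1"; }

# show_umask_table: the page's cases plus the one where subtraction misleads
show_umask_table() {
    printf '%-10s %-6s %-7s %s\n' requested umask result symbolic
    for pair in 777:026 666:027 777:027 777:644 666:133 777:000 666:077; do
        req=${pair%:*}
        mask=${pair#*:}
        result=$(apply_umask "$req" "$mask")
        printf '%-10s %-6s %-7s %s\n' "$req" "$mask" "$result" "$(octal_to_rwx "$result")"
    done
    # 666 with umask 133 gives 644, not 533: 6 (rw-) minus 3 (-wx) leaves 4 (r--),
    # because the x bit that the umask wants to remove was never there.
}

show_umask_table
```

Running the script prints the table; to check a candidate umask before putting it in a .bashrc, call new_file_mode and new_dir_mode with it and compare the symbolic output against what the files in the shared directory should look like.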

If you want to change the umask, you can do that with the umask command. We will still do this as summer:

umask 027

Now let’s test it out in the home directory. Go there using cd or cd ~, then create a file:

touch /home/summer/maskexperiment1

Let’s check the result:

ls -l /home/summer/maskexperiment1
[summer@rhcsa ~]$ ls -l /home/summer/maskexperiment1
-rw-r-----. 1 summer summer 0 Jan  2 09:31 /home/summer/maskexperiment1

Notice that the file does not get +x. This is because touch, like most applications, requests mode 666 when it creates a file, and the kernel never adds execute bits the application did not ask for. This is not important for RHCSA.

However, when we make a directory, the execute (search) bit is kept, because mkdir requests 777 and the umask of 027 leaves 750:

mkdir /home/summer/counsel

And check the result:

ls -l /home/summer/
[summer@rhcsa ~]$ ls -l
total 0
drwxr-x---. 2 summer summer 6 Jan  2 11:08 counsel

Changing Umask Config

We can also change the umask persistently by adding a umask line to the user’s .bashrc file. This file holds the standard settings for the user’s bash sessions:

echo "umask 007" >> /home/summer/.bashrc
cat /home/summer/.bashrc

The result should look like this:

# .bashrc

# Source global definitions
if [ -f /etc/bashrc ]; then
	. /etc/bashrc
fi

# Uncomment the following line if you don't like systemctl's auto-paging feature:
# export SYSTEMD_PAGER=

# User specific aliases and functions
umask 007

Now exit the summer shell:

exit

Log back in as summer:

su - summer

Check the umask:

umask

This should now be 0007:

[summer@rhcsa ~]$ umask
0007