CIS84.12B          Binary/Octal Introduction to Umask          P. Grosh

There are two ways of explaining the representation of access permissions on Unix. One is written in English, the other in binary. This page describes the binary/octal approach to understanding the file access modes used by "umask".

The "chmod" command recognizes both octal and 3-letter (rwx) representations for permissions. But the "umask" command recognizes only octal. Therefore, we must face octal head-on. We will only be referring to single-digit octal numbers here, so do not be intimidated - a single-digit octal number has exactly the same magnitude as the corresponding decimal number. In other words, a 7 refers to the same number of things whether it is decimal or octal. A 77 is another matter - but not to worry; we will be using only single-digit numbers here.

A permission is either ON or OFF; this is why it is easy to represent in binary. Whether you choose to use a 0 or a 1 to represent ON or OFF is essentially arbitrary. Unfortunately the purpose of "chmod" is to turn permissions ON, but the purpose of "umask" is to turn permissions OFF. Therefore, their use of binary and octal representations is exactly opposite. This is not a joke.

There are 3 different types of access permissions: read (r) permission, write (w) permission, or execute (x) permission. By convention, they are always listed in the above order: rwx. The "ll" command displays permissions using these 3 letters, and dashes for permissions that are turned off. If no permissions are allowed, the "ll" command indicates this by printing "---".

The "chmod" command can use these letters or 0's and 1's. This is well explained in the books and the lab assignment. The "umask" command, on the other hand, uses only numbers and is rarely explained in detail because of its contrarian conventions. Therefore, the following description applies ONLY to "umask".

Every time a file or directory is created, the Unix system gives it "default" permissions.
In the case of directories, all access by default is allowed for everyone. In the case of files, only read and write access are by default allowed for everyone. The "umask" command is used to turn these permissions off.

If the permission is to be turned OFF (i.e., access is not allowed) it is represented by a one; if it is to be left ON (i.e., access is allowed) it is represented by a zero. As mentioned above, the 3 different access permissions are always listed in order: rwx. If all permissions are to be turned OFF (denied), the "umask" numerical representation would be 111 (read denied, write denied, execute denied). The binary number 111 is represented in octal by a 7. The resulting file permissions listed by the "ls -l" command will be "---" (i.e., no access allowed).

Each of the 3-digit binary numbers, 000 through 111, can be represented by a single octal digit, 0 through 7. If you sit down and write out all the possible combinations of 1 and 0 taken 3 at a time, and the corresponding "rwx" representations, you get:

Permissions that will be DENIED by umask command:

symbolic | --- | --x | -w- | -wx | r-- | r-x | rw- | rwx |
----------------------------------------------------------
binary   | 000 | 001 | 010 | 011 | 100 | 101 | 110 | 111 |
----------------------------------------------------------
octal    |  0  |  1  |  2  |  3  |  4  |  5  |  6  |  7  |

So you see that a letter (r, w, or x), representing which permission is to be DENIED, always corresponds to a one. No letter, which allows access, always corresponds to a zero. In addition, a 3-digit binary number can always be translated into a single-digit octal number: the binary number 111, for example, is equal to 7, because 2 squared plus 2 plus 1 equals 7. For some people (namely, the creator of "umask"), using a single character is always preferable to using 3 characters, and thus the octal representation of permissions was born.

What this table states is that "umask" uses 7 to turn OFF read, write, and execute permission to files. There are many situations in which you only want to deny write permission, so you use 2, or to deny write and execute permission, so you use 3. A common use of "umask" is "umask 037": all default permissions allowed for the owner (user), only read permission allowed for the group (7 - 3 = 4), and all permissions denied for everyone else (other).

Unix systems ordinarily come with a default for all files of rw-rw-rw- or read-write for all users. When a Unix system is installed, the system administrator can set up a system-wide default umask to modify the original rw-rw-rw- system permissions. On Unix systems with classes on them, it is customary for the sysad to create a system-wide umask of 077 so students cannot mess with other students' files.

The umask for our system is 022. Thus, new files are read-write for the owner and read-only for everyone else (rw-r--r--). However, if you execute a umask command or put one in your .profile, your umask will REPLACE the system (or any previous) umask for your current login session. This means that your new umask will NOT be subtracted from the usual rw-r--r-- permissions (resulting from the system umask 022), but from the original rw-rw-rw- permissions.

For those of you who are interested in such things, what the system actually does with each of the umask binary arguments is to perform the following bitwise logical operations:

(1) complement it
(2) AND the result with the basic system defaults
(3) use that product as the permissions for your new files and directories

The original Unix system defaults allowed all access except execute permission for files. The "umask" command is a disabling, not an enabling, process, so all that can be done with it is to disable the defaults. As a result, you cannot give execute permission to files with "umask"; you must use "chmod" instead to enable execute permission.
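
The three bitwise steps above can be checked at the shell prompt. The script below is an added example, not part of the original handout: it computes the complement-and-AND result for a given umask and then measures what the system really assigns to a new file and a new directory. The function names are hypothetical, and it assumes "mktemp" and a GNU or BSD "stat" are available. Note umask 033: treating the mask as a subtraction would suggest 633 for a file, but the bitwise rule (and the system) gives 644.

```shell
#!/bin/sh
# Added example (constructed): predict, then measure, the mode of new files
# and directories under a given umask. Helper names are hypothetical.

# predicted_mode BASE UMASK -> BASE AND (complement of UMASK), in octal.
# BASE is 666 for files and 777 for directories (the defaults described above).
predicted_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# actual_mode KIND UMASK -> the mode the system really assigns.
# KIND is "file" or "dir". The body runs in a subshell, so the caller's
# own umask is left untouched.
actual_mode() (
    tmp=$(mktemp -d) || exit 1
    umask "$2"
    if [ "$1" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    # GNU stat first, BSD stat as fallback; normalise to three octal digits.
    raw=$(stat -c %a "$tmp/new" 2>/dev/null || stat -f %Lp "$tmp/new")
    rm -rf "$tmp"
    printf '%03o\n' "0$raw"
)

# 022 is the handout's system umask, 037 and 077 are its other examples;
# 033 is the case where "subtracting" the mask gives the wrong answer.
for m in 022 037 077 033; do
    printf 'umask %s: file %s (predicted %s), dir %s (predicted %s)\n' \
        "$m" \
        "$(actual_mode file "$m")" "$(predicted_mode 666 "$m")" \
        "$(actual_mode dir "$m")"  "$(predicted_mode 777 "$m")"
done
```

The file column never shows an execute bit, whatever the umask, because the file default of 666 has none to keep.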