When files are created they automatically get permissions derived from a default configuration setting called the umask. Calculating default permissions can look inconsistent until you know that the maximum initial permissions differ: 777 for directories but 666 for files, because a newly created file never gets the execute bit. Clear the umask bits from the maximum initial permissions (for the usual umasks this is the same as subtracting them) and you have the default permissions.
- [Instructor] When files are created, default permissions are applied automatically. These permissions are calculated based on a bitmask called umask. To see your umask, type into a terminal umask, and hit Enter. We can also view the umask in symbolic notation by using the -S option. Type in umask, space, -S, and hit Enter. We can see that my umask is 0002, which equates to rwx for the user, rwx for the group, and rx for other.
CentOS has different umasks for root and regular users. Let's su to root and check the umask again. Type in su, space, hyphen, space, root, and hit Enter. Type in root's password, and hit Enter again. Type in umask, and hit Enter again. You can see that root's umask is 0022, and my user's umask is 0002. Type in exit to go back to your user. Notice that the umask isn't the same format as a numeric permission such as 754, but is rather upside down.
To calculate default permissions, we'll have to subtract the umask from maximum initial permissions. For directories, our maximum initial permissions are 777, since having execute on a directory doesn't create a security risk. Now let's subtract 002 from 777. The result is 775 or equivalent to rwx for the user owner, rwx for the group owner, and rx for other. And let's go to a terminal and check this out.
Let's make a directory by typing in mkdir, space, umaskdir, and hit Enter. Verify this with ls, space, -l. We can see umaskdir. The default permissions are rwx, rwx, and rx, or 775, just as our calculations would show. The maximum initial permissions for a file are different from those for a directory. For security reasons, we don't allow execute permissions on files by default.
So the maximum initial permissions on a file are 666, or rw for user, group, and other. Having execute off by default keeps files from being automatically executable after being copied from one place to another. This includes files downloaded from the internet. To get the default permissions for files, subtract the right three digits of the umask from 666. My umask is 0002, so I will subtract 002 from 666, which results in rw for our user, rw for our group, and read-only for other.
Let's test this out by going to the terminal and creating a file. Type in touch, space, umaskfile.txt, and hit Enter. Verify this with ls, space, -l, and hit Enter again. Note that the permissions on our new file are read write for the user owner, read write for the group owner, and read-only for other, or 664, just as our calculation would show. We can temporarily change our umask by using the umask command. Type in umask, space, 022, and hit Enter.
For directories, a umask of 022 would give read write execute for the user owner, read execute for the group owner, and read execute for other. For files, it would give read write for the user owner, read for the group owner, and read for other. Verify the umask by typing in umask and hitting Enter. This only works for our current login session. If a user wants to change their umask, they can add it to their Bash startup file using an editor. We're going to use vi for this. Type in vi, space, ~/.bashrc, and hit Enter.
Go into insert mode by pressing the Insert key, and we'll go to the very last line, and hit Enter. We'll add umask, space, 0022, and we'll hit Enter. Let's save this by pressing Escape, colon, W, Q, and we'll hit Enter again. Note that the change we just made is only for our current user. If an administrator wants to change a system-wide umask, they can add a file to /etc/profile.d. Let's create a new file named umask.sh using vi.
We need to elevate privileges with sudo. Type in sudo, space, vi, space, /etc/profile.d/umask.sh, and hit Enter. Type in our password and hit Enter again. We could just add a line here that says umask 022, but it's customary to have a different umask for root and regular users, so we'll add a condition. Go into insert mode by pressing the Insert key, and then type in if, space, left square bracket, space, "$UID", space, -ge, space, 1000, space, right square bracket, space, then.
Hit Enter, Tab, umask, space, 022, hit Enter, fi. What this will do is check the user ID of the currently logged in user. And if it's greater than or equal to 1,000, it will change the umask to 022. This won't take effect until you log in again. Let's save this by pressing Escape, colon, W, Q, and hitting Enter.
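The calculation walked through above, as an added example that is not part of the course: a POSIX shell script that derives default permissions from a umask the way the kernel does it (maximum mode AND NOT umask), reads back the mode the kernel actually applied by parsing `ls -l`, and checks the two against each other in a scratch directory. The function names and the scratch-directory layout are my own. It also shows where "subtract the umask" stops being a safe shortcut: a umask bit that is not set in the base, such as an execute bit against the file base 666, simply has nothing to clear, so masking gives 666 where subtraction would give 555.

```shell
#!/bin/sh
# Added example, not code from the course: umask arithmetic done the way the
# kernel does it, plus a check against files the kernel actually creates.
# Function names are illustrative.

# default_perms BASE UMASK -> three-digit octal default mode.
# The kernel applies BASE & ~UMASK (base 666 for files, 777 for directories).
# Plain subtraction only agrees when every umask bit is also set in the base.
default_perms() {
    printf '%03o' $(( 0$1 & ~0$2 & 0777 ))
}

# sym_to_octal rwxr-xr-x -> 755. Parses the 9-character mode field that
# ls -l prints, which is portable where stat's format flags are not.
sym_to_octal() {
    sym=$1
    out=""
    for pos in 1 4 7; do
        triple=$(printf '%s' "$sym" | cut -c"$pos"-"$((pos + 2))")
        digit=0
        case $triple in r??) digit=$((digit + 4)) ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; esac
        case $triple in ??x|??s|??t) digit=$((digit + 1)) ;; esac
        out="$out$digit"
    done
    printf '%s' "$out"
}

# observed_perms UMASK -> "file=NNN dir=NNN" as applied by the kernel when a
# file and a directory are created under that umask in a scratch directory.
# The umask is set inside a subshell, so the caller's umask is untouched.
observed_perms() {
    scratch=$(mktemp -d)
    (
        umask "$1"
        touch "$scratch/f"
        mkdir "$scratch/d"
    )
    fmode=$(sym_to_octal "$(ls -ld "$scratch/f" | cut -c2-10)")
    dmode=$(sym_to_octal "$(ls -ld "$scratch/d" | cut -c2-10)")
    rm -rf "$scratch"
    printf 'file=%s dir=%s' "$fmode" "$dmode"
}

# Compare calculation and observation for the umasks in the course (002, 022),
# a common hardening value (027), and one that exposes the subtraction shortcut.
main() {
    printf '%-6s %-9s %-9s %s\n' umask calc:file calc:dir observed
    for m in 002 022 027; do
        printf '%-6s %-9s %-9s %s\n' "$m" \
            "$(default_perms 666 "$m")" "$(default_perms 777 "$m")" \
            "$(observed_perms "$m")"
    done
    # umask 111 clears only execute bits; 666 - 111 would wrongly say 555.
    printf '\numask 111 on a file: kernel gives %s, subtraction would say 555\n' \
        "$(default_perms 666 111)"
}

main
```

Run it as `sh umask_check.sh`. The `umask` call inside the parenthesised subshell does not leak into the calling shell, which is the same reason a `umask` typed at the prompt lasts only for that session and has to go into `~/.bashrc` or a file under `/etc/profile.d/` to persist. The 027 row is worth keeping in mind as a hardening baseline: new files come out 640 and new directories 750, so nothing a user creates is world-readable by default.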
Instructor Grant McWilliams covers network and internet services administration, kernel management, and intrusion prevention. He shows how to make your systems more efficient with virtualization, manage users and groups, and lock everything down with SELinux mandatory access control. Plus, get access to 25 PDF "cheat sheets" and 100 practice questions so you can solidify and test your knowledge.
- Installing Linux on a physical machine
- Managing systemd services
- Managing reoccurring jobs with cron
- Limiting system access
- Configuring networking
- Creating, editing, and moving files and directories
- Analyzing text with grep and regular expressions
- Installing software and packages
- Managing the kernel
- Managing users, accounts, and groups
- Setting permissions
- Using access control lists
- Securing Linux with SELinux
- Accessing Linux remotely
- Configuring local storage