umask [-S] [mask]
Options

| Option | Description |
|---|---|
| -S | Accept a symbolic representation of a mask, or return one. |
| mask | If a valid mask is specified, the umask is set to this value. If no mask is specified, the current umask value is returned. |
What are permissions, and how do they work?
As you may know, each file on your system has associated with it a set of permissions that are used to protect files: a file's permissions determine which users may access that file, and what type of access they have to it.
There are three general classes of users:
- The user who owns the file ("User").
- Users belonging to the file's defined ownership group ("Group").
- Everyone else ("Other").
In turn, for each of these classes of user, there are three types of file access:
- The ability to look at the contents of the file ("Read").
- The ability to change the contents of the file ("Write").
- The ability to run the contents of the file as a program on the system ("Execute").
So, for each of the three classes of user, there are three types of access. Taken together, this information makes up the file's permissions.
How are permissions represented?
There are two ways to represent a file's permissions: symbolically (using symbols like "r" for read, "w" for write, and "x" for execute) or with an octal numeric value.
For example, when you list the contents of a directory at the command line using the ls command as follows:
ls -l
you will see (among other information) the file permission information for each file. Here, it is represented symbolically, which will look like the following example:
-rwxr-xr--
There are ten symbols here. The first dash ("-") means that this is a "regular" file, in other words, not a directory (or a device, or any other special kind of file). The remaining nine symbols represent the permissions: rwxr-xr--. These nine symbols are actually three sets of three symbols each, and represent the respective specific permissions, from left to right:
| Symbols | Meaning |
|---|---|
| rwx | The file's owner may read, write, or execute this file as a process on the system. |
| r-x | Anyone in the file's group may read or execute this file, but not write to it. |
| r-- | Anyone at all may read this file, but not write to it or execute its contents as a process. |
Specifying the file creation mask using symbols
The general symbolic form of a mask is as follows:
[user class symbol(s)][permissions operator][permission symbol(s)][,]...
The permission symbols are any combination of r (read), w (write), or x (execute), as described above.
The user class symbols may be one or more of the following:

| Symbol | Meaning |
|---|---|
| u | User (the owner of the file). |
| g | Group (any member of the file's defined group). |
| o | Other (anyone else). |
| a | All (equivalent to ugo). |

The permissions operator may be one of the following:

| Operator | Meaning |
|---|---|
| + | Allow the specified file permissions to be enabled for the specified user classes (permissions that are not specified are unchanged in the mask). |
| - | Prohibit the specified file permissions from being enabled for the specified user classes (permissions that are not specified are unchanged in the mask). |
| = | Allow only the specified file permissions to be enabled for the specified user classes (permissions not specified will be prohibited by the mask during file creation). |
So, for example, the following umask command:
umask u+w
sets the mask so that when files are created, they will have permissions which allow write permission for the user (file owner). The rest of the file's permissions would be unchanged from the operating system default.
Multiple changes can be specified by separating multiple sets of symbolic notation with commas (but not spaces!). For example:
umask u-x,g=r,o+w
This command will set the mask so that when subsequent files are created, they will have permissions that:
- prohibit the execute permission from being set for the file's owner (user), while leaving the rest of the owner permissions unchanged;
- enable read permission for the group, while prohibiting write and execute permission for the group;
- enable write permission for others, while leaving the rest of the other permissions unchanged.
Note that if you use the equals operator ("="), any permissions not specified will be specifically prohibited. For example, the command
umask a=
will set the file creation mask so that new files are inaccessible to everyone.
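The symbolic grammar above can be turned into the octal mask the shell actually stores. This is an added example, not code from the original page: `symbolic_to_mask` and `mask_to_symbolic` are hypothetical helper names, and one assumption is made beyond the page's text, namely that a clause with no class letters applies to all classes (which is how POSIX shells treat it). Note that symbolic umask operates on the permitted bits, the complement of the mask, which is why `a=` yields mask 0777.

```python
import re

CLASS_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}
PERM_BITS = {"r": 4, "w": 2, "x": 1}
CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwx]*)$")


def symbolic_to_mask(spec, current=0o022):
    """Return the octal mask that `umask <spec>` would set, starting from
    `current`. '+' allows bits, '-' prohibits them, '=' allows only the
    listed bits for the named classes."""
    permitted = 0o777 & ~current          # symbolic form works on allowed bits
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad umask clause: {clause!r}")
        classes, op, perms = m.groups()
        if not classes or "a" in classes:  # assumption: no class letters == all
            classes = "ugo"
        class_mask = 0
        for c in classes:
            class_mask |= CLASS_BITS[c]
        pattern = 0
        for p in perms:
            pattern |= PERM_BITS[p]
        bits = (pattern * 0o111) & class_mask  # e.g. rw for ug -> 0o660
        if op == "+":
            permitted |= bits
        elif op == "-":
            permitted &= ~bits
        else:
            permitted = (permitted & ~class_mask) | bits
    return 0o777 & ~permitted


def mask_to_symbolic(mask):
    """Render a mask the way `umask -S` does, e.g. 0o022 -> 'u=rwx,g=rx,o=rx'."""
    permitted = 0o777 & ~mask
    parts = []
    for cls, shift in (("u", 6), ("g", 3), ("o", 0)):
        digit = (permitted >> shift) & 7
        letters = "".join(p for p, b in PERM_BITS.items() if digit & b)
        parts.append(f"{cls}={letters}")
    return ",".join(parts)


if __name__ == "__main__":
    for spec in ("u+w", "u-x,g=r,o+w", "a="):
        mask = symbolic_to_mask(spec)
        print(f"umask {spec:<12} -> {mask:04o}  ({mask_to_symbolic(mask)})")
```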
Specifying the file creation mask using numeric representation
The file creation mask can also be represented numerically, using octal values (the digits from 0 to 7). When using octal numeric representation, certain numbers represent certain permissions, and these numbers are added or subtracted from each other to represent the final, combined permissions value. Specifically, the numbers 1, 2, and 4 represent the following permissions:
| Number | Permission |
|---|---|
| 4 | read |
| 2 | write |
| 1 | execute |
These numbers are used because any combination of these three numbers will be unique. The following table illustrates their unique combinations:
| Read value + | Write value + | Execute value = | Combined value | Symbolic equivalent |
|---|---|---|---|---|
| 0 | 0 | 0 | 0 | |
| 0 | 0 | 1 | 1 | x |
| 0 | 2 | 0 | 2 | w |
| 0 | 2 | 1 | 3 | wx |
| 4 | 0 | 0 | 4 | r |
| 4 | 0 | 1 | 5 | rx |
| 4 | 2 | 0 | 6 | rw |
| 4 | 2 | 1 | 7 | rwx |
For each class of user, one digit can be used to represent their permissions; using the example above, we could represent the symbolic permission of rwxr-xr-- using the three-digit octal number 754. The order of the digits is always the same: User, Group, Other.
The other permission digit
In octal representations of file permissions, there are actually four digits. The three important digits we've discussed are the last three digits. The first digit is a special file permission indicator, and for the purposes of this discussion can be considered always to be zero. So from here on out, when we discuss file permission 777, it may also be referred to as 0777.
So how does the umask actually work?
The umask masks permissions by restricting them by a certain value.
Essentially, each digit of the umask is "subtracted" from the OS's default value to arrive at the default value that you define. It's not really subtraction; technically, the mask is negated (its bitwise complement is taken) and this value is then applied to the default permissions using a logical AND operation. The result is that the umask tells the operating system which permission bits to "turn off" when it creates a file.
In Linux, the default permissions value is 666 for a regular file, and 777 for a directory. When creating a new file or directory, the kernel takes this default value, "subtracts" the umask value, and gives the new files the resulting permissions.
This table shows how each digit of the umask value affects new file and directory permissions:
| umask digit | Default file permissions | Default directory permissions |
|---|---|---|
| 0 | rw | rwx |
| 1 | rw | rw |
| 2 | r | rx |
| 3 | r | r |
| 4 | w | wx |
| 5 | w | w |
| 6 | x | x |
| 7 | (no permission allowed) | (no permission allowed) |
So if our umask value is 022, then any new files will, by default, have the permissions 644 (666 - 022). Likewise, any new directories will, by default, be created with the permissions 755 (777 - 022).
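The AND-with-complement rule above, carried out in code as an added example (not from the original page). It reproduces the 644/755 result for 022, shows where the "subtraction" shorthand stops working (a digit would go negative, as with 666 and 027), creates a real file to confirm the kernel agrees, and flags masks that leave group or world write enabled on new files. `apply_umask`, `naive_subtract`, `weak_umask_findings` and `observe` are hypothetical helper names; the 666/777 defaults are the page's Linux values.

```python
import os
import tempfile

FILE_DEFAULT = 0o666  # kernel default for a regular file (from the page)
DIR_DEFAULT = 0o777   # kernel default for a directory

def apply_umask(default, mask):
    """What the kernel really does: default AND NOT mask (bits to turn off)."""
    return default & ~mask & 0o777

def naive_subtract(default, mask):
    """Digit-by-digit octal subtraction, the page's shorthand. Returns None
    when a digit would go negative, which is where the shorthand breaks."""
    result = 0
    for shift in (6, 3, 0):
        d = ((default >> shift) & 7) - ((mask >> shift) & 7)
        if d < 0:
            return None
        result |= d << shift
    return result

def weak_umask_findings(mask):
    """Hardening check: a mask that leaves the group or other write bit on
    lets users who do not own a new file modify it."""
    findings = []
    if not mask & 0o020:
        findings.append("group-writable files by default")
    if not mask & 0o002:
        findings.append("world-writable files by default")
    return findings

def observe(mask):
    """Create a real file under `mask` and return its mode bits; the
    process umask is restored afterwards."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "probe")
            open(path, "w").close()
            return os.stat(path).st_mode & 0o777
    finally:
        os.umask(old)

if __name__ == "__main__":
    for mask in (0o022, 0o027, 0o002):
        naive = naive_subtract(FILE_DEFAULT, mask)
        print(f"umask {mask:03o}: file {apply_umask(FILE_DEFAULT, mask):03o} "
              f"dir {apply_umask(DIR_DEFAULT, mask):03o} "
              f"naive {'n/a' if naive is None else f'{naive:03o}'} "
              f"observed {observe(mask):03o} weak={weak_umask_findings(mask)}")
```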