Understanding UMASK with Linux and Samba

Have you ever been confused by the Linux environment UMASK? How about trying to set up permissions with a Samba file server? Displaying and setting the umask for both the Linux environment and a Samba server is very easy. In this article, I’ll explain what a UMASK is and how to display and change the current value. Afterwards, I’ll explain UMASK in the context of using a Samba file server.

PERMISSIONS

Let’s start with a quick refresher course on permissions. Each file and directory has a set of attributes that controls who is permitted access. Permissions can be represented with either symbolic notation or octal notation. With a directory listing, the permissions are represented symbolically as the following shows:

$ ls -l
-rw-rw-rw- 1 user user 0 Sep 25 21:12 file

The above directory listing shows symbolically that file has read/write permissions for user, group and others.

To change the permissions of a file or directory, the command chmod is used with either symbolic or octal notation. For example:

$ chmod u=rw,go= file
$ ls -l
-rw------- 1 user user 0 Sep 25 21:21 file
$ chmod 666 file
$ ls -l
-rw-rw-rw- 1 user user 0 Sep 25 21:22 file

In octal notation, the permissions of a file consist of at least three digits. The rightmost three digits represent, respectively, user, group, and others. Each of these digits is the sum of its component bits, with the specific bits represented as follows:

Read bit: 4
Write bit: 2
Execute bit: 1

For example:

Symbolic Notation    Octal Notation    English
----------           0                 no permissions
---x--x--x           111               execute
--w--w--w-           222               write
--wx-wx-wx           333               write & execute
-r--r--r--           444               read
-r-xr-xr-x           555               read & execute
-rw-rw-rw-           666               read & write
-rwxrwxrwx           777               read, write, & execute

UMASK

Let’s start the discussion of UMASK by first seeing and then changing what the current UMASK is. Afterwards, I’ll explain what it means. To see the current UMASK, type the following into a terminal:

$ umask
0002

To change the current UMASK and then display the new umask, type the following:

$ umask 0022
$ umask
0022

When a file or directory is created, the permissions are set by the process that created that file or directory. For example, when using the touch command to create a new file, the default permissions set by that process for files are 0666. If the UMASK were set to 0000, then the file permissions would be 0666. As a demonstration, type the following into a terminal:

$ umask 0000
$ touch new_file_1
$ ls -l
-rw-rw-rw- 1 user user 0 Sep 25 21:12 new_file_1

As you can see, the file’s permissions allow read and write for the user, group and others. However, if the UMASK was set to 0002, then the file permissions would be 0664. Let’s try it out:

$ umask 0002
$ touch new_file_2
$ ls -l
-rw-rw-rw- 1 user user 0 Sep 25 21:12 new_file_1
-rw-rw-r-- 1 user user 0 Sep 25 21:13 new_file_2

As you can see, the UMASK did not allow the others component to have write permission. The way the UMASK works is that each digit defines what is permissible for user, group and others: any bit set in the UMASK is removed from the permissions the process requests. With all zeros, read, write and execute are all permissible, so nothing is restricted and the permissions are those set by the process. In our second example, the UMASK of 0002 restricts others from having write permission.

The following table shows what the various digits mean:

Octal digit in umask command    Allows (if requested)
0                               read, write and execute
1                               read and write
2                               read and execute
3                               read only
4                               write and execute
5                               write only
6                               execute only
7                               no permissions
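
The table above as a calculation, checked against files and directories actually created under several umasks. This is an added example, not code from the original article; it assumes GNU stat (-c) and mktemp on Linux, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Assumes GNU stat (-c) and mktemp on Linux.

# predicted_mode REQUESTED UMASK -> REQUESTED with every bit set in UMASK cleared
predicted_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observed_mode KIND UMASK -> mode of a file|dir really created under UMASK
observed_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$2"
        if [ "$1" = dir ]; then mkdir "$tmp/new"; else touch "$tmp/new"; fi
        mode=$(stat -c %a "$tmp/new")
        rm -rf "$tmp"
        printf '%04o\n' $(( 0$mode & 0777 ))
    )
}

# exposure MODE -> who besides the owner can write to something with this MODE
exposure() {
    if [ $(( 0$1 & 0002 )) -ne 0 ]; then echo "others can write"
    elif [ $(( 0$1 & 0020 )) -ne 0 ]; then echo "group can write"
    else echo "owner-only write"; fi
}

# touch requests 0666 (as the article notes); mkdir requests 0777.
for mask in 0000 0002 0022 0027 0077; do
    f=$(observed_mode file "$mask"); d=$(observed_mode dir "$mask")
    [ "$f" = "$(predicted_mode 0666 "$mask")" ] || echo "file mismatch for $mask"
    [ "$d" = "$(predicted_mode 0777 "$mask")" ] || echo "dir mismatch for $mask"
    printf 'umask %s  file %s  dir %s  (%s)\n' "$mask" "$f" "$d" "$(exposure "$f")"
done
```

Because the umask is changed inside a subshell, the calling shell's own umask is left untouched.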

SAMBA

To put it bluntly, Samba ignores the UMASK setting in the Linux environment. Instead, it provides its own equivalent parameter. But here’s the gotcha: it’s the inverse of the Linux UMASK. Instead of 000, it would be 777. Here are the default options:

create mask = 0744
force create mode = 000
directory mask = 0755
force directory mode = 000

To explain, consider the following excerpt from Using Samba, 3rd Edition:

“The create mask and create directory mask options consist of octal permission sets for files and folders, respectively, that combine with the permissions requested by the user using a logical AND. Any bit not set in the mask will be removed from the final permission set. The force create mode and force directory mode options also specify octal permission sets, but are combined with the permission set using a logical OR (after applying any creation masks). Therefore, any permission bit that is set in the force mode is included in the final permissions.”

— Gerald Carter, Jay Ts, and Robert Eckstein. Using Samba, 3rd Edition

As you can see, this works quite differently from the Linux environment UMASK. Instead of defining what is restricted, it defines what is allowed. With the create mask and create directory mask options, a setting of 0777 would allow all bits to be set, leaving the permissions as requested by the user. Furthermore, the force create mode and force directory mode options force particular bits to be set, even if they weren’t requested by the user. Note that smb.conf names the directory option directory mask; see man smb.conf.

As an example, consider the following option settings as you would define them for a share in smb.conf:

create mask = 0770
force create mode = 060
directory mask = 0770
force directory mode = 070

This would allow both files and directories to have read, write and execute permissions for user and group, but not others. At the same time, it forces the group permissions to be read/write for files and read/write/execute for directories.
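
The AND-then-OR rule from the excerpt, applied to the example settings above for a range of requested modes. This is an added example, not code from the original article or from Samba: the [team] share and its path are constructed, the parser only handles simple lowercase name = value lines, and the directory parameter is written directory mask, its name in smb.conf(5).

```shell
#!/bin/sh
# Added example (not from the article). The [team] share is constructed;
# its mask and mode values are the article's example settings.
SHARE_CONF='[team]
    path = /srv/team
    create mask = 0770
    force create mode = 060
    directory mask = 0770
    force directory mode = 070'

# conf_value NAME DEFAULT -> octal value of NAME in SHARE_CONF, or DEFAULT if absent
conf_value() {
    v=$(printf '%s\n' "$SHARE_CONF" |
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-7]*\)[[:space:]]*\$/\1/p" |
        tail -n 1)
    printf '%s\n' "${v:-$2}"
}

# samba_mode KIND REQUESTED -> (REQUESTED AND mask) OR force mode, KIND is file|dir
# Defaults are the ones the article lists: 0744/000 for files, 0755/000 for directories.
samba_mode() {
    if [ "$1" = dir ]; then
        mask=$(conf_value 'directory mask' 0755)
        force=$(conf_value 'force directory mode' 000)
    else
        mask=$(conf_value 'create mask' 0744)
        force=$(conf_value 'force create mode' 000)
    fi
    printf '%04o\n' $(( (0$2 & 0$mask) | 0$force ))
}

for req in 0600 0644 0666 0777; do
    printf 'file requested %s -> %s\n' "$req" "$(samba_mode file "$req")"
done
for req in 0700 0755 0777; do
    printf 'dir  requested %s -> %s\n' "$req" "$(samba_mode dir "$req")"
done
```

Every requested mode ends up with group read/write on files and group read/write/execute on directories, and with nothing for others, whatever the client asked for.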

CONCLUSION

I hope this article has helped clear up any confusion. I know my explanation may come across as brief, but this was intentional so that I could get right to the point. Of course, Linux can be very specific. So please be sure to read the man pages for more information.

man chmod
man umask
man smb.conf

Additionally, the following book is of great help if you’re setting up a Samba file server:

Using Samba, 3rd Edition By Gerald Carter, Jay Ts, Robert Eckstein

Thanks for reading.