Mac – Umask & You!

I recently came across a situation where I had to setup a shared folder on an AIX filesystem. Usually I would use ACLs to setup permission inheritance but there is no ACL support for Mac OS X on an AIX filesystem. So I had to resort to changing the users’ umask.

There are several places where you can specify a umask. There can different different umasks for:

  • Applications (EX: Finder, TextEdit, etc…)
  • Terminal sessions (EX: SSH)
  • System processes
  • LaunchDaemons & LaunchAgents

For most cases you would only need to specify a umask for applications and terminal sessions. However, I’ll cover all after the jump.

Foreword:

Everything below requires an OS version of 10.4 or later, with the exception of the “Applications” section which requires 10.5.3 or later. All umask values must be specified without quotations and numbers should go where nnn is specified. All changes should be followed by a restart for good measure (may not be absolutely necessary but can’t hurt. A simple login/logout probably would suffice). I would also recommend testing the changes before signing off on your work. For example if you set the umask to 007, the permissions on newly created files/folders should be 770.

Applications:

To set a umask for applications all you need to do is create the file /etc/launchd-user.conf and set its content to “umask nnn”, where nnn is the umask value you want (EX: 007, 027). To test the change, create a folder with the Finder and check its permissions.

Terminal sessions:

To set a umask for SSH sessions you need to specify a umask value in a login profile:

  • ~/.login (tcsh, csh)
  • ~/.profile (bash, sh, ksh)
  • ~/.bash_profile (bash)

Once you know what shell you’ll be dealing with, place the umask value inside. Re-login and test the change by creating a folder and checking its permissions.

System processes:

Setting a umask for system process is very similar to setting a umask for applications. The only difference is that the file you need to create is /etc/launchd.conf. And like before, specify a umask value for its content.

LaunchDaemons & LaunchAgents:

To set a specific umask for a launchd job you need to specify it in its launchd plist, like so:

<key>umask</key>
<integer>nnn</integer>

nnn, again being where you put the numbers. This will override any other umask setting currently being applied to this proccess via /etc/launchd-user.conf or /etc/launchd.conf.

Bonus Content:

If you happen to be working with a filesystem that is capable of supporting Mac OS X ACLs, you can use the following command to achieve a shared folder. I would recommend going this route if possible:

chmod +a ‘<user|group> allow read,write,delete,add_file,add_subdirectory,directory_inherit,file_inherit’ /path/to/some/folder

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s