
10.3: Set the global umask default value System
We have a small office of computers (OS X 10.3) working on shared files which are hosted on our guest-access local server (OS X 10.1) - not a setup for the mega paranoid, but it is very easy to use, and I know a lot of people choose to go this route.

The problem we were having was that users didn't have write permissions to other people's files, meaning that different users couldn't collaborate on common files without the original creator changing the permissions manually. Yes, we could have used BatChmod or set up a cron job on the server to change the permissions for us on a periodic basis, but this was not transparent enough. What we wanted was for the Finder (and any other applications) to create new files or folders with read and write privileges for all users. There had been a fix which worked for 10.2.x, but this got broken by 10.3, and the search has been on since then for a new fix.

Marcel Bresink has implemented a per-user umask preference in the latest version of his TinkerTool 3.1, allowing individual users to change the default permissions on their own files. If this is what people want to do, I would highly recommend they use this utility as it makes the whole thing so easy.

For those who want to set it on a global basis, so that it applies for all the users of a computer, read on.

Side note: This still works in 10.4...

I had seen a posting by Xsage on a mail group highlighting the presence of an NSUmask default hidden away in the file /System/Library/Frameworks/PreferencePanes.framework/Versions/A/Resources/global.defaults. The default NSUmask has a value of 18, which is the decimal equivalent of the octal umask setting 022, and is the global default. Since changing the permissions that the System runs with can cause all sorts of nasty things to happen, particularly if you want to set a more restrictive umask than the normal default, we would ideally look to override this default somewhere else.

TinkerTool implements this on a per-user basis by inserting an NSUmask override setting in the file ~/Library/Preferences/.GlobalPreferences.plist. The inserted lines are:

<key>NSUmask</key>
<integer>my-umask-decimal</integer>
Replace my-umask-decimal with the decimal conversion of the octal umask you want to set. A decimal NSUmask of 0 gives the octal umask value of 000 that I required. To implement this change on a global basis, we simply insert the same setting, but into another file: /Library/Preferences/.GlobalPreferences.plist. I have just been putting it right at the top, for example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSUmask</key>
<integer>0</integer>
<key>AppleLanguages</key>
<array>
<string>English</string>
And that is about it. Obviously you will need to have administrative privileges to be able to do this, and you should save a backup of any files you change etc, etc. As an aside, the global.defaults file contains a few other interesting things that other people might want to mess with, including mouse scaling and key repeat times.
10.3: Set the global umask default value
Authored by: Mac112 on Dec 16, '03 12:34:36PM

Brilliant - You just saved my day!



[ Reply to This | # ]
The 10.3 default is more secure
Authored by: eno on Dec 16, '03 03:15:00PM
Re: The 10.3 default is more secure
Authored by: daniel_clift on Dec 17, '03 09:54:41AM

Agreed - The Mac OS X default, which has proper *nix behaviour is a much better security model, particularly in larger organisations or networks.
However, for those wishing to transition fairly seamlessly from a Mac OS 9 Appleshare environment, this *nix behaviour is a bug and not a feature. Generally these are also people who share files through guest access on sandbox style LANs, typically inaccessible to outside prying eyes. For these people, this hint is essential, and is something for which they would be happy to exchange the extra (and in many respects unnecessary) security



[ Reply to This | # ]
The 10.3 default is more secure
Authored by: insolution on Dec 17, '03 10:00:51AM

Perhaps, but I find that the majority of small offices using OS X Server want files to be shared with write access by default.

This has been an ongoing hassle for admins who have to deal with "Susan can't open my spreadsheet." I'm glad for the option to change the default mask.



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: gmachen on Dec 16, '03 03:44:19PM

I've looked and looked in vain within TinkerTool 3.1 and can't find anything about this. Could someone please point directly to it?



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: stuartbryson on Dec 16, '03 06:14:08PM

On the permissions tab of the toolbar.

There are nine checkboxes which determine the umask.



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: Yelsmek on Dec 18, '03 05:05:14PM

Be VERY careful.

Changing the umask interferes with the Installer. Setting umask to prohibit my group and others from reading, writing and executing my files prohibited me from installing the following new releases:

iTunes
QuickTime 6.5
ARA
Java 3D and JAI



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: daniel_clift on Dec 20, '03 05:30:01PM

Setting the umask to be more restrictive is always risky as you can prevent applications and processes from being able to access files that they need to run things. Software updates and installers might not be able to run, because they wouldn't have permissions to write files to parts of the disk that you had protected.

This hint is really intended more for those users that want to loosen up the permissions structure of Mac OS X 10.3 Panther, to allow them to work in a more collaborative way with others.



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: montalvd on Jan 02, '05 05:16:52PM

...which is exactly why this is an unsupported hack. better to purchase osx server ($499 for 10 users) and not use hacks like sharepoint, especially if you're running a business.

don

don montalvo, nyc




[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: daniel_clift on Jan 14, '05 11:15:47AM

Don

You are right of course that this is an unsupported hack and there are various caveats in the hint and subsequent comments to emphasise this already, however it is one that Apple have realised is wanted by their users (note 10000 people have looked at this hint) - hence the inclusion of a Mac OS X Server setting for this problem from version 10.2.6 onwards. This setting was basically an authorised hack that Apple added in response to user demand for a workaround for the problem.

I would also agree with you that an Apple supported hack is better than an unsupported one, plus Panther Server is very nice if you can afford to buy it. However many small businesses will want to run a file server on an ordinary computer through file sharing, as they were used to doing in Mac OS 9, without having to pay for lots of extra server functionality that they don't want or need. This hint helps them move towards being able to do such a thing in a perfectly reasonable manner for free, when used in conjunction with apps like SharePoints etc.

You might additionally have overlooked the fact that this hint also helps those people who might want to share files on a couple of computers on a home network, and would find buying an extra computer to solve this little problem with a copy of Mac OS X Server 10.3 a little bit overkill.

Hope that helps



[ Reply to This | # ]
Use umask 002 for more security.
Authored by: crispyking on Jan 14, '04 01:48:15PM

Instead of a umask of 0 (which permits everything), it might be better to use a umask of 002 (which permits write to user and group) and use 10.3's new group scheme (where each user has a unique group -- as described in the previous comment "The 10.3 default is more secure").

If you use a default umask of 002, you'll still get all the benefit of users being able to share and write to each others' shared files, but users still get to protect their own files from public access.

To do this: create a new shared group (e.g. "snert") in NetInfo, and add the appropriate users to the group. Create a shared folder for that group and change its group ownership to "snert".

Any files created in the shared folder will be created with group "snert" (files inherit the parent folder's group) and since the umask is 002, they will be created writeable by anyone in group "snert".

Files in their home directory will be created with their default group (which is their unique group of the same name as their userid), and will only be accessible by themselves (even though they are group writeable).



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: ikno on Feb 02, '04 11:12:47AM
Setting NSUmask can also be accomplished using

defaults write -g NSUmask decimal_value
where decimal_value is an integer. For example,

defaults write -g NSUmask 23
sets umask to 0027.

[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: Sophic on Mar 03, '04 11:19:43AM

Hmmmm, this doesn't seem to tell me everything! This global.defaults hack appears to me like it only applies to users logging into the desktop and not network clients, can somebody clarify this? How does this octal 022 relate to the chmod style of permissions '770' or 'ug=rwx o=' for instance? I currently use cron as I'm a bit sceptical about what the next apple update might do to such changes. All I want is to default group permissions to write instead of read only. As I haven't found a way yet do this for 10.3, I'll stick to running chmod scripts in cron. Isn't there something you can do to the /etc/rc file? I use the following (called via another script) if it's any help to anyone else;

#!/bin/sh
# fix
# Usage:
# fix [group|path]
# If path is specified then group must be specified
# If group is omitted then staff is used as default.
# If path is omitted then current directory is used as default.
#
# Default to group "staff" and the current directory when an argument is
# missing or empty (parameter expansion, so the values are never executed).
grp=${1:-staff}
pth=${2:-$PWD}
#echo $grp
#echo "$pth"
# Hand the whole tree to the group, then give the group read/write access.
chown -fhv -R :"$grp" "$pth" >/dev/null
chmod -R g+rw "$pth" >/dev/null


---
If you ain't fast you're last.



[ Reply to This | # ]
Octal chmod/umask codes
Authored by: seika7 on Mar 22, '04 06:33:18PM

"How does this octal 022 relate to the chmod style of permissions '770' or 'ug=rwx o=' for instance?"

These numbers are masks, which subtract, digit by digit, from the maximum octal value of 777 (read/write/execute for user, group, and everyone). (Remember, the maximum digit value in octal is 7 (like 9 for decimal), then the next digit goes to 1 (like 10 in decimal). 8 in decimal is 10 in octal, but don't pronounce it "ten" unless you want to get confused in a hurry.) So a mask of 022 would knock 777 down to 755 which is rwx for the user (owner) and rw for group and everyone. What many file sharing users want is a mask of 002 which knocks 777 down to 775 giving both the user and the group read/write permissions and allowing everyone else to just read.



[ Reply to This | # ]
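The decimal NSUmask values from the hint and the mask arithmetic discussed in this comment can be checked empirically. The following is an added example, not code from the hint or from any commenter: it converts between octal umasks and NSUmask decimals, then creates a file and a directory under each mask and reads back the modes that result. It assumes the shell's own umask as a stand-in for the value NSUmask hands to GUI applications; all function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: umask / NSUmask arithmetic checked against real file creation.

# nsumask_for OCTAL   -> decimal integer to store under the NSUmask key
nsumask_for() { printf '%d\n' "$((0$1))"; }

# octal_for DECIMAL   -> the three-digit octal umask that NSUmask value means
octal_for() { printf '%03o\n' "$1"; }

# mode_of PATH        -> octal permission bits (GNU stat first, then BSD/macOS stat)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# created_modes OCTAL -> "FILEMODE DIRMODE" observed after creating a file and a
# directory under that umask. Runs in a subshell so the caller's umask is untouched.
created_modes() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    : > "$tmp/f"          # the shell requests 666 for a new file
    mkdir "$tmp/d"        # mkdir requests 777 for a new directory
    echo "$(mode_of "$tmp/f") $(mode_of "$tmp/d")"
    rm -rf "$tmp"
)

# exposure FILEMODE   -> who besides the owner can modify a file with that mode
exposure() {
    m=$((0$1))
    if   [ $((m & 0002)) -ne 0 ]; then echo "world-writable"
    elif [ $((m & 0020)) -ne 0 ]; then echo "group-writable"
    else echo "owner-only write"
    fi
}

# The masks mentioned on this page: the default, the group-sharing value,
# the hint's wide-open value, and the restrictive one from the defaults example.
report() {
    for mask in 022 002 000 027; do
        set -- $(created_modes "$mask")
        printf 'umask %s  NSUmask %-2s  file %s  dir %s  %s\n' \
            "$mask" "$(nsumask_for "$mask")" "$1" "$2" "$(exposure "$1")"
    done
}

report
```

The mask clears bits from what the creating program requests (666 for files, 777 for directories), so the same mask yields different modes for files and folders.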
10.3: Set the global umask default value
Authored by: jethro on May 24, '04 05:48:02PM

HELP! I don't know where to look, but I'm having big probs with the whole sharing/permissions issue in Panther. We had it working great in Jaguar with a combination of the 'Global Umask' script and the program SharePoints.

I tried the hint above, and while it DOES seem to help permissions to be consistent when I write files to our shared drives (the shared drives are on my computer), when others (assigned to the group 'Staff') write or edit files to the shared drives, those users are assigned as the 'Owner' instead of Me.

The permissions for all files written by anyone (including myself - the administrator) need to be:
Owner: Me (administrator) - rw
Group: Staff (everyone else in the office) - rw
Others: r

So, as it is now, I cannot edit or write to any files put on the shared drives by anyone else. We NEED to be a collaborative environment. Please help!!



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: daniel_clift on Jun 14, '04 08:55:53PM

What you have written seems to suggest that you have only applied the umask fix to your machine (the server), and not those which your users are working from.

Although in your case you would also need to apply the fix to your "server" since you use it as your workstation, it is important to realise that the primary umask setting for a file is determined by the computer that saves it. The fix that Apple have implemented in Mac OS X Server 10.2.6 and above involves the server "overriding" this initial umask, essentially by creating a new file with the override privileges instead of those set by the individual workstation. In your more adhoc setup it is only really possible to solve the problem at source i.e. your users' computers.

That said, it might also be useful to check the SharePoint Preferences have been set to allow files in the shared directories to inherit their permissions from their parent directories, and maybe doing a quick sweep of those shared directories with BatChmod to correct any errant permissions.



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: samvenning on Jun 26, '04 11:09:15PM
Hmmm. There have been some very interesting solutions suggested for this problem. I quite like the default permissions... except for files in the Public folder. So I opted for a root cron job.

I added the following job to the system (root) crontab file (/etc/crontab)

# Make files in Public folders read/write for all
*/1 * * * * root /bin/chmod -R a+rw /Users/*/Public
Note: Each extended space (ie up to 'root') in the line above is actually a tab.

What does this do? Every minute, on the minute, this system (root) cron job makes all files and directories in users' Public folders read/write by all (User, Group and Others).

The crontab file can easily be distributed company-wide using Apple Remote Desktop software (a very useful product indeed).

This problem is really frustrating for users in a peer-to-peer workgroup. I think Apple should provide a few permission options/settings for the Public folder.

---
Melbourne, Australia

[ Reply to This | # ]

10.3: Set the global umask default value
Authored by: taxi on Jun 27, '04 12:38:20AM

I have a similar thing set up to allow shared R&W access to an iTunes library, and I have a sneaking suspicion that chmod barfs when more than about 2000 files are being processed.

A nicer method would be to only change files that have the wrong permissions:

find /Users/*/Public/ -not -perm 664 -exec chmod 775 {};

but this gives me an error about not being able to find the semi-colon under bash!

I tried playing with csh & tcsh, but wildcards appear to work differently!



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: jtrott on Aug 02, '04 12:42:37AM

You need to escape the ; in bash, use {} \; at the end of your line, that will work.
Thanks,
JT



[ Reply to This | # ]
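The find approach from the two comments above, with the semicolon escaped, written out as an added example (not posted by either commenter). It goes a step further by treating regular files and directories separately, so files receive 664 and only directories receive 775, and it prints each path it changed; the function names and the sample tree are constructed for the illustration.

```shell
#!/bin/sh
# Added example: repair only the entries whose mode is wrong.

# mode_of PATH -> octal permission bits (GNU stat first, then BSD/macOS stat)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# fix_shared_perms DIR -> prints each path it had to change.
# "!" is the POSIX spelling of -not, and "\;" keeps the shell from consuming
# the semicolon that terminates -exec. -print only fires when chmod succeeded.
# find does not follow symlinks here, so link targets outside DIR are untouched.
fix_shared_perms() {
    find "$1" -type f ! -perm 664 -exec chmod 664 {} \; -print
    find "$1" -type d ! -perm 775 -exec chmod 775 {} \; -print
}

# Constructed sample tree standing in for a shared folder.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Public/Drafts"
    : > "$root/Public/ok.txt";        chmod 664 "$root/Public/ok.txt"
    : > "$root/Public/private.txt";   chmod 600 "$root/Public/private.txt"
    : > "$root/Public/Drafts/a.txt";  chmod 644 "$root/Public/Drafts/a.txt"
    chmod 775 "$root/Public"; chmod 700 "$root/Public/Drafts"

    first=$(fix_shared_perms "$root/Public" | wc -l)
    second=$(fix_shared_perms "$root/Public" | wc -l)   # nothing left to change
    echo "$((first)) $((second)) $(mode_of "$root/Public/private.txt") $(mode_of "$root/Public/Drafts")"
    rm -rf "$root"
}

demo
```

The second pass changes nothing, which is the point of filtering on -perm: a job run every minute then touches only newly created or altered entries.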
Also works in 10.4
Authored by: daniel_clift on May 09, '05 04:55:41PM
This hint still seems to work in Mac OS X 10.4 Tiger.

As before, it allows the default file privileges on a Mac to be altered so that files created on that machine can be read from and written to by other users, i.e. a sharing model similar to that used under Mac OS 9 and earlier.

The usual caveats of course still apply
- the default security model in OS X has been chosen for a number of good reasons, so don't change it unless you need to, and are happy at the compromises in security you will be making
- setting the default umask to be more restrictive than the system defaults may cause problems
- always make a backup before changing system files

Enjoy!

[ Reply to This | # ]
Also works in 10.4 (not for me!)
Authored by: matx on Jul 04, '05 06:11:10PM

Hi

I am trying to get read-write perms for group to work globally (per machine). I tried the defaults command and adding the NSUmask value to the main .Global file, but no luck. No file in The Finder is created with this proper umask. I want 002 or 2 (read/write by the group).

All my users are in the same group but yet when they create files they cannot write into the folder of another user.

Ideas?

thanks,
Mat X

---
Mat X -- VFX Mac Tech



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: yooj on Feb 07, '07 09:29:24AM

Has anyone figured out a way to make the "New Folder" button in Save Dialog boxes to retain the finder umask settings?



[ Reply to This | # ]
10.4: Really still working?
Authored by: mdwoernhard on Sep 26, '07 06:28:12PM

I have just spent some time trying to implement setting the global umask with NSUmask.

My findings are that NSUmask does not work as described in this article, as per 10.4.10.

I played with /Library/Preferences/.GlobalPreferences.plist, ~/Library/Preferences/.GlobalPreferences.plist, defaults write -g NSUmask -int 2, defaults write Library/Preferences/.GlobalPreferences -int 2, defaults write /Library/Preferences/.GlobalPreferences -int 2 - to no avail.

The only hint working was 10.4: Set umask independently for Finder.app, but this only applies to new items created with Finder, other GUI-applications still use the default umask 022 (tested with several applications).

I shy away from modifying /System -> Library -> Frameworks -> PreferencePanes.framework -> Versions -> A -> Resources -> global.defaults - not sure if I mess up something important.

Did I overlook something? - In short, I am still missing a working solution for having a default umask of 002 for files/folders created with a GUI ...

/Maurice



[ Reply to This | # ]
10.3: Set the global umask default value
Authored by: dwm on Nov 19, '07 07:37:29PM

Same here, tried all you mentioned and a couple other things to get it working in Leopard 10.5.1. I made sure my Master Password is set. Tried logging in as root. Set root access via the Directory App. Nothing works. It's driving me nuts because I keep running into permissions problems on files that I always had access. Things I could change at will are asking for authentication even when I've verified that I'm running as root, and I own the files. I've got these issues settled down but still can't get a global default umask to stick????

I keep my systems well maintained and have had no serious issues with permissions since I first set NSUmask way back in Panther. Now it's like it was before I set NSUmask, always something. I set NSUmask in
/Library/Preferences/.GlobalPreferences.plist, and ~/Library/Preferences/.GlobalPreferences.plist

It worked great in Tiger right up to including 10.4.10. Every time I did a system update or re-install my settings were respected and copied over. Not so with Leopard, it seems to be dead. All attempts to set the NSUmask are verified as registered but none are functioning.

I don't know if this is a bug, or because Apple has downgraded the duties of the Finder. I've been hoping someone else would verify if it's an issue to report to Apple, or if there is some other intended way to set NSUmask, or maybe it's a closed door.




[ Reply to This | # ]