Set a custom umask in macOS

Every file and folder on your Mac has a set of permissions. When you create a new file or folder, the umask determines these permissions.

These advanced steps are primarily for system administrators and others who are familiar with the command line. Be careful when you change file permissions and umasks. If you make a mistake, you can lower the security of files, folders, or apps on your Mac, or prevent apps from working.

About permissions and umasks

Permissions. Every file, folder, and app stored on your Mac has permission settings, which determine which user accounts can read, write to, or run the file, folder, or app. These permissions include POSIX permissions and Access Control Lists (ACLs). To make a user’s POSIX permissions more restrictive or less restrictive, you can adjust their umask value.

Umasks. A three-digit number can represent the POSIX permissions for a file. You might see permissions represented this way when you view them from Terminal. Each digit is between 0 and 7. When you create a file, the permission bits set in the umask value are removed from a default value (usually 666 for files and 777 for folders) to determine the permissions for the new file or folder. For example, a default umask of 022 sets permissions of 644 on new files and 755 on new folders.

You can set the umask in several locations, and each location affects different apps. If you set an umask incorrectly, you might lose access to files or grant access to other users. See the MODES section of the chmod(1) manual page for more information.
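
To preview what a candidate umask will do before you apply it, the following added example (not part of the original article) computes the expected modes by clearing the umask's bits from 666 and 777, then confirms them by creating a file and a folder in a temporary directory. The function names and the extra sample value 077 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: preview the modes a candidate umask produces.
# Function names and the 077 sample are illustrative, not from the article.

# Succeeds only for a three-digit octal value such as 022 or 027.
valid_umask() {
    case "$1" in
        [0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "file dir" modes predicted by clearing the umask bits from 666/777.
predicted_modes() (
    valid_umask "$1" || exit 2
    printf '%03o %03o\n' $(( 0666 & ~0$1 )) $(( 0777 & ~0$1 ))
)

# Print the octal mode of a path (GNU stat first, then BSD/macOS stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "file dir" modes actually observed under the umask, in a scratch dir.
observed_modes() (
    valid_umask "$1" || exit 2
    scratch=$(mktemp -d) || exit 1
    umask "$1"                      # affects this subshell only
    touch "$scratch/file"
    mkdir "$scratch/dir"
    f=$(mode_of "$scratch/file")
    d=$(mode_of "$scratch/dir")
    rm -rf "$scratch"
    printf '%03o %03o\n' "0$f" "0$d"
)

# 022, 027 and 002 appear in the article; 077 is a constructed extra case.
for m in 022 027 002 077; do
    echo "umask $m: predicted $(predicted_modes "$m"), observed $(observed_modes "$m")"
done
```

The 077 case shows why the operation is a bit mask rather than arithmetic: new files get 600, because a bit that is already absent from 666 cannot be removed a second time.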

Umask for user apps

Log in as an administrator and enter the following command in Terminal, replacing nnn with the umask value, such as 027 or 002. This command sets the user's umask for every app they open, including apps they access from the command line and new files that those apps create. After entering this command, you might need to restart your Mac.

sudo launchctl config user umask nnn

If Terminal responds “Could not write configuration: No such file or directory,” make sure that your startup disk has a folder at /private/var/db/com.apple.xpc.launchd/config. If the config folder is missing, try again after entering the following command to create it:

sudo mkdir -m 755 /private/var/db/com.apple.xpc.launchd/config

Umask for system processes

Log in as an administrator and enter the following command in Terminal, replacing nnn with the umask value, such as 027 or 002. This command sets the user's umask for every daemon that they run in the system context. This is strongly discouraged because it can change the permissions for files that the system uses. Permissions that are too restrictive can prevent software from working, and permissions that are too open can introduce security issues. After entering this command, you might need to restart your Mac.

sudo launchctl config system umask nnn

If Terminal responds “Could not write configuration: No such file or directory,” make sure that your startup disk has a folder at /private/var/db/com.apple.xpc.launchd/config. If the config folder is missing, try again after entering the following command to create it:

sudo mkdir -m 755 /private/var/db/com.apple.xpc.launchd/config

Learn more

For more information about how to set an umask, enter man launchctl in Terminal.
