Set a custom umask in macOS

Every file or folder on your Mac has a set of permissions. When you create a new file or folder, the umask determines these permission settings.

About permissions and umasks

These instructions are for Enterprise users. Be careful when you change file permissions and umasks. If you set these incorrectly, you can lower the security of files, folders, or apps on your Mac. You might also prevent some apps from working.

Permissions

Every file, folder, and app that you store on a Mac startup disk or a connected volume has permission settings. The permissions determine which user accounts can read, write to, or run the file, folder, or app. These permissions include POSIX permissions and Access Control Lists (ACLs). 

To make a user’s POSIX permissions more restrictive or less restrictive, you can adjust their umask value.

Umasks

A three-digit number can represent the POSIX permissions for a file. You might see permissions represented this way when you view them from Terminal. Each digit is between zero and seven. When you create a file, the umask value is subtracted from a default value (usually 666 for files and 777 for folders) to determine the permissions for the new file or folder.

For example, a default umask of 022 sets permissions of 644 on new files and 755 on new folders. These permissions allow groups and other users to read the files and open the folders, but only the owner can make changes. 

Be sure you understand umasks before proceeding. If you set a umask incorrectly, you might inadvertently lose access to files or grant access to other users. See the MODES section of the chmod(1) manual page for more information.

You can set the umask in several different locations. Each location affects different apps.

Umask for user applications in macOS High Sierra, macOS Sierra, OS X El Capitan, and OS X Yosemite

In OS X Yosemite 10.10.3 and later, log in as an admin and run this command in Terminal:

sudo launchctl config user umask nnn

Replace nnn with the umask value that you want, such as 027 or 002. After you run this command, you might have to restart your Mac.

This command sets the user's umask for every app that they open, such as Finder, TextEdit, or Final Cut Pro. And it sets their umask for every app that they access from the command line. This command also controls the permissions that are set on new files that these apps create.

If you see a "Could not write configuration: No such file or Directory" message, make sure that you have a /private/var/db/com.apple.xpc.launchd/config folder. If this folder is missing, use this command to create it:

sudo mkdir -m 755 /private/var/db/com.apple.xpc.launchd/config

After you create this folder, run the sudo launchctl config user umask nnn command again. For more information about how to set the umask in OS X Yosemite, run the man launchctl command.

Umask for system processes in OS X Yosemite

In OS X Yosemite 10.10.3 and later, log in as an admin and run this command in Terminal:

sudo launchctl config system umask nnn

Replace nnn with the umask value that you want, such as 027 or 002. After you run this command, you might have to restart your Mac.

This command sets the user’s umask for every daemon that they run in the system context. Changing this value is strongly discouraged because it might change the permissions for files that the system software uses. If you set permissions that are too restrictive, dependent software might not work. If you set permissions that are too open, it might introduce security issues.

If you see a "Could not write configuration: No such file or Directory" message, make sure that you have a /private/var/db/com.apple.xpc.launchd/config folder. If the folder is missing, use this command to create it:

sudo mkdir -m 755 /private/var/db/com.apple.xpc.launchd/config

For more information about how to set the umask in OS X Yosemite, run the man launchctl command.

Umask for user applications in OS X Mavericks and earlier

In OS X Mavericks and earlier, create a /etc/launchd-user.conf file that contains umask nnn. Replace nnn with the umask value that you want, such as 027 or 002. This sets the user's umask for every app that they open, such as Finder, TextEdit, or Final Cut Pro. It also controls the permissions that are set on new files that these apps create.

If you use OS X Lion, you should update to OS X Lion 10.7.4 or later. After you update, the user umask applies to files and folders that are created in the Finder.

Umask for system processes in OS X Mavericks and earlier

In versions of OS X earlier than Yosemite, create a /etc/launchd.conf file that contains umask nnn. Replace nnn with the umask value that you want, such as 027 or 002. This sets the umask for every process. Changing this value is strongly discouraged because it changes the permissions for files that the system software uses. If you set permissions that are too restrictive, dependent software might not work. If you set permissions that are too open, it might introduce security issues.

Umask for a specific LaunchAgent or LaunchDaemon

In Mac OS X 10.4 and later, advanced administrators can set a separate umask for a specific LaunchAgent or LaunchDaemon. To do this, they add a umask value to the launchd plist file. This setting overrides the umask setting in /etc/launchd.conf or /etc/launchd-user.conf for that process only. For more information about this option, run the man launchd.plist command.

Published Date: