Setting a custom umask in OS X

Every file or folder on your Mac has permissions associated with it. When you create a file or folder, the umask setting determines these permissions.

About permissions and umasks

Be careful when changing file permissions and umasks. Setting these incorrectly can lower the security of files, folders, or apps on your Mac or prevent some apps from working. These instructions are intended for Enterprise users.

Permissions

Files, folders, and apps stored on a Mac startup disk and connected volumes include permission settings that determine which user accounts can read, write, or execute each item. These include POSIX permissions and Access Control Lists (ACLs). 

You can set more or less restrictive POSIX permissions for a user by setting a user's umask value.

Umasks

The POSIX permissions on a file can be represented by a number with three digits. You might see permissions listed this way when viewing them from the Terminal. Each digit can be zero through seven. When you create a file, the umask value is subtracted from a default value (usually 666 for files, 777 for folders) to determine the permissions on the new file or folder.

For example, the default umask of 022 results in permissions of 644 on new files and 755 on new folders. Groups and other users can read the files and traverse the folders, but only the owner can make changes.
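The following is an added example, not part of the original article: a shell script that computes the mode a umask produces and confirms it by creating a file and a folder in a temporary directory. The system applies a umask by clearing its bits from the requested mode, which matches digit-by-digit subtraction for values such as 022 and 027 but not for a value such as 033. The function names and the temporary path are assumptions of the example.

```shell
#!/bin/sh
# Added example: predict the mode a umask yields, then observe it on disk.

# predicted_mode BASE UMASK: print BASE with the UMASK bits cleared (octal).
predicted_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# mode_of PATH: print the octal permission bits (GNU stat, then BSD/macOS stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# observed_modes UMASK: create a file and a folder under UMASK in a scratch
# directory (path is an assumption of this example) and print "FILE FOLDER".
observed_modes() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/umask-demo.XXXXXX") || return 1
    (
        umask "$1"               # subshell: the caller's umask is untouched
        : > "$scratch/file"      # the shell requests 666 for a new file
        mkdir "$scratch/folder"  # mkdir requests 777 for a new folder
    )
    echo "$(mode_of "$scratch/file") $(mode_of "$scratch/folder")"
    rm -rf "$scratch"
}

# 022, 027 and 002 are the values the article mentions; 033 is a constructed
# value where subtracting digits (666 - 033 = 633) gives the wrong answer.
for mask in 022 027 002 033; do
    echo "umask $mask: predicted $(predicted_mode 666 "$mask")" \
         "$(predicted_mode 777 "$mask"), observed $(observed_modes "$mask")"
done
```

Running the same check against a candidate value before passing it to launchctl shows exactly which group and other bits new files and folders will carry.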

There are several different places where the umask can be set, each affecting different apps.

Umask for user applications (OS X Yosemite)

In OS X Yosemite v10.10.3 and later, you can use this command in Terminal while logged in as an admin user:

sudo launchctl config user umask nnn

Replace nnn with the desired umask value, such as 027 or 002. This sets the user's umask for all apps they open, such as Finder, TextEdit, or Final Cut Pro, or apps accessed from the command line. It also controls the permissions set on new files created by any of these apps.

If you see the message "Could not write configuration: No such file or Directory", check that the /private/var/db/com.apple.xpc.launchd/config directory is present. If this folder is missing, you can create it manually with the command below. After creating the folder, try the launchctl command again.

sudo mkdir -m 755 /private/var/db/com.apple.xpc.launchd/config

For more information about setting the umask in Yosemite, see man launchctl.

Umask for system processes (OS X Yosemite)

In OS X Yosemite v10.10.3 and later, you can execute this command in Terminal while logged in as an admin user:

sudo launchctl config system umask nnn

Replace nnn with the desired umask value, such as 027 or 002. This sets the umask for daemons that are launched in the system context. Changing this value is strongly discouraged because it might change the permissions on files used by the system software. If the permissions are too restrictive, dependent software may not work. If the permissions are too open, they may introduce security issues.

If you see the message "Could not write configuration: No such file or Directory", check that the /private/var/db/com.apple.xpc.launchd/config directory is present. If this folder is missing, you can create it manually with the command below. After creating the folder, try the launchctl command again.

sudo mkdir -m 755 /private/var/db/com.apple.xpc.launchd/config

For more information about setting the umask in Yosemite, see man launchctl.

Umask for user applications (Mavericks and earlier)

In versions of OS X earlier than Yosemite, you can create the file /etc/launchd-user.conf with the contents umask nnn. Replace nnn with the desired umask value, such as 027 or 002.

This sets the user's umask for all apps they open, such as Finder, TextEdit, or Final Cut Pro, and controls the permissions set on new files created by any of these apps.

Note: If you are using OS X Lion, you should update to OS X Lion v10.7.4 or later. Files and folders created in the Finder then respect the user umask.

Umask for system processes (Mavericks and earlier)

In versions of OS X earlier than Yosemite, create the file /etc/launchd.conf with the contents umask nnn. Replace nnn with the desired umask value, such as 027 or 002.

This sets the umask for all processes. Changing this value is strongly discouraged because it changes the permissions on files used by system software. If the permissions are too restrictive, dependent software may not work. If the permissions are too open, they might introduce security issues.

Umask for a specific LaunchAgent or LaunchDaemon

In Mac OS X v10.4 and later, advanced administrators can set a separate umask for a specific LaunchAgent or LaunchDaemon by adding a umask value to the launchd plist file. This setting overrides (for that process only) the umask setting in /etc/launchd.conf or /etc/launchd-user.conf. For more information on this option, see man launchd.plist.
