Global Umask Modification for OS X 10.2.x


This page provides a script which can be used to modify the umask setting globally on OS X machines.


PLEASE NOTE: This solution is intended for use with 10.2.x (Jaguar) only, and will not work with 10.3 (Panther). A revised solution is forthcoming.

Changes in 10.2.3

In version 10.2.3 of OS X Server, Apple introduced a preference setting in the Sharing section of Workgroup Manager which provides control over default permissions on Apple File Protocol share points. (See screen grab at right.) Provided that the server and all client machines are running 10.2.3 or later, this feature gives the administrator the choice of using traditional Unix-style permissions or traditional Macintosh AFP-style permissions. While it may still be useful, the global-umask script provided below is no longer strictly necessary in AFP-based networks where permissions can be managed per directory. It is essential, however, with non-AFP-based file sharing or any other situation where the default umask is too restrictive.

Keep in mind that this script will modify the umask for all users using a particular OS X workstation. Unix provides per-user control over the umask through various shell initialization files (which of course work fine on OS X when working in the Terminal), but Apple still needs to provide users with full access to this functionality in a way that's respected by the Finder and other Aqua applications.


The original idea for this solution was first suggested by Chris Adams on the macos-x-server list. Alec Bartsch created several shell scripts to automate his approach, which Len Laughridge greatly improved by unifying into a single script and generalizing for different umask values.

Download the global-umask script.


In a Terminal window, navigate to the directory in which you downloaded the above .tar file. Decompress it with this command:

tar -xvf finder-umask-mod.tar

Navigate into the resulting finder-umask-mod directory and run the install script:


You will be required to enter an administrator's password. The global-umask script is installed in /usr/local/sbin.

How To Use

Run the script (as root) to change the umask on your system, passing the new umask value in the same octal notation that would be passed to the umask command itself:

sudo /usr/local/sbin/global-umask 002

Remember to reboot when prompted, and keep in mind that the modified umask will only affect newly created files and directories—not existing ones.

Detailed instructions are included in the read-me file included with the script. For a brief summary, run global-umask without any arguments:

sudo /usr/local/sbin/global-umask

What's the umask?

Unix/BSD defines a "file creation mask" (or "umask", not "unmask") that allows users to determine the minimum level of security they require on their files and directories, beyond which individual applications are free to impose further restrictions if they so choose. The default umask is 022, which disables write-permission for both the group and world. (For more information on what this number means, man umask and/or man chmod in a Terminal window.)

The umask value is passed along by a parent process to any child processes it launches. The trick is to modify that value early enough in the boot sequence that it is inherited by the WindowServer process, which is in turn the parent of the Finder and other GUI apps in OS X. Unfortunately a StartupItem does not run early enough, so we must modify two low-level system files on every OS X client machine on which you want to apply the desired umask: /etc/rc and /etc/ttys.


This is not for everyone. There should be no harm from making this change, but be aware that there are security implications. If you have hundreds or thousands of users all in a single primary group, for example, you may not wish to have group-writable permission turned on by default. The Apple default may be more appropriate for your situation. Use at your own risk.

This script was tested in 10.2.0 through 10.2.3, and may or may not work for later versions. The authors hope you find it useful, but accept no responsibility for anything you do to your system or your data.

Under the Hood

Global-umask makes a backup copy of /etc/rc and inserts a umask command just before the call to SystemStarter at the end of the script. That takes care of adjusting the umask the first time after a reboot. It then makes a directory called /usr/local/sbin if one doesn't already exist, and writes a shell script into that directory called CustomWindowServer. That script simply sets the umask and calls the WindowServer process. Finally, /etc/ttys is backed up and modified to point to the CustomWindowServer rather than the default one, which takes care of setting the umask on subsequent logout/login cycles. Both changes are required to modify the umask in every case.

Backing Out

To undo the changes introduced by global-umask, run it like this:

sudo /usr/local/sbin/global-umask defaults

You may wish to read the script to familiarize yourself with the backup files it creates, and take care not to delete them.


If you have any questions or comments on global-umask, please refer them to Len Laughridge. If you have any comments or suggestions on how to improve this web page, Alec Bartsch would be pleased to hear them. And don't forget to let Apple know that this is an important issue which needs to be addressed in future versions of OS X.

Alec Bartsch

Last modified October 26, 2003