The umask command in Linux: setting default permissions

Introduction

In Unix-like systems, each file and directory has a set of permissions that determine who can read, write, or execute the resource. When a new file is created, the kernel assigns initial permissions that are then modified by the file creation mask, known as umask. This command allows you to define, by default, which permission bits should be removed, ensuring that new resources have the desired access level without needing to intervene manually after creation.

What is umask?

The term umask comes from ‘user file-creation mode mask’. It is an octal (or symbolic) value that indicates which permissions should be denied when creating a file or directory. The creating program requests base permissions, normally 666 for files and 777 for directories, and the kernel removes every permission bit that is set in the umask. The result is the final set of permissions applied to the new resource.

How the calculation works

To understand the process, imagine that the system starts from the maximum permissions:

  • Files: 666 (rw- rw- rw-)
  • Directories: 777 (rwx rwx rwx)

If your umask is 022, the calculation would be:

  • File: 666 − 022 = 644 (rw- r-- r--)
  • Directory: 777 − 022 = 755 (rwx r-x r-x)

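The bits that appear in the mask are removed from the base permissions; any bit that is not in the mask is retained. The subtraction above is therefore shorthand for a bitwise operation (base AND NOT mask), and the two give the same result only when every bit in the mask is also set in the base permissions.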
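
The calculation above as an added example, not part of the original article: it compares the subtraction shortcut with the bitwise rule and with the mode of a file and directory actually created under each umask. The function names and the sample masks are illustrative; stat -c assumes GNU coreutils, with BSD stat as a fallback.

```shell
#!/bin/sh
# Added example: the umask clears bits (base AND NOT mask); it is not subtraction.
# Function names are illustrative and not from the original article.

# predicted_mode BASE MASK: permissions left after the mask bits are cleared
predicted_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# naive_subtract BASE MASK: the shortcut, correct only when every mask bit
# is also set in the base permissions
naive_subtract() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# observed_mode MASK file|dir: create a real object under that umask in a
# throwaway directory and report the mode the system actually assigned
observed_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
        # GNU stat first, BSD stat as a fallback
        mode=$(stat -c '%a' "$tmp/new" 2>/dev/null || stat -f '%Lp' "$tmp/new")
        rm -rf "$tmp"
        printf '%s\n' "$mode"
    )
}

# Constructed sample masks: for 027, 033 and 077 the subtraction column is
# wrong, while the predicted column matches what the system creates.
printf '%-6s %-9s %-10s %-6s %s\n' umask subtract predicted file dir
for m in 022 027 033 077; do
    printf '%-6s %-9s %-10s %-6s %s\n' "$m" \
        "$(naive_subtract 666 "$m")" "$(predicted_mode 666 "$m")" \
        "$(observed_mode "$m" file)" "$(observed_mode "$m" dir)"
done
```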

Common values and examples

Some frequently used umask values and their effects:

  • 002 → files 664, directories 775 (ideal for group environments where all group members can write)
  • 022 → files 644, directories 755 (default value on many distributions)
  • 077 → files 600, directories 700 (maximum privacy, only the owner can read, write, or execute)
  • 000 → files 666, directories 777 (no restrictions, rarely recommended for security reasons)

To view the current umask, simply run umask in the terminal. To change it temporarily for the current session, use umask 002. The new value will affect all files and directories created until the session ends or another umask is set.

Changing umask permanently

If you want the umask to be applied each time you start a session, you must add it to one of the shell’s initialization files. For example, for Bash:

  • Add the line umask 002 at the end of ~/.bashrc or ~/.profile.
  • After saving, reload the configuration with source ~/.bashrc or open a new terminal.

On systems that use Zsh, the corresponding file is ~/.zshrc. In multi-user environments, administrators can define umask globally in /etc/profile or /etc/bash.bashrc, affecting all users who do not override the value in their personal configuration.

Best practices and tips

  • Evaluate the environment: on shared servers, a umask of 002 or 007 helps maintain collaboration without exposing data to other users.
  • On individual workstations, a umask of 077 provides greater confidentiality.
  • Avoid using overly permissive values like 000; they can leave files readable or writable by anyone, which poses a security risk.
  • Remember that umask only affects the creation of new resources; existing file permissions are not automatically modified.
  • If you need to apply specific permissions after creation, combine umask with chmod or use ACLs for finer-grained control.

Mastering the umask command allows you to centrally and predictably control the permissions of the files and directories you create, improving both organization and security on your Linux system.

This work is licensed under a Creative Commons Attribution 4.0 International License for Francesc Roig francesc@vivaldi.net.