umask

Setting default file permissions using umask to control how new files and directories are created

The umask command sets the default file permissions for newly created files and directories. It works by masking (removing) permissions from the default permission set, providing baseline security control over file creation for the current shell and its child processes.

Key Concepts

  • Permission Mask: Bits that are cleared from the default permissions (a bitwise mask, not arithmetic subtraction)
  • Default Permissions: Files (666), Directories (777)
  • Octal Notation: Three-digit numbers representing owner, group, other
  • Symbolic Notation: Letters (u,g,o) with operators (+,-,=)
  • Session Scope: umask applies to current shell session and child processes

Command Syntax

umask [options] [mode]

  • Without arguments: displays current umask
  • With mode: sets new umask value
  • Mode can be octal (022) or symbolic (u=rwx,g=rx,o=rx)

Common Options

  • -p - Output in a format reusable as input
  • -S - Display in symbolic notation instead of octal

Practical Examples

Example 1: Check current umask

umask
0022

umask -S
u=rwx,g=rx,o=rx

Shows that the current mask removes write permission for group and others

Example 2: Set restrictive umask

umask 077
touch newfile.txt
ls -l newfile.txt
-rw------- 1 user user 0 date newfile.txt

Only owner has read/write permissions

Example 3: Set permissive umask

umask 002
mkdir newdir
ls -ld newdir
drwxrwxr-x 2 user user 4096 date newdir/

Group has full access, others read/execute

Example 4: Using symbolic notation

umask u=rwx,g=rx,o=
touch symbolic-file
ls -l symbolic-file
-rw-r----- 1 user user 0 date symbolic-file

Removes all permissions for others

Permission Calculation

Default file permissions: 666 (rw-rw-rw-)
umask: 022                   (----w--w-)
Result: 644                  (rw-r--r--)

Default dir permissions: 777 (rwxrwxrwx)
umask: 022                   (----w--w-)
Result: 755                  (rwxr-xr-x)
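
The calculation above can be checked against what the filesystem actually records. The following script is an added example, not part of the original page: it computes base & ~umask and compares the result with a file and a directory created under that umask. The function names are illustrative, octal masks only, and it assumes GNU or BusyBox stat (-c '%a').

```shell
#!/bin/sh
# Added example (not from the original page). Function names are illustrative.
# Assumes GNU or BusyBox stat (-c '%a'); BSD/macOS stat uses -f '%Lp' instead.

# expected_mode BASE MASK: print BASE with every bit set in MASK cleared.
# This is base & ~mask, a bitwise operation rather than arithmetic subtraction.
expected_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# actual_mode KIND MASK: create a file or directory under MASK in a scratch
# directory and print the mode the filesystem recorded. The subshell keeps the
# umask change from leaking into the caller.
actual_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$2"
        if [ "$1" = dir ]; then mkdir "$tmp/probe"; else : > "$tmp/probe"; fi
        mode=$(stat -c '%a' "$tmp/probe")
        rm -rf "$tmp"
        printf '%03o\n' "0$mode"
    )
}

# check_umask MASK: compare the calculation with reality for files and dirs.
check_umask() {
    for kind in file dir; do
        if [ "$kind" = dir ]; then base=777; else base=666; fi
        want=$(expected_mode "$base" "$1")
        got=$(actual_mode "$kind" "$1")
        printf 'umask %s  %-4s  expected %s  actual %s\n' "$1" "$kind" "$want" "$got"
        [ "$want" = "$got" ] || return 1
    done
}

# 033 is the telling case: 666 - 033 would be 633, but the real result is 644.
for m in 022 002 027 077 033; do
    check_umask "$m"
done
```

A mismatch between the expected and actual columns usually means something other than umask is shaping permissions, such as default ACLs on the parent directory.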

Use Cases

  • Security hardening: Set restrictive umask (077) for sensitive environments
  • Shared directories: Use permissive umask (002) for team collaboration
  • Web servers: Moderate umask (022) for public content
  • System scripts: Ensure consistent permissions across deployments

Persistent Configuration

# In ~/.bashrc or ~/.profile
umask 022

# System-wide in /etc/profile
umask 022

# Check login shell defaults
grep -i umask /etc/login.defs

Related Commands

  • chmod - Change existing file permissions
  • chown - Change file ownership
  • ls -l - View current file permissions
  • stat - Display detailed file information

Tips & Troubleshooting

  • umask is subtractive: Every bit set in the mask is removed from new files, so more mask bits = more restrictive
  • Applies to new files only: Existing files unchanged
  • Shell-specific: Each shell session has its own umask
  • Script considerations: Set umask early in scripts for consistency
  • Common values: 022 (standard), 002 (group-friendly), 077 (paranoid)
  • Testing: Create test files after changing umask to verify results