When you create a new file or directory on a Linux system, it comes with default permissions that might be too permissive for a secure environment. The umask setting is the primary way to control these default permissions, acting as a mask to remove bits from the maximum possible permissions.
Let’s see this in action. If you create a file, the maximum permissions are rw-rw-rw- (666). If your umask is 022, then 666 - 022 = 644 (rw-r--r--). For directories, the maximum is rwxrwxrwx (777), so 777 - 022 = 755 (rwxr-xr-x).
# Check current umask
umask
# Output might be: 0022 (or 0002 on some systems)
# Create a file and check permissions
touch my_secret_file.txt
ls -l my_secret_file.txt
# Output: -rw-r--r-- 1 user group ... my_secret_file.txt
# Create a directory and check permissions
mkdir my_secret_dir
ls -ld my_secret_dir
# Output: drwxr-xr-x 2 user group ... my_secret_dir
The core problem umask solves is preventing accidental oversharing of newly created files. By default, many systems use umask 0002, which gives group write permission to all new files and directories. This is often a security risk, as any user in the same group as the file creator could modify or delete it.
The umask value is a three-digit octal number, where each digit corresponds to user, group, and others, respectively. The value represents permissions to be removed.
- User: The first digit controls permissions for the file owner.
- Group: The second digit controls permissions for the group.
- Others: The third digit controls permissions for everyone else.
The bits removed correspond to:
4: read (r)2: write (w)1: execute (x)
So, a umask of 022 means:
- Remove
2(write) for the group. - Remove
2(write) for others. - The leading
0is often used for special permissions (sticky bit, setuid, setgid) and is typically0for standard umask.
To lock down security, you want to remove write and execute permissions for group and others by default. A common secure umask is 077.
Let’s set it and test:
# Set umask for the current session
umask 077
# Create a file
touch another_secret.txt
ls -l another_secret.txt
# Output: -rw------- 1 user group ... another_secret.txt
# Create a directory
mkdir another_secret_dir
ls -ld another_secret_dir
# Output: drwx------ 2 user group ... another_secret_dir
With umask 077, the owner gets full read/write (600 for files, 700 for directories), while group and others get no permissions at all. This is a strong default for sensitive data.
To make this change permanent, you need to edit system-wide or user-specific configuration files.
System-wide (for all users):
Edit /etc/profile or files in /etc/profile.d/. For instance, you might add umask 077 at the end of /etc/profile. Some systems also manage this via /etc/login.defs.
User-specific (for a particular user):
Edit ~/.bashrc or ~/.profile for the user. Add umask 077 to the end of the file.
# Example: Adding to user's .bashrc
echo "umask 077" >> ~/.bashrc
source ~/.bashrc # Apply the change for the current session
The most surprising true thing about umask is that it’s defined by what it removes, not what it grants. This often leads to confusion because you’re subtracting from a theoretical maximum.
Consider the maximum permissions:
- Files:
666(rw-rw-rw-) - Directories:
777(rwxrwxrwx)
When you set umask 027:
- For files:
666 - 027 = 640(rw-r-----) - For directories:
777 - 027 = 750(rwxr-x---)
This 027 umask is a good balance: the owner has full permissions, the group can read and execute (but not write), and others have no permissions. It’s more permissive than 077 but more secure than the common 002.
The reason umask is applied after the kernel creates the inode is to ensure that even if the application creating the file attempts to set overly permissive rights, umask can enforce a more restrictive default. It’s a final gatekeeper for default permissions.
For applications that need specific permissions (like setuid binaries or world-writable directories), umask doesn’t prevent explicit permission setting using chmod. It only affects the defaults for newly created objects.
The next concept you’ll likely run into is managing permissions for existing files and directories using chmod and chown.