Understanding umask - Controlling Default File Permissions

What Is umask?

umask is a mask that controls the default permissions assigned to newly created files and directories. It removes specific permission bits from the maximum allowed permissions — 666 for files and 777 for directories — using a bitwise AND NOT operation.

Quick Summary

  • Maximum default permissions for files: 666 (rw-rw-rw-)
  • Maximum default permissions for directories: 777 (rwxrwxrwx)
  • With umask 022: files get 644 (rw-r--r--), directories get 755 (rwxr-xr-x)

How Does umask Work?

umask specifies the bits to remove from the maximum default permissions. Any bit set in the umask is cleared from the resulting permissions.

The Formula

actual permissions = default maximum AND NOT(umask)

Example with umask 022 creating a file:

  666 = 110 110 110  (owner: rw-, group: rw-, other: rw-)
  AND NOT
  022 = 000 010 010  (mask clears group write and other write)
  ───────────────────────────────────────────────────────────
  644 = 110 100 100  (owner: rw-, group: r--, other: r--)

Subtraction vs. AND NOT

umask is often described as "subtracting" from permissions, but it uses bitwise AND NOT — not arithmetic subtraction. With umask 023, for example, the result is not 666 - 023 = 643 but 644, because the write and execute bits for other are treated as independent bits, both cleared by the mask.

How to Check the Current umask

Run umask without arguments to display the current value in octal:

$ umask
0022

For a human-readable symbolic representation:

$ umask -S
u=rwx,g=rx,o=rx

The leading 0 is the field for the special bits (setuid, setgid, sticky), which is why the value is displayed with four digits, e.g. 0022.

How to Set umask

Pass a value to umask to change the setting. This applies only to the current shell session — opening a new terminal resets it to the system default.

Temporary setting

$ umask 022    # Common default for most environments
$ umask 027    # Prevent group write, block others entirely
$ umask 077    # Owner-only access (most restrictive)
$ umask 002    # Allow group write (collaborative environments)

Verify the effect by creating files:

$ umask 022
$ touch testfile.txt
$ ls -la testfile.txt
-rw-r--r-- 1 user user 0 Jun  1 10:00 testfile.txt

$ umask 077
$ touch private.txt
$ ls -la private.txt
-rw------- 1 user user 0 Jun  1 10:00 private.txt

How to Make umask Persistent

Add the umask command to your shell's startup file so it applies automatically on each login.

Per-user configuration

# ~/.bashrc (bash interactive shell)
echo 'umask 022' >> ~/.bashrc
source ~/.bashrc

# ~/.profile or ~/.bash_profile (login shell)
echo 'umask 022' >> ~/.profile

System-wide configuration

# /etc/profile applies to all users' login shells
# Requires root privileges
sudo nano /etc/profile
# Add at the end: umask 022

Many Linux distributions set the system default umask in /etc/profile or via /etc/login.defs (PAM-based systems). Check these files to understand your system's baseline configuration.

Common umask Values

  umask   File permissions   Directory permissions   Use case
  022     644 (rw-r--r--)    755 (rwxr-xr-x)         General desktop / server environment
  027     640 (rw-r-----)    750 (rwxr-x---)         Restrict group write, block others
  077     600 (rw-------)    700 (rwx------)         Confidential files, personal use
  002     664 (rw-rw-r--)    775 (rwxrwxr-x)         Group development environment
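The formula from "The Formula", the AND-NOT-versus-subtraction point, and the table above, worked in POSIX shell as an added example that is not part of the original page: effective_mode computes base AND NOT umask, symbolic_mode renders a mode as rwx text, and observed_modes creates a real file and directory under a chosen umask in a scratch directory so the computed value can be compared with what the kernel applied. The function names and the scratch directory are this example's own choices.

```shell
# Compute the effective mode the kernel produces: base AND NOT umask.
# Both arguments are octal digit strings such as 666 and 023.
effective_mode() {
    base=$(( 0$1 ))   # a leading 0 makes the shell parse the digits as octal
    mask=$(( 0$2 ))
    printf '%03o\n' $(( base & ~mask & 0777 ))
}

# Render an octal mode as rwx text, e.g. 644 -> rw-r--r--
symbolic_mode() {
    mode=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do
        triad=$(( (mode >> pos) & 7 ))
        out="$out$(printf '%s' '---,--x,-w-,-wx,r--,r-x,rw-,rwx' | cut -d, -f$(( triad + 1 )))"
    done
    printf '%s\n' "$out"
}

# Create a file and a directory under the given umask in a scratch directory
# and report the permission strings ls shows, so the arithmetic above can be
# checked against what the kernel actually did. The umask is changed in a
# subshell, so the caller's own umask is untouched.
observed_modes() {
    tmp=$(mktemp -d)
    ( umask "$1" && touch "$tmp/f" && mkdir "$tmp/d" )
    file_mode=$(ls -ld "$tmp/f" | cut -c2-10)
    dir_mode=$(ls -ld "$tmp/d" | cut -c2-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$file_mode" "$dir_mode"
}

# Walk through the masks from the table, plus 023 to show why AND NOT is
# not subtraction (666 - 023 would give 643; the kernel gives 644).
for m in 022 027 077 002 023; do
    f=$(effective_mode 666 "$m")
    d=$(effective_mode 777 "$m")
    printf 'umask %s: file %s (%s)  dir %s (%s)\n' \
        "$m" "$f" "$(symbolic_mode "$f")" "$d" "$(symbolic_mode "$d")"
done
printf 'observed with umask 027: %s\n' "$(observed_modes 027)"
```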

Security note

Never use umask 000. It leaves all permission bits intact, meaning every new file is world-readable and world-writable.

Why umask Doesn't Grant Execute Permissions

Regardless of umask, files created with touch or most editors do not get execute permissions. The maximum for files is 666, so even umask 000 produces rw-rw-rw- — execute bits never appear from umask alone.

$ umask 000
$ touch script.sh
$ ls -la script.sh
-rw-rw-rw- 1 user user 0 Jun  1 10:00 script.sh   # no x bit

To make a script executable, grant it explicitly with chmod:

$ chmod +x script.sh
$ ls -la script.sh
-rwxrwxrwx 1 user user 0 Jun  1 10:00 script.sh

umask and setgid Directories

When a directory has the setgid (SGID) bit set, files created inside it inherit the directory's group. Combined with umask 002, this enables shared directories where all group members can write.

# Check for SGID directory (note the 's' in the group execute position)
$ ls -ld /var/shared/
drwxrwsr-x 2 root devteam 4096 Jun  1 10:00 /var/shared/

# With umask 002, group write permission is preserved on new files
$ umask 002
$ touch /var/shared/project.conf
$ ls -la /var/shared/project.conf
-rw-rw-r-- 1 user devteam 0 Jun  1 10:00 /var/shared/project.conf

Summary

umask Cheat Sheet

umask           # Show current value (numeric)
umask -S        # Show current value (symbolic)
umask 022       # Standard (file: 644, dir: 755)
umask 077       # Most restrictive (owner only)
umask 002       # Group collaboration environment

What to avoid

  • Using umask 000 — exposes all files to world read/write
  • Forgetting that temporary umask changes reset when the session ends
  • Ignoring the difference between login shell and interactive shell startup files when making persistent changes
