When you create a new file or directory in a Linux environment, the system automatically assigns it a set of initial permissions. These default values are not random; they are controlled by an octal bitmask known as the umask (user file-creation mask). Mastering the umask is essential for maintaining system security and ensuring the principle of least privilege is applied to every new object on your filesystem.
How umask Works
The umask acts as a filter that “clears” or removes specific permissions from a starting base value. It does not “grant” permissions; it restricts them.
The operating system uses two different starting points for base permissions:
- Directories: start with base permissions of 0777 (`drwxrwxrwx`).
- Regular files: start with base permissions of 0666 (`-rw-rw-rw-`).
Note that regular files never receive execute permission by default, regardless of the umask setting; because the base value is 0666, the mask has no execute bit to preserve, and execute must always be added explicitly (for example with chmod) afterwards.
Calculating Initial Permissions
If a bit is set in the umask, the corresponding permission is removed from the new file or directory. For example:
- umask 0002: The “2” in the “other” position clears the write bit for other users.
- umask 0077: Clears all group and other permissions entirely, ensuring only the owner can access the new file.
- umask 0027: New files will have read/write for the user, read-only for the group, and no access for others.
Practical Examples of umask Effects
The following table illustrates how different umask values impact the final permissions of files and directories:
| umask Value | New File Permission | New Directory Permission | Resulting Access |
|---|---|---|---|
| 0002 (Default) | rw-rw-r-- (664) | rwxrwxr-x (775) | Others can read but not write. |
| 0000 | rw-rw-rw- (666) | rwxrwxrwx (777) | Public access; everyone can write. |
| 0007 | rw-rw---- (660) | rwxrwx--- (770) | Others have no access at all. |
| 0027 | rw-r----- (640) | rwxr-x--- (750) | Group is read-only; Others have no access. |
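The calculation behind the list and the table above, as an added example that is not part of the original article: `apply_umask` clears the mask bits from the 0666 or 0777 base with a bitwise AND against the inverted mask, `symbolic` renders the result in the `ls -l` style used in the table, and `observe_modes` creates a real file and directory under the chosen umask in a scratch directory so the arithmetic can be checked against what the kernel actually does. The function names are this example's own; `stat -c` is GNU coreutils, with an `ls -ld` fallback for other systems.

```shell
#!/bin/sh
# Added example (not from the original article): compute the permissions a new
# file or directory receives under a given umask, render them in ls-style
# symbolic form, and confirm the result against what the kernel actually does.

# Octal string (e.g. 0027, 027, 27) -> decimal integer. printf treats a
# leading 0 as an octal constant, so the prefix makes every form safe.
oct2dec() { printf '%d' "0$1"; }

# Base mode with the umask bits cleared, printed as three octal digits.
apply_umask() {
  base=$(oct2dec "$1"); mask=$(oct2dec "$2")
  printf '%03o\n' $(( base & ~mask ))
}
new_file_mode() { apply_umask 666 "$1"; }   # regular files start from 0666
new_dir_mode()  { apply_umask 777 "$1"; }   # directories start from 0777

# Octal mode -> "rwxr-x---" style string for the user, group, other triplets.
symbolic() {
  m=$(oct2dec "$1"); out=""
  for pos in 6 3 0; do
    t=$(( (m >> pos) & 7 ))
    [ $(( t & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $(( t & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $(( t & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
  done
  printf '%s\n' "$out"
}

# Create a real file and directory under the given umask (in a subshell, so the
# caller's mask is untouched) and print the modes the kernel assigned.
observe_modes() {
  tmp=$(mktemp -d) || return 1
  ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" )
  stat -c '%n %a' "$tmp/f" "$tmp/d" 2>/dev/null || ls -ld "$tmp/f" "$tmp/d"
  rm -rf "$tmp"
}

# Reproduce the table rows from the article, plus the owner-only 0077 case.
for u in 0002 0000 0007 0027 0077; do
  f=$(new_file_mode "$u"); d=$(new_dir_mode "$u")
  printf 'umask %s: file %s (%s)  dir %s (%s)\n' \
    "$u" "$(symbolic "$f")" "$f" "$(symbolic "$d")" "$d"
done
observe_modes 0027   # expect f 640 and d 750, matching the arithmetic
```

The `~mask` inversion is why the mask can only remove bits: a bit that is 0 in the base (the execute bit of a file) stays 0 no matter what the mask says, which is the point made under "How umask Works".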
How to Manage Your umask
You can interact with your umask settings directly through the terminal:
- View current value: type `umask` without any arguments to see the current octal value for your shell session.
- Temporary change: provide a numeric argument, such as `umask 007`, to change the mask for the current shell session only.
- Persistent change: to make the change permanent for your user account, append the command (e.g., `echo "umask 007" >> ~/.bashrc`) to a shell startup script such as `~/.bashrc` or `~/.bash_profile`.
- Apply changes: for a persistent change to take effect, log out and log back in to start a new shell session.
System Defaults
The default umask is typically defined globally in /etc/profile or /etc/bashrc. On systems like Red Hat Enterprise Linux, the default logic often follows these rules:
- If a user’s UID is 200 or higher and their username matches their primary group name, they are assigned a umask of 002.
- Otherwise, the system defaults to a more restrictive umask of 022.
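The Red Hat style default rule above, written as a pure shell function so it can be checked without editing any system file. This is an added example and not copied from `/etc/profile`; the function names `pick_default_umask` and `my_default_umask` are this example's own, and the rule is reconstructed from the two bullets (UID of 200 or higher and username equal to primary group name gives 002, anything else gives 022).

```shell
#!/bin/sh
# Added example (not from the original article): the default-umask rule the
# text attributes to RHEL-style /etc/profile, as a pure function that takes the
# three inputs the rule depends on, plus a helper that evaluates it for the
# account running the script.

# pick_default_umask UID USERNAME PRIMARY_GROUP -> prints 002 or 022
pick_default_umask() {
  uid=$1; user=$2; group=$3
  if [ "$uid" -ge 200 ] && [ "$user" = "$group" ]; then
    printf '002\n'   # user-private-group scheme: group write only reaches the user's own group
  else
    printf '022\n'   # system accounts or a shared primary group: keep group read-only
  fi
}

# Same rule applied to the current account (id -u / -un / -gn are POSIX).
my_default_umask() {
  pick_default_umask "$(id -u)" "$(id -un)" "$(id -gn)"
}

# Compare the rule's answer with the mask actually in effect in this shell; a
# mismatch usually means a startup script or the service manager overrode it.
printf 'rule says %s, shell reports %s\n' "$(my_default_umask)" "$(umask)"
umask -S   # symbolic view of the current mask, e.g. u=rwx,g=rx,o=rx
```

The comparison is worth running on hosts where users share a primary group such as `users`: the rule then yields 022, and any account that nevertheless reports 002 has had its mask relaxed somewhere after `/etc/profile`.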
