What is Umask and How To Setup Default umask Under Linux?

by Vivek Gite on January 31, 2007 · 59 comments

Anil ask a question (via email):

What is umask and how is it determined on a Linux system?


When user create a file or directory under Linux or UNIX, she create it with a default set of permissions. In most case the system defaults may be open or relaxed for file sharing purpose. For example, if a text file has 666 permissions, it grants read and write permission to everyone. Similarly a directory with 777 permissions, grants read, write, and execute permission to everyone.

Default umask Value

The user file-creation mode mask (umask) is use to determine the file permission for newly created files. It can be used to control the default file permission for new files. It is a four-digit octal number. A umask can be set or expressed using:

  • Symbolic values
  • Octal values

Procedure To Setup Default umask

You can setup umask in /etc/bashrc or /etc/profile file for all users. By default most Linux distro set it to 0022 (022) or 0002 (002). Open /etc/profile or ~/.bashrc file, enter:
# vi /etc/profile
OR
$ vi ~/.bashrc
Append/modify following line to setup a new umask:
umask 022
Save and close the file. Changes will take effect after next login. All UNIX users can override the system umask defaults in their /etc/profile file, ~/.profile (Korn / Bourne shell) ~/.cshrc file (C shells), ~/.bash_profile (Bash shell) or ~/.login file (defines the user's environment at login).

Explain Octal umask Mode 022 And 002

As I said earlier, if the default settings are not changed, files are created with the access mode 666 and directories with 777. In this example:

  1. The default umask 002 used for normal user. With this mask default directory permissions are 775 and default file permissions are 664.
  2. The default umask for the root user is 022 result into default directory permissions are 755 and default file permissions are 644.
  3. For directories, the base permissions are (rwxrwxrwx) 0777 and for files they are 0666 (rw-rw-rw).

In short,

  1. A umask of 022 allows only you to write data, but anyone can read data.
  2. A umask of 077 is good for a completely private system. No other user can read or write your data if umask is set to 077.
  3. A umask of 002 is good when you share data with other users in the same group. Members of your group can create and modify data files; those outside your group can read data file, but cannot modify it. Set your umask to 007 to completely exclude users who are not group members.

But, How Do I Calculate umasks?

The octal umasks are calculated via the bitwise AND of the unary complement of the argument using bitwise NOT. The octal notations are as follows:

        • Octal value : Permission
        • 0 : read, write and execute
        • 1 : read and write
        • 2 : read and execute
        • 3 : read only
        • 4 : write and execute
        • 5 : write only
        • 6 : execute only
        • 7 : no permissions

Now, you can use above table to calculate file permission. For example, if umask is set to 077, the permission can be calculated as follows:

BitTargeted atFile permission
0Ownerread, write and execute
7GroupNo permissions
7OthersNo permissions

To set the umask 077 type the following command at shell prompt:
$ umask 077
$ mkdir dir1
$ touch file
$ ls -ld dir1 file

Sample outputs:

drwx------ 2 vivek vivek 4096 2011-03-04 02:05 dir1
-rw------- 1 vivek vivek    0 2011-03-04 02:05 file

Task: Calculating The Final Permission For FILES

You can simply subtract the umask from the base permissions to determine the final permission for file as follows:
666 - 022 = 644

  • File base permissions : 666
  • umask value : 022
  • subtract to get permissions of new file (666-022) : 644 (rw-r--r--)

Task: Calculating The Final Permission For DIRECTORIES

You can simply subtract the umask from the base permissions to determine the final permission for directory as follows:
777 - 022 = 755

  • Directory base permissions : 777
  • umask value : 022
  • Subtract to get permissions of new directory (777-022) : 755 (rwxr-xr-x)

How Do I Set umask Using Symbolic Values?

The following symbolic values are used:

  1. r : read
  2. w : write
  3. x : execute
  4. u : User ownership (user who owns the file)
  5. g : group ownership (the permissions granted to other users who are members of the file's group)
  6. o : other ownership (the permissions granted to users that are in neither of the two preceding categories)

The following command will set umask to 077 i.e. a umask set to u=rwx,g=,o= will result in new files having the modes -rw-------, and new directories having the modes drwx------:
$ umask u=rwx,g=,o=
$ mkdir dir2
$ touch file2
$ ls -ld dir2 file2

Sample umask Values and File Creation Permissions

If umask value set toUser permission Group permissionOthers permission
000allallall
007allallnone
027allread / executenone

all = read, write and executable file permission

Limitations of the umask

  1. The umask command can restricts permissions.
  2. The umask command cannot grant extra permissions beyond what is specified by the program that creates the file or directory. If you need to make permission changes to existing file use the chmod command.

umask and level of security

The umask command be used for setting different security levels as follows:

umask valueSecurity levelEffective permission (directory)
022Permissive755
026Moderate751
027Moderate750
077Severe700

For more information about the umask read the man page of bash or ksh or tcsh shell:
man bash
help umask
man chmod

Updated for accuracy!

Featured Articles:

Share this with other sys admins!
Facebook it - Tweet it - Print it -

We're here to help you make the most of sysadmin work. So, subscribe!

{ 59 comments… read them below or add one }

1 Dmitry February 7, 2007

Reply from text:
—————————-
To calculate file permission for 022 (root user):
Default Permissions: 777

To calculate directory permission for 022 umaks (root user):
Default Permissions: 666

————————————
It’s wrong, isn’t it?
The right answer is:

To calculate _file_ permission for 022 (root user):
Default Permissions: _666_
etc.
To calculate _directory_ permission for 022 umaks (root user):
Default Permissions: _777_
etc.

Reply

2 Deepak February 25, 2011

You are right. I had this doubt and was going over and over more than once. It is a typo.

Reply

3 WGriffin March 8, 2007

The title says “How to setup default umask”
You never mention how to actually set the default up.

Reply

4 nixcraft March 8, 2007

WGriffin,

Opps. Post has been updated. Thanks for heads up!

Reply

5 RAHUL January 1, 2008

Yes Guy !

Its an excellent site for newbie.
I like it most…

I think its help all Linuxx user.

Reply

6 ahmed March 28, 2008

thanks. very helpful

Reply

7 posicionamiento June 9, 2008

thanks guys….
I like such short tutorials …;)
Cheers

Reply

8 niez June 25, 2008

Hi there!

I’ve tried changing umask on my GNU/Linux box (Gentoo). Is’s look like 0000 and 0111 is the same mask. What’s going on?

Reply

9 Raghu June 27, 2008

Default (initial) Run level for root?

Reply

10 Sunny Thakur June 30, 2008

Hi,
I have done this thing 3 times….but not any affect on umask default permissions.
i used :
# umask 0077 command for temporarily umask….

Reply

11 sushil September 17, 2008

permissions for files are as follows

777 – Executable files
666 – Text files

Reply

12 Freebsd_man December 6, 2008

You say: For directories, the base permissions are (rwxrwxrwx) 0777 ….

and then you calculated:

To calculate directory permission for 022 umaks (root user):
Default Permissions: 666

nonsense ?

Reply

13 georgh January 8, 2009

I know this is a very old post, but I would like to correct one thing if someone lands here from a search engine:

According to the DebianDesktopHowTo the value for UMASK has to be changed in both /etc/profile and /etc/lgin.defs. This howto has a specific section about permissions in a shared computer.

Thanks for posting this.

Reply

14 georgh January 8, 2009

I meant login.defs.

Sorry.

Reply

15 jeet January 27, 2009

but again que is that can we change the default permission permanently? tell now

Reply

16 Caleb Cushing ( xenoterracide ) February 26, 2009

0027 all r/w none

um… this would be all r/x none

removing 2 removes write.

Reply

17 Steven March 3, 2009

Hello guys, thanx for your valuable input however i need to make the php files created by my app rwxrwxr– by default.

How can I get to do that?

Reply

18 navin March 9, 2009

very helpful thanks a ton

Reply

19 Umask Executable March 17, 2009

Steven: Umask cannot typically be used to default new files to executable. You need to use chmod instead.

Reply

20 KAPIL AHIRE April 10, 2009

THANKS VIVEK

Reply

21 Abhinav Chittora May 4, 2009

I am using fedora9 and having trouble with system. when I create a file as root then the file have permission rw-rw—- I have to change permission each time….

I want to change umask but when I tried it with umask 000 then the default permission are rw-rw-rw- not rwxrwxrwx. I want the permission rwxrwxrwx how to set it as default?

Reply

22 kailas kadam May 5, 2009

this is very good site to understand umasks

Reply

23 senthilkumar.k June 18, 2009

The umask explanation is very useful for beginners
note :
directory default mask : 022
permission ( means rwx) : 777
actual permission value is : 777 – 022 = 755

Reply

24 doug June 19, 2009

execute permission is never defaulted on a file (hence 666 base) … it is defaulted for a directory (hence 777 base) so access to the directory is there.

so 027 does result in all r/w none for a file but all r/w/x none for a diretory.

Reply

25 doug June 19, 2009

for a file 000 and 111 are the same as 111 masks off execute permission and the base permission is 666 – 000 === 666 – 111.

Reply

26 doug June 19, 2009

oops 027 for a file is all r none no ‘w’

Reply

27 kurinchi blogger June 30, 2009

To return the default permission setting type umask with no options
$ umask
022

Having known the umask value, try creating a directory and a file and check what the file settings are

$ mkdir tempdir1

$ ls -l
drwxr-xr-x 2 root root 4096 2009-06-29 10:42 tempdir1

$ touch tempfile1

$ ls -l
drwxr-xr-x 2 root root 4096 2009-06-29 10:42 tempdir1
-rw-r–r– 1 root root 0 2009-06-29 10:43 tempfile1

Change the umask and again create a directory and a file and check the file permission settings

$ umask 027
$ umask
0027

$ mkdir tempdir2
$ ls -l
total 12
drwxr-x— 2 root root 4096 2009-06-29 10:40 tempdir2

Now the directory tempdir2 has a permission setting of 750

$ touch tempfile2
$ ls -l
drwxr-x— 2 root root 4096 2009-06-29 10:40 tempdir2
-rw-r—– 1 root root 0 2009-06-29 10:40 tempfile2

Now the file tempfile2 has a permission setting of 640

Now, let us see how the file permission settings are calculated using boolean expressions after we have issued a umask with 027.

For the directories, you need to take the 1’s complement of the umask value and perform a logical AND operation with 0777.

For e.g. consider the case where we have umask value of 027 – 0000 0000 0010 0111
1’s complement of 027 – 1111 1101 1000

For directories perform logical AND operation with 0777 (0000 0111 0111 0111). So

1111 1101 1000 (1’s complement of 027)
0111 0111 0111 (0777)
—————-
0111 0101 0000 = 0750

For files, perfom logical AND operation with 0666 (0000 0110 0110 0110), so

1111 1101 1000 (1’s complement of 027)
0110 0110 0110 (0666)
—————
0110 0100 0000 = 0640

Try different combinations on files, directories to get a clear picture on how umask is applied on files.

Reply

28 boilermaker October 12, 2011

Now there’s an explanation which makes total sense :)
Thanks Vivek, for inaugurating the topic. And thanks kurinchi blogger for explaining it fully.
I was getting hung up on Vivek’s post where he says – to calculate file permissions, subtract umask from 666 – the default permission for file. Except that sometimes umasks can be like 027, in which case you get a -ve number in the last octal?
“You can simply subtract the umask from the base permissions to determine the final permission for file as follows:
666 – 022 = 644″

Reply

29 vipin July 25, 2009

thanks sir

Reply

30 Dinesh Jadhav August 4, 2009

Hey all,
In /etc/profile is not accepting umask, You have to change in /etc/bashrc,

ther is a string umask 002 and umask 022 we have to cahnge that.

thats it…….

Reply

31 Zia September 28, 2009

Can we set umask values to 008 , if not why ?

Could you please answer this question .

Reply

32 Matt September 28, 2009

Subtract 8 from 7, what do you have? -1. That’s not valid.

Reply

33 Amit September 29, 2009

How can we convert .txt file into .sh file in unix , please answer.

Reply

34 kymera October 19, 2009

How can I set the default umask for users that are authenticated via Winbind connection?

Reply

35 ritz October 26, 2009

Hello, i’m a computer science student.
I needed a C language program for unmasking file permission.
Thanx

Reply

36 pallavee November 23, 2009

why umask value doesnot effect on home directory? Please help

Reply

37 Claude December 3, 2009

How to setup umask for users that can’t login (/sbin/nologin) like the “apache” user?

Reply

38 dORKO! March 30, 2010

zia, matt,

these are octal digits, you can not have a legitimate digit with value 8, only 0-7.

Reply

39 CT June 5, 2010

Isn’t that:
the default permission for directory is 777 while
the default permission for file is 666???

For file, if we do umask 077 or umask 066, we will get the same result???

Isn’t that we can never create a file with “x” permission pre-set?

I’m not tricking you,
I really want to ask.
I’m only a student who forgot almost everything my teacher taught (:P)
I just remember a little bit, and just checked on this on…

Please tell me if I’m wrong.. would love to correct my mind ^^
Best regards,
CT

Reply

40 rajib July 19, 2010

Hi kurinchi blogger i didn’t get that compliment method can u just help me on that ………….

Reply

41 sreedhar November 3, 2010

What a nice tutorial

Reply

42 yer32 November 27, 2010

the math involved with umask need to be done in bin not octal base. here it is
Example:
apply umask 033 to default file permissions.
default file permissions 666
default folder permissions 777
0666 = 000.110.110.110
0033 = 000.000.011.011
make complement of 0033 (consist in change all 0 to 1 and all 1 to 0)
complement of 0033 = 111.111.100.100
no apply AND between the default permission and the complement
(AND result 1 when both are 1 or 0 if any are 0)
default perms of 666 = 000.110.110.110
complement of 0033 = 111.111.100.100
—————————————————————–
AND result = 000.110.100.100

now convert the result to octal
0.6.4.4
644
this is to show that the operation is not using octal, it is using binary instead.

Reply

43 pdk February 25, 2011

In your last example, if umask value is 077 and default permission is 777 then the newly created value should have permission 700, that is the the file should be rwx by the owner, but in your case the permission bits 600.

IN the table, the last entry if umask value is 0027 and default value is 777, then the file should have permission 750 i.e. group should have read and execute permission ,but you wrote r/w permission.

Correct me if I am wrong.

Reply

44 themoon49 March 1, 2011

Hay Post’s owner thanks for your explaining

Reply

45 sameerdhiman March 16, 2011

Thank you for such a short and to the point write up. This helped a lot.

Thanks again.

Reply

46 Kiteman June 23, 2011

Hi,

How to implement a umask when using a program in a batch mode, when .profile or .bashrc is not loaded ?

Thanks for your help.

Regards.

Reply

47 Bishnu September 7, 2011

Very Useful. Thanks a lot.

Reply

48 Lawson September 8, 2011

I love this post keep it up please i need more tutorials about this cause i jst learnt it thanks!

Reply

49 Ashish Jaiswal September 22, 2011

There is a basic simple idea to calculate the umask

1) For file permission it is 666
2) For Directory Permission it is 777

So any umask setting is there just subtract it from the above mentioned values.

As an example

umask is set as 022

Then directory permission would be 777 – 022 so i.e 755
and file permission would be like 666 – 022 so i.e 644

As simple as this

you can put this value in /etc/bashrc /etc/login.defs or ./bashrc

Please post me if you have any more doubts on this

Reply

50 boilermaker October 27, 2011

Hey Ashish
Say the umask is 027. How would you apply that to determine file permissions?

Reply

51 Ashish October 27, 2011

Hello boilermaker,

I guess you have asked the same question, above in the same article…still you are not satisfied let me know about it…I will help you out..

Reply

52 freddie barron September 28, 2011

Ashish Jaiswal i agree with you 100% Then directory permission should always be 777 – 022 so i.e 755 while the file permission should be 666 – 022 so i.e 644

Reply

53 vijay November 7, 2011

what is yhe u mask vllue for dir

Reply

54 vulna November 11, 2011

Hi,
how can i set permission for folder which mount to drive to each user can not delete or modify other’s file and folder?
For instance in fstab:
/dev/sdb1 /any_where vfat uid=…,gid=…,umask=0002 0 0
Like as we use chmod -R +t folder to set permission to folder look like: drwxr-xr-t
So where and what i have to add parameter?
Thanks.

Reply

55 illimar November 22, 2011

Hey, can You please tell me how do I set umask for a certain user under Ubuntu? I do not want to set a global umask.

Reply

56 milli December 14, 2011

how can we change the Default value of Umask permanently?????
help me…..

Reply

57 usman maan January 8, 2012

hi…………
how to change umask value permanently in opensuse linux??????
plz reply……fast as u can………
thnxxxxxxxxx

Reply

58 Jim Trigg January 24, 2012

The final table has three errors. The first three rows calculate “7 – 2 = 4″ where they should calculate “7 – 2 = 5″. So the values in the final column should be 755, 751, 750, 700.

Reply

59 Vivek Gite January 25, 2012

Thanks for the heads up.

Reply

Leave a Comment

You can use these HTML tags and attributes for your code and commands: <strong> <em> <ol> <li> <u> <ul> <blockquote> <pre> <a href="" title="">
What is 15 + 11 ?
Please leave these two fields as-is:
Are you a human being? Solve the simple math so we know that you are a human and not a bot.




Previous post:

Next post: