What is Umask and How To Setup Default umask Under Linux?

Anil asks a question (via email):

What is umask and how is it determined on a Linux system?


When a user creates a file or directory under Linux or UNIX, she creates it with a default set of permissions. In most cases the system defaults may be open or relaxed for file sharing purposes. For example, if a text file has 666 permissions, it grants read and write permission to everyone. Similarly, a directory with 777 permissions grants read, write, and execute permission to everyone.

Default umask Value

The user file-creation mode mask (umask) is used to determine the file permissions for newly created files. It can be used to control the default file permissions for new files. It is a four-digit octal number. A umask can be set or expressed using:

  • Symbolic values
  • Octal values

Procedure To Setup Default umask

You can set up umask in the /etc/bashrc or /etc/profile file for all users. By default most Linux distros set it to 0022 (022) or 0002 (002). Open the /etc/profile or ~/.bashrc file, enter:
# vi /etc/profile
OR
$ vi ~/.bashrc
Append/modify the following line to set up a new umask:
umask 022
Save and close the file. Changes will take effect after the next login. All UNIX users can override the system umask defaults in their /etc/profile file, ~/.profile (Korn / Bourne shell), ~/.cshrc file (C shells), ~/.bash_profile (Bash shell) or ~/.login file (defines the user’s environment at login).

Explain Octal umask Mode 022 And 002

As I said earlier, if the default settings are not changed, files are created with the access mode 666 and directories with 777. In this example:

  1. The default umask 002 is used for normal users. With this mask, default directory permissions are 775 and default file permissions are 664.
  2. The default umask for the root user is 022, which results in default directory permissions of 755 and default file permissions of 644.
  3. For directories, the base permissions are (rwxrwxrwx) 0777 and for files they are 0666 (rw-rw-rw-).

In short,

  1. A umask of 022 allows only you to write data, but anyone can read data.
  2. A umask of 077 is good for a completely private system. No other user can read or write your data if umask is set to 077.
  3. A umask of 002 is good when you share data with other users in the same group. Members of your group can create and modify data files; those outside your group can read data files, but cannot modify them. Set your umask to 007 to completely exclude users who are not group members.

But, How Do I Calculate umasks?

The permissions of a newly created file are calculated as the bitwise AND of the base permissions and the unary complement (bitwise NOT) of the umask. The octal notations are as follows:

  • Octal value : Permission
  • 0 : read, write and execute
  • 1 : read and write
  • 2 : read and execute
  • 3 : read only
  • 4 : write and execute
  • 5 : write only
  • 6 : execute only
  • 7 : no permissions

Now, you can use the above table to calculate file permissions. For example, if umask is set to 077, the permissions can be calculated as follows:

Bit   Targeted at   File permission
0     Owner         read, write and execute
7     Group         No permissions
7     Others        No permissions

To set the umask 077 type the following command at shell prompt:
$ umask 077
$ mkdir dir1
$ touch file
$ ls -ld dir1 file

Sample outputs:

drwx------ 2 vivek vivek 4096 2011-03-04 02:05 dir1
-rw------- 1 vivek vivek    0 2011-03-04 02:05 file

Task: Calculating The Final Permission For FILES

You can simply subtract the umask from the base permissions to determine the final permission for file as follows:
666 – 022 = 644

  • File base permissions : 666
  • umask value : 022
  • Subtract to get permissions of new file (666-022) : 644 (rw-r--r--)

Task: Calculating The Final Permission For DIRECTORIES

You can simply subtract the umask from the base permissions to determine the final permission for directory as follows:
777 – 022 = 755

  • Directory base permissions : 777
  • umask value : 022
  • Subtract to get permissions of new directory (777-022) : 755 (rwxr-xr-x)
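
The bitwise rule described earlier (base permissions AND NOT umask) next to the subtraction shortcut, as an added example that is not part of the original article. The function names are made up for illustration and observed_mode assumes a Linux stat that accepts -c %a; masks such as 077, 333 and 111 are included because plain subtraction from 666 gives a different answer there.

```shell
#!/bin/sh
# Added example (not from the original article): umask arithmetic is
# base AND NOT umask, checked against what the system really creates.

# final_mode BASE UMASK -> BASE & ~UMASK as three octal digits.
final_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# naive_subtract BASE UMASK -> the decimal "base - umask" shortcut.
naive_subtract() {
    expr "$1" - "$2" || true
}

# observed_mode UMASK file|dir -> mode of a freshly created object.
# Assumption: stat supports -c %a (GNU coreutils or busybox on Linux).
observed_mode() (
    tmp=$(mktemp -d) || exit 1   # scratch dir is made before the umask changes
    umask "$1"                   # subshell body: caller's umask is untouched
    if [ "$2" = dir ]; then mkdir "$tmp/new"; else touch "$tmp/new"; fi
    stat -c %a "$tmp/new"
    if [ "$2" = dir ]; then rmdir "$tmp/new"; else rm -f "$tmp/new"; fi
    rmdir "$tmp"
)

# Compare the three results for new files (base 666).
compare_masks() {
    printf '%-6s %-10s %-10s %-10s\n' umask subtract and-not observed
    for m in 022 002 077 027 333 111; do
        printf '%-6s %-10s %-10s %-10s\n' "$m" \
            "$(naive_subtract 666 "$m")" \
            "$(final_mode 666 "$m")" \
            "$(observed_mode "$m" file)"
    done
}

compare_masks
```

The subtract column matches the other two only when every bit set in the umask is also set in the base permissions, as with 022 and 002.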

How Do I Set umask Using Symbolic Values?

The following symbolic values are used:

  1. r : read
  2. w : write
  3. x : execute
  4. u : User ownership (user who owns the file)
  5. g : group ownership (the permissions granted to other users who are members of the file’s group)
  6. o : other ownership (the permissions granted to users that are in neither of the two preceding categories)

The following command will set umask to 077, i.e. a umask set to u=rwx,g=,o= will result in new files having the mode -rw------- and new directories having the mode drwx------:
$ umask u=rwx,g=,o=
$ mkdir dir2
$ touch file2
$ ls -ld dir2 file2

Sample umask Values and File Creation Permissions

If umask value set to   User permission   Group permission   Others permission
000                     all               all                all
007                     all               all                none
027                     all               read / execute     none

all = read, write and execute permission

Limitations of the umask

  1. The umask command can only restrict permissions.
  2. The umask command cannot grant extra permissions beyond what is specified by the program that creates the file or directory. If you need to change the permissions of an existing file, use the chmod command.

umask and level of security

The umask command can be used for setting different security levels as follows:

umask value   Security level   Effective permission (directory)
022           Permissive       755
026           Moderate         751
027           Moderate         750
077           Severe           700

For more information about the umask read the man page of bash or ksh or tcsh shell:
man bash
help umask
man chmod

Updated for accuracy!

109 comments
  • Don Sep 21, 2020 @ 8:41

    Because you suggested to modify /etc/bashrc or /etc/profile directly

    This is in my /etc/bashrc:


    # It's NOT a good idea to change this file unless you know what you
    # are doing. It's much better to create a custom.sh shell script in
    # /etc/profile.d/ to make custom changes to your environment, as this
    # will prevent the need for merging in future updates.

    For the sake of a tutorial it is sometimes a good idea to simplify things. Problem is, these things get duplicated and then you have bad practices everywhere …

  • MaxiReglisse Aug 7, 2020 @ 9:18

    I needed to create a .bash_profile for .bashrc to take effect.

    # .bash_profile
    if [ -f ~/.bashrc ]; then
    	. ~/.bashrc
    fi
    
  • Ashutosh Sep 25, 2017 @ 14:03

    I have a question related to default permissions for a different type of files and directories.
    We say that For directories, the base permissions are (rwxrwxrwx) 0777 ….

    and then you calculated:
    and similarly for test files, the base permissions are 666 and for executable files are 777 and then you calculate.

    From Where a process which is creating the files or directories is taking these base permissions and then applying umask.
    Also is there a way to change the base permissions a process should take (say a process created similar to touch ) and then assign these base permissions

  • Anatoly Jul 28, 2017 @ 6:56

    Too sophisticated explanation. But the matter is very simple. There are two operations where umask is used: create dir or create file. Some types of creation may have a special parameter to set mode. It doesn’t concern umask. Mode is set in these cases as pointed in these parameters. All others do. There is a base mode for dirs 0777 and for files 0666. If you set umask not 0, result mode is = base mod XOR umask. That is all. I can’t see this in the explanation. Wrote base mode – umask(???) It’s wrong… Operation is XOR, nothing else. So you just write bits to be reset in result. 2 or 4 for files means reset rules for write and read and for dirs too. 1 acts only for dirs. If you point 1 add 4 too because of reset run for dirs useless without reading its content. Or you get a situation when you may enter in dir but can’t read its content. Usual value is 022 or 027. Set the second for home dir content and nobody except user from your primary group can’t enter in your home dir. Set 077 to forbid all but you and root of course enter… There are 4 numbers in first digits. Some OS-s have base mod not 0666 & 0777 but 06666 & 07777. You may reset also sgid and suid. So you must set fourth number too.
    I don’t know what else can say about it. It’s all…

  • roy Mar 1, 2016 @ 1:46

    Thank you very much owner for the Info. Also thanks for all the comments, which also helped.

  • Babu Jan 10, 2016 @ 12:54

    Thanks. It’s really useful for me.

  • Fatboss Oct 1, 2015 @ 18:51

    @tcoupe

    By default, umask = 000, and this sets permissions to 777 for directories and 666 for files.
    Meaning that umask = 111, sets 666 for directories and 555 for files.
    You can’t set 644/444 using umask. It’s either 644 / 533 (133) or 555 / 444 (222) – both of which make no sense.

    There are only handful umasks that make sense. Those have values of 0, 2 or 7. ALL other values produce anomalous effects.
    For example, “2/w” on files or directories (from umask 5 and 4) results in directories that are writeable, but not accessible (“1/x” bit); or files that are only writeable.

    Umask of 6 produce “1/x” value on directories, which means – execute rights of contained objects – yet reading or writing in same directory not possible. On files it will produce 0 (no rights). A 111 on dirs/000 on files can make sense – for making secretly accessed directories (which still can be bruteforced). Example – below. But there is no sense to create this as uname. Such directories are created manually as needed.

    /somedir(644)/somesecretdir(111)/supersecretlongname123(644)/a_file(644).
    autocompletion: ls /somedir/somesecretdir/ will not work.
    listing: ls -alh /somedir/somesecretdir/ will not work.

    all, because somesecretdir directory has no “4/r” on it (to read contents), yet has “1/x” to execute rights of contained objects. But:
    ls -alh /somedir/somesecretdir/supersecretlongname123/
    cat /somedir/somesecretdir/supersecretlongname123/a_file

    will work, because we supply fully correct name “supersecretlongname123”.

    Finally, umask of 3 will produce very strange results – directories with “4/r”, means their contents still can’t be accessed – just filenames listed; and “2+1/-wx” on files, – files which can be written to(and copied around) and accessed, but not displayed.

    So stick to umask values of 0,2,7: 000, 002, 022, 027, 007, 077. Everything outside makes zero sense.

    • fatboss Oct 2, 2015 @ 20:07

      Correction: “But there is no sense to create this as uname.” above should mean “But there is no sense to create this as umask.” of course.

  • tcoupe Sep 2, 2015 @ 14:47

    What if I want to set up file permissions to be equal to r--,r--,r-- (444) and directory permissions to be rw-,r--,r-- (644)? What would be the umask value setting? I’ve tried umask 222 which came out good for files but for directories it equals 555. Alternately, I’ve tried umask 133 which gives me 644 for files which is not what I want but it gives me 644 for directories which is good.

    If anyone can figure out what the umask value should be to equal 444 for files and 644 for directories, Please let me know.

  • ankush Apr 16, 2015 @ 13:20

    Hi,

    Is there a way we can change the umaskmode for individual users?

    Example:
    Any directory/file created by srv-test user would have a umask of 002 results if dir/file permissions of rwxrwxr-x.

    system wide setting remain same i.e 022.

    Please suggest.

  • model Dec 10, 2014 @ 8:29

    Hi, why am I not able to set umask for setuid or setgid or sticky bit? For e.g. when running umask 2002 I am getting an error: `umask 2002 octal number out of range`.
    But my question is: the first bit is to set for special permission (suid, sgid, or sticky bit), then why am I not able to set the above umask and getting an error? The same is going on for umask 4002 or 1002. If we cannot set it, then what is the meaning of that first bit in umask? Can somebody please explain?

  • model Dec 10, 2014 @ 8:14

    I am not getting how umask is calculated for files, e.g.
    when umask is 333, 666-333=333, but as I know umask doesn’t allow execute permission for files, so it can’t be 333 at least. But then why is it creating as 444 and why not 222? How is it calculating to create it as 444?
    Another example is when umask is 111, 666-111=555, but as said it can’t be 555 and the file is getting created as 666. How come, and why not 444? How is it calculating this?
    Can somebody explain this to me in simple language?

  • Yordan Georgiev Aug 15, 2014 @ 4:59

    http://en.wikipedia.org/wiki/Umask#Exceptions
    for bit in {0..7} ; do umask 000$bit; touch 000$bit ; echo on umask set to `umask` `umask -S` `stat -c "%A %n" 000$bit`; done | column -t

  • droope Apr 22, 2014 @ 0:10

    Good article, thanks!

  • Sepahrad Salour Mar 18, 2014 @ 6:01

    Very useful, Thanks a lot 🙂

  • Dan Feb 5, 2014 @ 14:14

    Very good explanation. Thanks.
