Introduction
In Unix-like systems, each file and directory has a set of permissions that determine who can read, write or execute the resource. When a new file is created, the kernel assigns initial permissions that are then modified by the file creation mask, known as umask. The umask command lets you define which permission bits are removed by default, so new resources get the desired level of access without manual intervention after creation.
What's umask?
The term umask comes from 'user file-creation mode mask'. It is an octal (or symbolic) value that indicates which permissions should be denied when a file or directory is created. The kernel starts from a base permission (normally 666 for files and 777 for directories) and applies the umask to it. The result is the set of final permissions that will apply to the new resource.
How the calculation works
To understand the process, imagine that the system starts from the maximum permissions:
- Files: 666 (rw- rw- rw-)
- Directories: 777 (rwx rwx rwx)
If your umask is 022, the calculation would be:
- File: 666 − 022 = 644 (rw- r-- r--)
- Directory: 777 − 022 = 755 (rwx r-x r-x)
The bits that appear in the mask are removed from the base permissions; any bit that is not in the mask is preserved.
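The calculation above, checked against what the kernel actually assigns, as an added example that is not part of the original article. The function names are assumptions of this sketch, and 033 is a constructed value chosen because it shows that the mask is applied bit by bit (base AND NOT umask) rather than by arithmetic subtraction.

```shell
#!/bin/sh
# Added example: predicted vs. observed modes for a given umask.

# Predicted mode: base AND NOT mask (bitwise), printed as 3-digit octal.
# $1 = base (666 for files, 777 for directories), $2 = umask
predict_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Naive arithmetic subtraction of the octal values, for comparison only.
subtract_mode() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# Portable permission lookup (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file and a directory under the given umask and report the
# modes they received. Runs in a subshell so the caller's umask is
# left untouched. Output: "<file mode> <directory mode>"
observe_modes() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/f"       # shell redirection requests mode 666
        mkdir "$tmp/d"     # mkdir requests mode 777
        result="$(mode_of "$tmp/f") $(mode_of "$tmp/d")"
        rm -rf "$tmp"
        printf '%s\n' "$result"
    )
}

# 022, 002 and 077 come from the article; 033 is a constructed value.
for m in 022 002 077 033; do
    printf 'umask %s: predicted %s %s, subtraction %s, observed %s\n' \
        "$m" "$(predict_mode 666 "$m")" "$(predict_mode 777 "$m")" \
        "$(subtract_mode 666 "$m")" "$(observe_modes "$m")"
done
```

For 033 the subtraction column shows 633 while the file is really created as 644: the execute bit in the mask has nothing to remove from 666, so it is simply ignored.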
Common values and examples
Some common umask values and their effects:
- 002 → files 664, directories 775 (ideal for group environments where all group members can write)
- 022 → files 644, directories 755 (default value in many distributions)
- 077 → files 600, directories 700 (maximum privacy, only the owner can read, write or execute)
- 000 → files 666, directories 777 (no restrictions, rarely recommended for security reasons)
To see the current umask, just run umask in the terminal. To change it temporarily in the current session, use umask 002. The new value will affect all files and directories created until the session is closed or another umask is set.
Change umask permanently
If you want the umask to be applied every time you log in, you should add it to one of the shell initialization files. For example, for Bash:
- Add the line umask 002 at the end of ~/.bashrc or ~/.profile.
- After saving, reload the configuration with source ~/.bashrc or open a new terminal.
In systems that use Zsh, the corresponding file is ~/.zshrc. In multi-user environments, administrators can define umask globally in /etc/profile or /etc/bash.bashrc, affecting all users who do not override the value in their personal configuration.
Good practices and advice
- Evaluate the environment: on shared servers, a 002 or 007 umask helps to maintain collaboration without exposing data to other users.
- On individual workstations, a 077 umask provides greater confidentiality.
- Avoid overly permissive values like 000; they can leave files readable or writable by anyone, which is a security risk.
- Remember that umask only affects the creation of new resources; existing file permissions are not automatically modified.
- If you need to apply specific permissions after creation, combine umask with chmod or use ACLs for more granular control.
Mastering the umask command lets you control, centrally and predictably, the permissions of the files and directories you create, improving both the organization and security of your Linux system.


