In this lesson we’re going to talk about how to work with default Linux permissions (umask command).
In my previous articles I explained the following concepts, and I would ask you to read those guides first.
Default Linux Permissions
Now you may have noticed that whenever you create a new file or a new directory in the Linux file system, a default set of permissions is automatically assigned to that file or directory for you.
Now understand that by default Linux assigns read and write to Owner, read and write to Group, and read and write to Others whenever a file is created in the file system.
And we represent those permissions numerically as 666.
If you create a new directory in the file system, then by default Linux is going to assign read, write, and execute to the directory Owner, read, write, and execute to the Owning Group, and read, write, and execute to all Other Users in the system.
Now be aware that these aren’t actually the real permissions that a file or directory will end up with when you create it in the file system.
Let’s take a look at an example.
So, let’s suppose I were to create a new directory within my home directory, and we’ll name it mydata.
And within that directory I’m going to create a new file called file.txt.
Now based upon what we just looked at, the mydata directory should have a mode of drwxrwxrwx and the file.txt file should have a mode of -rw-rw-rw-.
But notice here that this is not the case.
# touch file.txt
# mkdir mydata
# ls -l
-rw-r--r--. 1 root root 0 Mar 22 00:15 file.txt
drwxr-xr-x. 2 root root 6 Mar 22 00:16 mydata
Notice that the mydata directory has a mode of read, write, execute to the Owner, read and execute to the Owning Group, and read and execute to the Others, which is basically a mode of 755.
For the file.txt we grant read and write permissions to Owner and we grant read permissions to Group and Others.
Understanding umask
Now you should have noticed that these are not the default permissions that Linux was supposed to assign to this file and directory.
Why did this happen?
The key thing to remember is that the default permissions Linux wants to assign to files and directories when they are created in the filesystem are just too liberal.
If you think about it, the default directory mode would allow anybody on the system to enter any directory on the file system and delete any files that they wanted to.
Likewise, the default file mode would allow any user on the system to modify anybody else’s files that they created.
Think about what a nightmare that would be from a security standpoint.
To increase the overall security of the system, Linux uses a variable called umask to automatically remove permissions from the default mode that Linux wants to assign whenever a file or directory is created in the file system.
How to check umask value
Now the value of umask is a three-digit number and you can view it by running the umask command at the shell prompt.
$ umask
0022
Alternatively, you can use the uppercase -S option with the umask command to display the umask value in symbolic notation.
# umask -S
u=rwx,g=rx,o=rx
When you run umask without options, you actually see four digits. Ignore the first one; for our purposes today we want to focus on the last three digits, that is 022.
Now depending upon your Linux distribution, the default value of umask will be either 022 or 002.
I’ve seen both used. Remember each digit represents a numeric permission that will be removed from the default permissions assigned by Linux.

So, the first digit in the umask variable represents permissions that will be removed from the file or directory Owner, represented as u.
The second digit, as you might guess, represents the permissions that will be removed from the Owning Group.
And the last digit represents permissions that will be removed from Others on the system.
An example of how umask works is shown here.
### Effect of umask on Directories ###
Default Mode: rwxrwxrwx
Minus permissions removed by umask: ----w--w-
Effective permissions assigned: rwxr-xr-x
### Effect of umask on Files ###
Default Mode: rw-rw-rw-
Minus permissions removed by umask: ----w--w-
Effective permissions assigned: rw-r--r--
Now the distribution that I ran the umask command on previously had a umask variable of 022.
Which means the write (2) permission is removed from Group and Others, and 0 means nothing’s removed from the Owner.

So, let’s say we create a new directory in the file system.
By default, Linux wants to grant read, write, and execute to every entity: User, Group, and Others.
But because of the value of umask, we subtract the w (Write) permission from Group and Others. The resulting mode, that is, the effective permissions that will then be assigned, is as follows:
- We have read, write, and execute being granted to the Owner.
- But because we subtracted the w permission via umask, Group and Others only get read and execute.
Likewise, if we create a file in the file system, again Linux wants to assign read and write permissions to that file for Owner, Group, and Others.
But because of the value of umask we’re going to remove the write permission from Group and Others. The effective permission then is read and write for Owner and only read for Group and Others.
How to change default umask values
Now the default value of umask usually works for most Linux administrators.
But there may be situations where you need to either tighten (most likely) or loosen (not likely) the permissions that are assigned to files or directories when they’re created in the file system.
To do this you simply change the value that’s assigned to umask.
There are two different ways you can do this.
How to temporarily change your umask value
First, if you only need to make a temporary change to umask, you simply enter umask at the shell prompt followed by the numeric permissions that you want subtracted from the default permissions that will be automatically assigned to both files and directories.
Example #1
If we wanted to remove the read (4), write (2), and execute (1) permissions that are automatically assigned to Others whenever a new directory is created, we would specify a 7 in the last spot.
# umask 027
Now with this new value of umask, that is 027, I’ve created a new folder named mydata at the shell prompt and here is the result.
# ls -l
drwxr-x---. 2 root root 6 Mar 22 09:53 mydata
Alternatively, you can also use symbolic notation instead of numeric notation to set the umask value. Here is an example.
# umask u=rwx,g=rx,o=
The above command has the same effect as umask 027.
Example #2
And let’s further suppose that we want to remove the read (4) and write (2) permissions that are automatically assigned to Group whenever you create a new file or directory in the file system. We would specify a 6 in the second spot.
But we don’t want to touch Owner; we want the default permissions assigned to Owner to remain intact, so we’ll use a 0 for the first value in the mode.
# umask 067
This will cause the read permission, which has a value of 4, and the write permission, which has a value of 2, which summed together equal 6, to be removed from Group upon creation of a file or directory.
And it will also remove read, which has a value of 4, write, which has a value of 2, and execute, which has a value of 1, which summed together equal 7, from Others.
Now with this new value of umask, remember it is 067, I’ve created a new folder and a new file at the shell prompt.
# ls -l
-rw-------. 1 root root 0 Mar 22 10:06 file.txt
drwx--x---. 2 root root 6 Mar 22 10:06 mydata
Now notice that the effective permissions that have been assigned to that directory and file are different than they were before.
Now we still have a 0 for Owner, therefore no permissions are subtracted from the default permissions for the directory or for the file.
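The "removal" in these examples clears bits (default AND NOT umask); it is not arithmetic subtraction, which is why a file under umask 067 ends up as 600 and not 666 - 067. The script below is an added example, not part of the original article: it computes the effective mode and compares it with what the filesystem really assigns for the three umask values used in this guide. The function names are illustrative, and it assumes a Linux system with GNU or BusyBox stat.

```bash
#!/usr/bin/env bash
# Added example: compute the effective mode for a umask and verify it on disk.

# effective_mode DEFAULT MASK -> prints DEFAULT with the MASK bits cleared (octal).
# The leading 0 makes the shell read both arguments as octal numbers.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observed_modes MASK -> creates file.txt and mydata under that umask inside a
# throwaway temp directory and prints "FILE_MODE DIR_MODE" as reported by stat.
observed_modes() {
    tmp=$(mktemp -d) || return 1
    (
        # The subshell keeps the umask change away from the calling shell.
        umask "$1"
        cd "$tmp" || exit 1
        touch file.txt
        mkdir mydata
        printf '%s %s\n' "$(stat -c '%a' file.txt)" "$(stat -c '%a' mydata)"
    )
    rm -rf "$tmp"
}

# The three umask values used in this guide.
for mask in 022 027 067; do
    printf 'umask %s: computed file=%s dir=%s | observed (file dir)=%s\n' \
        "$mask" \
        "$(effective_mode 666 "$mask")" \
        "$(effective_mode 777 "$mask")" \
        "$(observed_modes "$mask")"
done
```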
How to permanently change your umask value
Now this method for modifying the umask variable works great, but be aware that it is not persistent.
If I were to restart the system, then umask would revert to its original values.
That’s because umask is usually automatically set each time the system boots using the umask parameter in one of these files, depending upon which distribution you’re using.
/etc/profile
/etc/login.defs
So, if you want to make your change to umask permanent, you need to go in and edit the appropriate configuration file in a text editor and set the value of umask to your desired value.
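After editing one of these files, it is worth confirming which value is actually configured and whether it is at least as strict as the one you intended. The following is an added example, not from the original article: it reads the umask setting from a file and compares it with a baseline. It assumes the setting is written as `umask VALUE` in shell startup files and `UMASK VALUE` in login.defs; the sample files are constructed stand-ins, and the baseline of 027 and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: find the umask set in a startup file and compare it with a baseline.

# configured_umask FILE -> prints the last octal umask set in FILE (empty if none).
# Commented-out lines are ignored because their first field starts with "#".
configured_umask() {
    awk 'tolower($1) == "umask" && $2 ~ /^[0-7]+$/ { v = $2 }
         END { if (v != "") print v }' "$1"
}

# mask_covers ACTUAL REQUIRED -> succeeds if ACTUAL clears every bit REQUIRED clears.
mask_covers() {
    [ $(( 0$1 & 0$2 )) -eq $(( 0$2 )) ]
}

# audit_umask FILE REQUIRED -> prints "OK <value>", "WEAK <value>" or "UNSET".
audit_umask() {
    value=$(configured_umask "$1")
    if [ -z "$value" ]; then
        echo "UNSET"
    elif mask_covers "$value" "$2"; then
        echo "OK $value"
    else
        echo "WEAK $value"
    fi
}

# Constructed sample files standing in for /etc/profile and /etc/login.defs.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/profile" <<'EOF'
# umask 077
umask 022
EOF
cat > "$sample_dir/login.defs" <<'EOF'
# constructed sample entry
UMASK           027
EOF

for f in profile login.defs; do
    printf '%s: %s\n' "$f" "$(audit_umask "$sample_dir/$f" 027)"
done
```

To check a real system, call `audit_umask /etc/profile 027` and `audit_umask /etc/login.defs 027` instead of using the sample files.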
You can visit the following websites to get more information on umask.
Conclusion
I hope that now you have a good understanding of how umask works and you have some ideas for how you can use this within your workflow.
If anyone does have any questions about what we covered in this guide then feel free to ask in the comment section below and I will do my best to answer those.