Umask Command in Linux with Examples

In this lesson we’re going to talk about how to work with default Linux permissions (umask command).

In my previous articles, I explained the following concepts, and I would request that you read those guides first.

Default Linux Permissions

Now you may have noticed that whenever you create a new file or a new directory in the Linux file system a default set of permissions is automatically assigned to that file or directory for you.

Now understand that by default Linux assigns read, write to Owner, read, write to Group and read, write to Others whenever a file is created in the file system.

And we represent those permissions numerically as 666.

If you create a new directory in the file system then by default Linux is going to assign read, write and execute to the directory Owner, read, write, and execute to the Owning Group and read, write, execute to all Other Users in the system.

Now be aware that these aren’t actually the real permissions that a file or directory will end up with when you create it in the file system.

Let’s take a look at an example.

So, let’s suppose I were to create a new directory within my home directory, and we’ll name it mydata.

And within that directory I’m going to create a new file called file.txt.

Now based upon what we just looked at, the mydata directory should have a mode of drwxrwxrwx and the file.txt file should have a mode of -rw-rw-rw-.

But notice here that this is not the case.

# touch file.txt
# mkdir mydata

# ls -l
-rw-r--r--. 1 root root 0 Mar 22 00:15 file.txt
drwxr-xr-x. 2 root root 6 Mar 22 00:16 mydata

Notice that the mydata directory has a mode of read, write, execute to the Owner, read and execute to the Owning Group and read and execute to the Others which is basically a mode of 755.

For the file.txt we grant read and write permissions to Owner and we grant read permissions to Group and Others.

Understanding umask

Now you should have noticed that these are not the default permissions that Linux was supposed to assign to this file and directory.

Why did this happen?

The key thing to remember is that the default permissions Linux wants to assign to files and directories when they are created in the filesystem are just too liberal.

If you think about it, the default directory mode would allow anybody on the system to enter any directory on the file system and delete any files that they wanted to.

Likewise, the default file mode would allow any user on the system to modify anybody else’s files that they created.

Think about what a nightmare that would be from a security standpoint.

To increase the overall security of the system, Linux uses a variable called umask to automatically remove permissions from the default mode that Linux wants to assign whenever a file or directory is created in the file system.

How to check umask value

Now the value of umask is a three-digit number, and you can view it by running the umask command at the shell prompt.

$ umask
0022

When you do, you actually see four digits. Ignore the first one; for our purposes today we want to focus on the last three digits, that is, 022.

Alternatively, you can use the uppercase -S option with the umask command to display the umask value in symbolic notation.

# umask -S
u=rwx,g=rx,o=rx

Note that the symbolic form lists the permissions that remain allowed, not the ones that are removed.

Now depending upon your Linux distribution, the default value of umask will be either 022 or 002.

I’ve seen both used. Remember each digit represents a numeric permission that will be removed from the default permissions assigned by Linux.

umask Variable

So, the first digit in the umask variable represents the permissions that will be removed from the file or directory Owner (represented as u).

The second digit as you might guess represents the permissions that will be removed from the Owning Group.

And the last digit represents permissions that will be removed from Others on the system.

An example of how umask works is shown here.

 ### Effect of umask on Directories ###

                      Default Mode:  rwxrwxrwx
Minus permissions removed by umask:  ----w--w-
    Effective permissions assigned:  rwxr-xr-x

 ### Effect of umask on Files ###

                      Default Mode:  rw-rw-rw-
Minus permissions removed by umask:  ----w--w-
    Effective permissions assigned:  rw-r--r--

Now the distribution that I ran the umask command on previously had a umask variable of 022, which means the write (2) permission is removed from Group and Others, and the 0 means nothing is removed from the Owner.

umask Variable Distribution

So, let’s say we create a new directory in the file system.

By default, Linux wants to grant read, write, and execute to every entity: User, Group, and Others.

But because of the value of umask, we subtract the w (write) permission from Group and Others. The resulting mode, that is, the effective permissions that will then be assigned, is as follows:

  • We have read, write, and execute being granted to the Owner.
  • But because we subtracted the w permission via umask, Group and Others only get read and execute.

Likewise, if we create a file in the file system, again Linux wants to assign read and write permissions to that file for Owner, Group, and Others.

But because of the value of umask we’re going to remove the write permission from Group and Others. The effective permission then is read and write for Owner and only read for Group and Others.

How to change default umask values

Now the default value of umask usually works for most Linux administrators.

But there may be situations where you need to either tighten (most likely) or loosen (less likely) the permissions that are assigned to files or directories when they’re created in the file system.

To do this you simply change the value that’s assigned to umask.

There are two different ways you can do this.

How to temporarily change your umask value

First, if you only need to make a temporary change to umask, you simply enter umask at the shell prompt, followed by the numeric permissions that you want subtracted from the default permissions that will be automatically assigned to both files and directories.

Example #1

If we wanted to remove the read (4), write (2), and execute (1) permission that’s automatically assigned to Others whenever a new directory is created, we would specify a 7 in the last spot.

# umask 027

Now with this new value of umask that is 027, I’ve created a new folder named mydata at the shell prompt and here is the result.

# ls -l
drwxr-x---. 2 root root 6 Mar 22 09:53 mydata

Alternatively you can also use Symbolic notation instead of Numeric notation to set the umask value. Here is an example.

# umask u=rwx,g=rx,o=

The above command is equivalent to umask 027.

Example #2

Let’s further suppose that we want to remove the read (4) and write (2) permission that’s automatically assigned to Group whenever you create a new file or directory in the file system. In that case, we would specify a 6 in the second spot.

But we don’t want to touch Owner; we want the default permissions assigned to Owner to remain intact, so we’ll use a 0 for the first value in the mode.

# umask 067

This will cause the read permission (value 4) and the write permission (value 2), which sum to 6, to be removed from Group upon creation of a file or directory.

It will also remove read (value 4), write (value 2), and execute (value 1), which sum to 7, from Others.

Now with this new umask value of 067, I’ve created a new folder and a new file at the shell prompt.

# ls -l
-rw-------. 1 root root 0 Mar 22 10:06 file.txt
drwx--x---. 2 root root 6 Mar 22 10:06 mydata

Now notice that the effective permissions that have been assigned to that directory and file are different than they were before.

Now we still have a 0 for Owner therefore no permissions are subtracted from the default permissions for the directory or for the file.
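
The examples above can be recomputed and checked on disk. The script below is an added example, not part of the original article: it treats umask as a bit mask (mode & ~umask), which gives the same answer as digit-by-digit subtraction for 022, 027 and 067 but not for every value. The function names and the extra mask 033 are constructed for illustration, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: predict the mode a umask produces, then confirm it on disk.

# effective_mode BASE MASK -> octal result of BASE & ~MASK
# BASE is 666 for new files and 777 for new directories.
effective_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# observed_mode KIND MASK -> mode of a file (f) or directory (d) created
# under MASK. Runs in a subshell so the caller's umask is left untouched.
observed_mode() (
    tmp=$(mktemp -d) || exit 1
    umask "$2"
    if [ "$1" = d ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    stat -c '%a' "$tmp/new"      # GNU stat: permission bits in octal
    rm -rf "$tmp"
)

# 022, 027 and 067 are the article's values; 033 is a constructed case where
# subtraction would predict 633 for a file but the real result is 644.
for mask in 022 027 067 033; do
    printf 'umask %s  file: %s (on disk %s)  dir: %s (on disk %s)\n' \
        "$mask" \
        "$(effective_mode 666 "$mask")" "$(observed_mode f "$mask")" \
        "$(effective_mode 777 "$mask")" "$(observed_mode d "$mask")"
done
```

With 033 the execute bit cannot be removed from a new file because the default file mode never had it, so the write bit is the only one cleared.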

How to permanently change your umask value

Now this method for modifying the umask variable works great but be aware that it is not persistent.

If I were to restart the system, then umask would revert to its original values.

That’s because umask is usually automatically set each time the system boots using the umask parameter in either of these files depending upon which distribution you’re using.

  • /etc/profile
  • /etc/login.defs

So, if you want to make your change to umask permanent you need to go in and edit the appropriate configuration file in a text editor and set the value of umask to your desired value.
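
Before editing either file, it helps to see which umask values it already sets. The script below is an added example, not part of the original article: it lists the octal umask settings in a profile-style or login.defs-style file and compares each with a baseline. The function names, the sample file contents and the 027 baseline (borrowed from Example #1) are assumptions, and settings written in symbolic notation are not recognised.

```shell
#!/bin/sh
# Added example: list umask settings in a config file and compare each one
# with a required baseline.

# configured_umasks FILE -> one octal value per active "umask NNN" or
# "UMASK NNN" line (comments stripped, leading indentation allowed).
configured_umasks() {
    sed -n -e 's/#.*//' \
        -e 's/^[[:space:]]*[Uu][Mm][Aa][Ss][Kk][[:space:]][[:space:]]*\([0-7][0-7]*\)[[:space:]]*$/\1/p' \
        "$1"
}

# mask_covers MASK REQUIRED -> true when MASK removes every bit REQUIRED removes
mask_covers() {
    [ "$(( 0$1 & 0$2 ))" -eq "$(( 0$2 ))" ]
}

# audit_file FILE REQUIRED -> one verdict per setting; returns 1 if any is weaker
audit_file() {
    rc=0
    for m in $(configured_umasks "$1"); do
        if mask_covers "$m" "$2"; then
            echo "$1: umask $m ok"
        else
            echo "$1: umask $m is weaker than $2"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files, written to a scratch directory (not real configs).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# constructed login.defs excerpt' 'UMASK           022' \
    > "$demo/login.defs"
printf '%s\n' 'if [ "$UID" -gt 199 ]; then' '    umask 027' 'else' \
    '    umask 077   # constructed comment' 'fi' > "$demo/profile"

audit_file "$demo/login.defs" 027 || true   # reports 022 as weaker
audit_file "$demo/profile" 027 || true      # both values pass
```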


Conclusion

I hope that now you have a good understanding of how umask works and you have some ideas for how you can use this within your workflow.

If anyone does have any questions about what we covered in this guide then feel free to ask in the comment section below and I will do my best to answer those.
