What’s behind the Linux umask?

The Linux umask setting plays a big role in determining the permissions that are assigned to files that you create. But what’s behind this variable, and how do the numbers relate to settings like rwxr-xr-x?

First, umask is a setting that directly controls the permissions assigned when you create files or directories. Create a new file using a text editor or simply with the touch command, and its permissions will be derived from your umask setting. You can look at your umask setting simply by typing umask on the command line.

$ umask
0022

Where the umask setting comes from

The umask setting for all users is generally set up in a system-wide file like /etc/profile, /etc/bashrc or /etc/login.defs — a file that’s used every time someone logs into the system. The setting can be overidden in user-specific files like ~/.bashrc or ~/.profile since these files are read later in the login process. It can also be reset on a temporary basis at any time with the umask command.

$ grep ^UMASK /etc/login.defs
UMASK           022
$ umask 002
$ umask
0002

The point of umask settings is to make sure your files have the permissions that you want by default. You can always chmod a file, but you won’t have to do that very often if the files by default have the permissions you want. In setting the default permission, you decide whether other people in the same group or anyone who logs into the system can read your files.

What does it mean to be a “mask”?

The umask settings are actually something of an inversion of the permissions they will create. A 0 in a netmask might yield a 7 for the resultant permissions, where a 7 in a netmask would yield a 0. Thus, 777 is the most restrictive umask setting, and 000 is the most permissive.

Create a new file when your umask setting is 777 and you won’t even be able to look at it yourself — at least not without first changing its permissions.

$ umask 777
$ touch newfile
$ cat newfile
cat: newfile: Permission denied
$ ls -l newfile
---------- 1 shs shs 0 Sep 14 15:30 newfile

Each bit in the umask setting corresponds to a bit in the permissions to be used. While 777 represents rwxrwxrwx for chmod, it sets the permissions on files or directories that are created to ———.

Making a new directory:

$ umask 022
$ mkdir newdir
shs@stinkbug:~$ ls -ld newdir
drwxr-xr-x 2 shs shs 4096 Sep 14 15:42 newdir

Creating a file:

$ touch newfile
$ ls -l newfile
-rw-r--r-- 1 shs shs 0 Sep 14 15:30 newfile

The important difference — files are never given execute permission unless specifically requested. So, if your umask is 022, you will notice that the permissions are similar for files and directories, but the files lack execute permissions across the board.

It helps to remember that numeric permissions when used in commands such as chmod 750 are expressed in octal, so 0 in some umask field means 000 — no read, write, or execute rights — and 7 means 111 — all permissions.

0 = 000 = ---
1 = 001 = --x
2 = 010 = -w-
3 = 011 = -wx
4 = 100 = r--
5 = 101 = r-x
6 = 110 = rw-
7 = 111 = rwx

Going from octal umask values to the permissions that will be set on directories and individual files, we get this:

             dirs   files
0 = 000 =>    rwx    rw-
1 = 001 =>    rw-    rw-
2 = 010 =>    r-x    r--
3 = 011 =>    r--    r--
4 = 100 =>    -wx    -w-
5 = 101 =>    -w-    -w-
6 = 110 =>    --x    ---
7 = 111 =>    ---    ---

Umask settings of 022 (deny write access to others in group and those outside the group) and 002 (deny write access to anyone outside the group) are most common, but 077 is better if you want to be sure that no one has access to your files by default.