Umask Command in Linux

Using umask utility, you can view or set the file mode creation mask that determines permissions for newly created files or directories.
It is used by mkdir, touch, tee and other commands that create new files and directories.

Linux Permissions#

In Linux, every file have it’s owner and a group and given a set of permission and access rights in three different ways:

• the file owner.
• the group members.
• everybody else.

There are three permissions types that apply to each class:

• the read permission.
• the write permission.
• the execute permission.

This allows you to specify which users are allowed to read the file, write to the file, or execute the file.

You can view the existing file permission using ls command:

ls -l dirname

drwxr-xr-x 12 tecnstuff users 4.0K Aug  8 20:51 dirname
|[-][-][-]    [------] [---]
| |  |  |        |       |       
| |  |  |        |       +-----------> Group
| |  |  |        +-------------------> Owner
| |  |  +----------------------------> Others Permissions
| |  +-------------------------------> Group Permissions
| +----------------------------------> Owner Permissions
+------------------------------------> File Type

The first character represents the file type which can be regular file (-), directory (d), symbolic link (l) or any other special type of file.

After that the next nine characters represent the permissions, three sets of three characters each. The first sets show the owner permissions, the second one group permissions, and the last set shows everybody else permissions.

Character r with an octal value of 4 stands for read, w with an octal value of 2 for write, x with an octal value of 1 for execute permission and (-) with octal value of 0 for no permissions.

There are also three other special file permissions types: setuid, setgid and Sticky Bit.

In this example above you can see there is rwxr-xr-x that means the owner has read, write and execute permissions (rwx), the group and others have read and execute permissions. In numeric notation the file permission can be represent to 755.

• Owner: rwx = 4+2+1 = 7
• Group: r-x = 4+0+1 = 5
• Other: r-x = 4+0+1 = 5

In numeric notation, permission can have three or four octal digits (0-7). Here, the first digit represents the special permission and if it is omitted that means there is no special permission for that file. In above example the numeric file permission 755 is same as 0755.

You also can change the file permission and ownership using the chmod and chown command respectively.

Understanding umask#

On Linux system, the default creation permission are 666 for files, that means it allows read and write to user, group, and others. While 777 for the directory, which means it allows read, write and execute permission to the user, group and others. By default, the Linux doesn’t allow a file to be created with execute permission.

If you would like to change the default file creation permission, you can modified using umask utility.

Generally, in most Linux distributions the default umask value is set in the pam_umask.so or /etc/profile file. You can also change the current session umask value by running umask followed by the desired value. The umask affects only the current shell environment.

You can view the current mask value just by typing the umask command without any options:

umask

It will show you output like this:

022

As we shown previously, the default creation permissions for files are 666 and for directories 777. To calculate the permission bits of the new files subtract the umask value from the default value.

For example, to understand that how umask 022 will affect newly created files and directories:

• Files: 666 - 022 = 644. The owner can read and modify the files. Group and others can only read the files.
• Directories: 777 - 022 = 755.The owner can cd into the directory and list read, modify, create or delete the files in the directory. Group and others can cd into the directory and list and read the files.

To display the mask value in symbolic notation, use the -S option:

umask -S

u=rwx,g=rx,o=rx

Setting the mask value#

You can make the permanent changes for umask value in global configuration file like /etc/profile file. That will will affect all users or in a user’s shell configuration files such as ~/.profile, ~/.bashrc or ~/.zshrc which will affect only the user.

Make sure before changes to umask, that it should not create any security risk to the system.

For example, to set restrictive permission for newly created files and directories, the permission should 750 for directories and 640 for files.

As we seen you can cross check the permission by subtract the desired permissions from the default one:

Umask value: 777-750 = 027

The desired umask value represented in numeric notation is 027.

Open the /etc/profile file with your text editor to permanently set the new value:

sudo nano /etc/profile

Add or change the following line at the beginning of the file:

umask 027

After that you should run the source command for changes to take effect:

source /etc/profile

Alternatively, you can logout and again login to get the effect of changes.

To test the changes we will create a new file and directory using mkdir and touch command:

mkdir testdir

touch testfile

Now we will check the permission of file and directory using the ls command and you can see that file has 640 and directory has 750 permission:

drwxr-x--- 2 tecnstuff users 4096 Jul  4 18:14  testdir
-rw-r----- 1 tecnstuff users    0 Jul  4 18:14  testfile

Conclusion#

In this article explained how to use the umask command and change default permission for newly created files and directories in Linux.

If you have any questions or feedback, please leave a comment below.