TechEarl

Linux umask Explained (Default Permissions)

How umask subtracts from 666 and 777 to set the permissions new files and directories are born with, how to read it, and how to change it for a session or for good.

Ishan Karunaratne⏱️ 3 min readUpdated
Share thisCopied
How the Linux umask subtracts from 666 and 777 to decide the permissions new files and directories are created with, and how to change it.

chmod sets the permissions on a file that already exists. umask decides the permissions a new file is born with. It is a mask of bits to remove from the system defaults.

bash
umask          # show the current mask, e.g. 0022
Terminal showing umask output 0022, a new file created at 644, then umask 077 and a new file created at 600, demonstrating how the mask removes permission bits.
With umask 022 a new file is 644; with umask 077 it is 600. The mask is subtracted from the base mode.

The math

The base mode is 666 for files and 777 for directories (the system never grants execute on a new file automatically). The umask is subtracted from that:

umaskNew file (666 - mask)New dir (777 - mask)Who gets the new file
022644755owner writes, others read (the common default)
002664775owner and group write, others read (shared teams)
077600700owner only (private, good for sensitive work)
027640750owner writes, group reads, others nothing

So a umask of 022 is why your new files come out 644 and your new directories 755. It is not arithmetic subtraction exactly (it is a bitwise clear), but for the usual values it reads like subtraction.

Change it for this session

bash
umask 077        # everything you create now is owner-only
touch secret.txt # -> 600

The change lasts until the shell exits. It affects only files created after you set it, not existing ones.

Change it for good

Per-user, add it to your shell startup (~/.bashrc, ~/.zshrc, or ~/.profile):

bash
echo 'umask 077' >> ~/.bashrc

System-wide defaults live in /etc/login.defs (UMASK) and /etc/profile. A tighter umask is a cheap, broad hardening win, especially on shared machines: set 077 and new files are private by default instead of world-readable.

FAQ

Because the default umask is 022, which clears the write bit for group and other. New files start from a base of 666 and the mask removes 022, leaving 644. Directories start from 777 and become 755. Change the umask to change the result.

Set umask 077. New files then come out 600 (owner read/write only) and directories 700. Add umask 077 to your ~/.bashrc or ~/.zshrc to make it permanent for your account.

No. umask only affects the permissions of files created after it is set. To change files that already exist, use chmod. See Linux file permissions explained.

See also

Sources

Authoritative references this article was fact-checked against.

TagsLinuxumaskFile PermissionsShellSystem Administration

Found this useful? Pass it on.

Copied

Ishan Karunaratne

Software Systems Architect · Senior Software Engineer · Engineering Leadership

Software systems architect and senior software engineer with more than two decades designing, building, and running production software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Now a CTO, though what I write here is drawn from the full arc of that work, across architecture, engineering, and operations, not any single job.

Keep reading

Related posts