chmod sets the permissions on a file that already exists. umask decides the permissions a new file is born with. It is a mask of bits to remove from the system defaults.
umask # show the current mask, e.g. 0022
The math
The base mode is 666 for files and 777 for directories (the system never grants execute on a new file automatically). The umask is subtracted from that:
| umask | New file (666 - mask) | New dir (777 - mask) | Who gets the new file |
|---|---|---|---|
| 022 | 644 | 755 | owner writes, others read (the common default) |
| 002 | 664 | 775 | owner and group write, others read (shared teams) |
| 077 | 600 | 700 | owner only (private, good for sensitive work) |
| 027 | 640 | 750 | owner writes, group reads, others nothing |
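So a umask of 022 is why your new files come out 644 and your new directories 755. Strictly, the mask is not subtracted: its bits are cleared from the base mode (a bitwise AND with the inverted mask). For 022 and 002 that reads like subtraction. For 077 and 027 on files it does not, because the 7 also names the execute bit, which the 666 base never had; clearing a bit that is already off changes nothing, which is how the table arrives at 600 and 640.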
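The bitwise clear described above, as an added example that is not part of the original article: it computes the mode both ways and checks the result against a file actually created under each mask. The function names are illustrative, and the script assumes GNU coreutils (`stat -c`, `mktemp`).

```shell
#!/bin/sh
# Added example: umask is a bitwise clear (base & ~mask), not octal subtraction.
# Function names are illustrative. Assumes GNU coreutils (stat -c, mktemp).

# Mode the kernel grants: the requested base mode with the mask bits cleared.
predicted_mode() {  # usage: predicted_mode BASE MASK (octal, e.g. 666 027)
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# What literal octal subtraction would give, for comparison only.
subtracted_mode() {  # usage: subtracted_mode BASE MASK
    printf '%03o\n' $(( (0$1 - 0$2) & 0777 ))
}

# Create a real file or directory under the given umask and report its mode.
# The umask is set inside a subshell, so the caller's mask is left untouched.
created_mode() {  # usage: created_mode file|dir MASK
    (
        tmp=$(mktemp -d) || exit 1
        umask "$2"
        if [ "$1" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
        mode=$(stat -c '%a' "$tmp/new")
        rm -rf "$tmp"
        printf '%s\n' "$mode"
    )
}

# Compare the two calculations with what lands on disk for the table's masks.
printf '%-5s %-9s %-9s %-8s\n' umask subtract bitwise on-disk
for m in 022 002 077 027; do
    printf '%-5s %-9s %-9s %-8s\n' "$m" \
        "$(subtracted_mode 666 "$m")" "$(predicted_mode 666 "$m")" \
        "$(created_mode file "$m")"
done
```

For 077 and 027 the subtract column disagrees with the other two, which always match each other.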
Change it for this session
umask 077 # everything you create now is owner-only
touch secret.txt # -> 600
The change lasts until the shell exits. It affects only files created after you set it, not existing ones.
Change it for good
Per-user, add it to your shell startup (~/.bashrc, ~/.zshrc, or ~/.profile):
echo 'umask 077' >> ~/.bashrc
System-wide defaults live in /etc/login.defs (UMASK) and /etc/profile. A tighter umask is a cheap, broad hardening win, especially on shared machines: set 077 and new files are private by default instead of world-readable.
See also
- Linux file permissions explained: the rwx and octal model umask shapes.
- How to chmod recursively: fix the permissions on files that already exist.
- setuid, setgid, and the sticky bit: the special bits umask does not touch.