chmod sets the permissions on a file that already exists. umask decides the permissions a new file is born with. It is a mask of bits to remove from the system defaults.
umask # show the current mask, e.g. 0022
The math
The base mode is 666 for files and 777 for directories (the system never grants execute on a new file automatically). The umask is subtracted from that:
| umask | New file (666 - mask) | New dir (777 - mask) | Who gets the new file |
|---|---|---|---|
022 | 644 | 755 | owner writes, others read (the common default) |
002 | 664 | 775 | owner and group write, others read (shared teams) |
077 | 600 | 700 | owner only (private, good for sensitive work) |
027 | 640 | 750 | owner writes, group reads, others nothing |
So a umask of 022 is why your new files come out 644 and your new directories 755. It is not arithmetic subtraction exactly (it is a bitwise clear), but for the usual values it reads like subtraction.
Change it for this session
umask 077 # everything you create now is owner-only
touch secret.txt # -> 600The change lasts until the shell exits. It affects only files created after you set it, not existing ones.
Change it for good
Per-user, add it to your shell startup (~/.bashrc, ~/.zshrc, or ~/.profile):
echo 'umask 077' >> ~/.bashrcSystem-wide defaults live in /etc/login.defs (UMASK) and /etc/profile. A tighter umask is a cheap, broad hardening win, especially on shared machines: set 077 and new files are private by default instead of world-readable.
FAQ
Because the default umask is 022, which clears the write bit for group and other. New files start from a base of 666 and the mask removes 022, leaving 644. Directories start from 777 and become 755. Change the umask to change the result.
Set umask 077. New files then come out 600 (owner read/write only) and directories 700. Add umask 077 to your ~/.bashrc or ~/.zshrc to make it permanent for your account.
No. umask only affects the permissions of files created after it is set. To change files that already exist, use chmod. See Linux file permissions explained.
See also
- Linux file permissions explained: the rwx and octal model umask shapes.
- How to chmod recursively: fix the permissions on files that already exist.
- setuid, setgid, and the sticky bit: the special bits umask does not touch.
Sources
Authoritative references this article was fact-checked against.





