Umask Command in Linux

Introduction

All new files on Linux and Unix operating systems are created with default permissions. The umask utility displays or changes the file mode creation mask, which controls the permissions bits for newly created files and directories.

It's used by operations like mkdir, touch, and tee to create new files and directories.

In this tutorial, you will understand umask command in Linux. We will also address a few FAQs on Umask Command in Linux.

Linux Permissions

Before we go any further, let's take a quick look at the Linux permissions paradigm.

Each file in Linux is allocated an owner and a group, as well as permission access permissions for three main types of users:

The owner of the file.
Members of the group.
Everyone else is out.

Each class has three different sorts of permissions:

The read permission.
The write permission.
The execute permission.

This notion allows you to designate which users have permission to read, write, or execute the file.

Use the ls command to see the file permissions:

ls -l dirname

Output

drwxr-xr-x 12 linuxize users 4.0K Apr  8 20:51 dirname
|[-][-][-]    [------] [---]
| |  |  |        |       |       
| |  |  |        |       +-----------> Group
| |  |  |        +-------------------> Owner
| |  |  +----------------------------> Others Permissions
| |  +-------------------------------> Group Permissions
| +----------------------------------> Owner Permissions
+------------------------------------> File Type

The file type is indicated by the first character, which can be a standard file (-), a directory (d), a symbolic link (l), or any other specific form of a file.

The permissions are represented by the next nine characters, which are divided into three groups of three characters each. The first set displays owner permissions, the second group permissions, and the third set displays permissions for everyone else.

Read is represented by the character r with an octal value of 4, write is represented by the character w with an octal value of 2, execute permission is represented by the character x with an octal value of 1, and no permissions is represented by the character (-) with an octal value of 0.

Setuid, setgid, and Sticky Bit are three further sorts of special file permissions.

In the example above, (rwxr-xr-x) indicates that the owner has read, write, and execute permissions (rwx), as well as read and execute permissions for the group and others.

If we use a numeric notation to describe the file permissions, we get the number 755:

Owner: rwx = 4+2+1 = 7
Group: r-x = 4+0+1 = 5
Other: r-x = 4+0+1 = 5

Permissions can have three or four octal digits when written in numeric notation (0-7). Special permissions are represented by the first digit, and if it is omitted, the file has no special permissions. 755 is the same as 0755 in our case. The first digit can be any number between 4 and 1, with 4 being setuid, 2 being setgid, and 1 being Sticky Bit.

The chmod command can be used to adjust file permissions and the chown command can be used to change ownership.

Understanding `umask`

The default creation permissions on Linux systems are 666 for files, which gives user, group, and others read and write permission, and 777 for directories, which gives user, group, and others read, write, and execute permission. A file with execute rights cannot be created under Linux.

The umask utility can be used to change the default creation permissions.

Only the current shell environment is affected by umask. The default system-wide umask value is configured in the pam umask.so or /etc/profile file on most Linux distributions.

Edit the user's shell configuration files, such as /.bashrc or /.zshrc, if you want to specify a different value per user. umask followed by the required value can also be used to modify the current session umask value.

Simply type umask without any parameters to see the current mask value:

umask

The final product will include:

Output

022

The permission bits that will not be set on newly created files and directories are contained in the umask value.

As previously stated, the default creation permissions for files and directories are 666 and 777, respectively. Subtract the umask value from the default value to get the permission bits for the new files.

Use the following formula to determine how umask 022 will effect newly created files and directories:

Files: 666 - 022 = 644. The files can be accessed and modified by the owner. The files can only be read by the group and others.
Directories: 777 - 022 = 755. The owner can list, read, modify, create, and remove files in the directory using cd. cd into the directory and list and read the files for the group and others.

You can also use the -S option to display the mask value in symbolic notation:

umask -S

Output

u=rwx,g=rx,o=rx

The symbolic notation value, unlike the numeric notation, includes the permission bits that will be set on newly created files and folders.

Setting the Mask Value

The octal or symbolic notation can be used to set the file creation mask. Set the new umask value in a global configuration file like /etc/profile, which affects all users, or in a user's shell configuration files like ~/.profile, ~/.bashrc, or/.zshrc, which affects only the user, to make the changes permanent. The user files come first, followed by the global files.

Before changing the umask value, double-check that the new value does not represent a security concern. With values less restrictive than 022, extreme caution should be exercised. Anyone with read, write, and execute permissions on all newly created files, for example, has umask 002.

Let's imagine we want to give the newly created files and directories more restrictive permissions so that others can't cd to them or read their contents. We need 750 permissions for directories and 640 permissions for files.

Simply subtract the needed permissions from the default one to get the umask value:

Umask value: 777-750 = 027

The numeric representation of the requested umask value is 027.

Open the /etc/profile file using your text editor to change the new value system-wide:

sudo nano /etc/profile

and at the top of the file, edit or add the following line:

umask 027

Run the following source command or log out and back in to see the changes:

source /etc/profile

To test the updated settings, we'll use mkdir to create a new file and directory, then touch:

mkdir newdir
touch newfile

Using the ls command, you can see that the new file has 640 permissions and the new directory has 750 permissions, which is exactly what we wanted:

drwxr-x--- 2 linuxize users 4096 Jul  4 18:14  newdir
-rw-r----- 1 linuxize users    0 Jul  4 18:14  newfile

Symbolic notation is another approach to set the file creation mask. umask u=rwx,g=rx,o=, for example, is the same as umask 027.

FAQs on Umask Command in Linux

How does the umask value affect file permissions?

The umask value is subtracted from the default permissions to determine the actual permissions of the newly created files and directories. It works as a mask that removes specific permission bits.

What is the default umask value in Linux?

The default umask value in Linux is usually set to 022, which results in read (r), write (w), and execute (x) permissions for the owner, and read and execute permissions for group and others.

How do I check the current umask value?

To check the current umask value, you can simply type "umask" into the terminal without any arguments. It will display the current umask value.

How can I set a specific umask value?

To set a specific umask value, use the command "umask" followed by the desired value. For example, "umask 027" sets the umask value to 027.

Can I specify symbolic permissions with the umask command?

No, the umask command only accepts octal values. The symbolic notation is not supported.

How can I make the umask value persistent across sessions?

To make the umask value persistent across sessions, you can add the umask command with the desired value to the appropriate shell configuration file (e.g., ~/.bashrc or ~/.profile).