Hi everyone, I’m still trying to completely understand the umask command. I get that it affects the default permissions for new files and folders, but I’m having trouble fully understanding how it works in practice. From what I’ve read, umask removes certain permission values when a file or directory is created. For example, I’ve seen examples using 022, 002, and 077, but I’m not sure how to decide which one to use. How do I know what the “right” umask value is for a normal desktop user versus a shared server? I’m also confused about how the numbers actually work. Why does 022 result in files with permissions like 644? Is there a simple way to calculate this without memorizing it? Finally, if I want my umask setting to stay the same every time I log in, what is the simplest way to do that, and which configuration file would be best to use? Is it completely different on each Linux distribution? If anyone could explain this in simple terms or give a practical example, I’d really appreciate it. Thanks!
1) First: what umask actually is

umask = User file creation mode mask

It does NOT set permissions. Instead: umask removes permissions from the default permissions when new files and directories are created.

Linux does not start at 000 and add permissions. It starts at a predefined maximum and then subtracts using umask.

2) Default permissions (very important!)

When a program creates something:

| Object | Starting permission (before umask) |
|---|---|
| File | 666 → rw-rw-rw- |
| Directory | 777 → rwxrwxrwx |

Why files aren’t 777? Because executable files should never be automatically executable (security).

3) The permission numbers (quick refresher)

Each digit is a group:

| Position | Who |
|---|---|
| 1st | User (owner) |
| 2nd | Group |
| 3rd | Others (everyone else) |

Each number is binary flags:

| Value | Permission |
|---|---|
| 4 | Read (r) |
| 2 | Write (w) |
| 1 | Execute (x) |

Examples:

| Number | Meaning |
|---|---|
| 7 | 4+2+1 = rwx |
| 6 | 4+2 = rw- |
| 5 | 4+1 = r-x |
| 4 | r-- |
| 0 | --- |

So:

    755 = rwxr-xr-x
    644 = rw-r--r--

4) What umask does (the key idea)

umask is a mask of permissions to remove. It works like:

    final permissions = default permissions − umask

But it’s not normal subtraction. It is actually a bitwise removal.

Think: A 1 in umask means “block this permission”.

5) Example: the most common umask (022)

Check yours:

    umask

Typical output:

    0022

Now we calculate manually.

A) Creating a FILE

Start with default:

    666 (rw-rw-rw-)

Apply umask:

    umask = 022

Now subtract digit by digit:

| Category | Default | Umask | Result |
|---|---|---|---|
| User | 6 | 0 | 6 |
| Group | 6 | 2 | 4 |
| Others | 6 | 2 | 4 |

Result:

    644 → rw-r--r--

So every new file becomes:

    -rw-r--r--

That’s why files you create are readable by everyone but writable only by you.

B) Creating a DIRECTORY

Directories start with:

    777

Apply same umask:

    777 - 022

| Category | Default | Umask | Result |
|---|---|---|---|
| User | 7 | 0 | 7 |
| Group | 7 | 2 | 5 |
| Others | 7 | 2 | 5 |

Result:

    755 → rwxr-xr-x

That’s why directories are accessible but not writable by others.

6) Why files and directories differ

Files start 666 because execute (x) is dangerous. If files started at 777: Every downloaded script would automatically run. Huge security problem.

Directories need execute (x) because: execute on a directory = permission to enter it / traverse it. Without x, you cannot cd into the directory.

7) The trick to calculating umask quickly

Instead of subtracting, many admins use this mental trick:

The “complement to 7” rule

For directories:

    permission = 7 - umask_digit

Example umask 027:

| Digit | Calculation | Result |
|---|---|---|
| 0 | 7-0 | 7 |
| 2 | 7-2 | 5 |
| 7 | 7-7 | 0 |

Directory = 750

Files are the same except they start from 6 instead of 7:

    file permission = 6 - umask_digit

So:

    6-0=6
    6-2=4
    6-7=0

File = 640

8) Understanding common umask values

| Umask | Files | Directories | Meaning |
|---|---|---|---|
| 022 | 644 | 755 | Normal multi-user Linux (most systems) |
| 002 | 664 | 775 | Shared group collaboration |
| 077 | 600 | 700 | Private (secure servers, SSH keys) |

Example: 077 → nobody else can read your files.

9) Try it yourself (best way to learn)

Run:

    umask 077
    touch secret.txt
    mkdir private
    ls -l

You’ll see:

    -rw------- secret.txt
    drwx------ private

Now:

    umask 022
    touch normal.txt

Compare again.

10) Important: umask vs chmod

| Command | Purpose |
|---|---|
| umask | affects future files |
| chmod | changes existing files |

umask is like a template. chmod is manual editing afterward.

11) Where umask is set

Temporarily (current shell):

    umask 027

Permanent (user):

    ~/.bashrc
    ~/.profile

System-wide:

    /etc/profile
    /etc/login.defs

One-sentence memory trick

umask doesn’t give permissions — it takes them away from 666 (files) and 777 (directories). If you remember only that, you can always recalculate permissions manually.
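Added example, not part of the original posts: a POSIX shell script that applies the "bitwise removal" rule from the answer (default AND NOT umask) and compares the prediction with the mode the system actually gives a new file and directory. The function names `predict_mode` and `actual_mode` are made up for this example, and 033 is included as a mask whose odd digits show bit clearing at work on files (666 with 033 gives 644).

```shell
#!/bin/sh
# Added example: predict a new object's mode from the umask, then confirm it
# against what the system really assigns. Function names are illustrative.

# predict_mode BASE MASK: clear MASK's bits from BASE (both octal, e.g. 666 027).
# This is bit clearing (BASE AND NOT MASK), not decimal subtraction.
predict_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 ))"
}

# actual_mode KIND MASK: create a file or directory under MASK in a scratch
# directory and print the mode it received. Runs in a subshell, so the
# caller's umask is left untouched.
actual_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$2"
        if [ "$1" = dir ]; then
            mkdir "$tmp/probe"
        else
            : > "$tmp/probe"
        fi
        # GNU stat first, BSD/macOS stat as a fallback.
        mode=$(stat -c '%a' "$tmp/probe" 2>/dev/null || stat -f '%Lp' "$tmp/probe")
        rm -rf "$tmp"
        printf '%s\n' "$mode"
    )
}

# Side-by-side table: calculated mode versus the mode observed on disk.
printf '%-6s %-10s %-10s %-10s %-10s\n' umask file-calc file-real dir-calc dir-real
for mask in 022 002 077 027 033; do
    printf '%-6s %-10s %-10s %-10s %-10s\n' "$mask" \
        "$(predict_mode 666 "$mask")" "$(actual_mode file "$mask")" \
        "$(predict_mode 777 "$mask")" "$(actual_mode dir "$mask")"
done
```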