3.3. Umask & Defaults#

When you create a file, it doesn’t automatically have 777 (everything open). Instead, the system applies a umask — a mask that removes certain permissions from the default. Understanding umask is key to creating secure files automatically.

3.3.1. How Umask Works#

The umask is the set of permission bits to remove from the default. For the common values it can be read as a subtraction:

File permissions      = Default (666) - umask
Directory permissions = Default (777) - umask

Strictly, the kernel clears bits rather than subtracting (mode = default AND NOT umask), so the subtraction shortcut is only exact when every bit set in the umask is also set in the default. This is also why a new file is never executable: 666 has no execute bits for the umask to clear.

3.3.1.1. Viewing Your Umask#

$ umask
0022

# Breakdown:
# 0 = special bits (setuid, setgid, sticky)
# 022 = the actual umask (remove 2 for group, 2 for others)

3.3.1.2. How to Interpret Umask#

umask 0022 means (results shown against the directory default 777; files start from 666, so the owner column gives 6 = rw- there):
  User:   0 = 000 = don't remove anything     → 7 (rwx)
  Group:  2 = 010 = remove write              → 5 (r-x)
  Others: 2 = 010 = remove write              → 5 (r-x)
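The calculation above, as an added example (not code from the original page): a small POSIX shell script that computes the effective mode bitwise, compares it with the subtraction shortcut, and then checks the kernel's real answer by creating a probe file. It goes one step past the text by including umask 011, where the two calculations disagree. The observed_mode check assumes GNU stat (-c %a); mktemp, the function names and the probe file name are this example's own.

```shell
#!/bin/sh
# Added example: effective mode is default AND NOT umask, not default minus umask.
# Assumes GNU stat (-c %a) for observed_mode; everything else is plain POSIX sh.

# Mode a new file (default 666) or directory (default 777) receives.
# Arguments are octal strings as shown by umask/ls: effective_mode 666 022 -> 644
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# The subtraction shortcut from the text; right for 022/077/002/007, wrong in general.
naive_mode() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# Create a probe file under the given umask in a scratch directory and report the
# mode the kernel actually assigned. umask runs in a subshell, so the caller's
# umask is left untouched.
observed_mode() {
    scratch=$(mktemp -d) || return 1
    ( umask "$1" && : > "$scratch/probe" )
    stat -c '%a' "$scratch/probe"
    rm -rf "$scratch"
}

# The common values from the text, then one where subtraction gives the wrong answer.
for u in 022 077 002 007 011; do
    printf 'umask %s: file %s (subtraction says %s), dir %s\n' \
        "$u" "$(effective_mode 666 "$u")" "$(naive_mode 666 "$u")" "$(effective_mode 777 "$u")"
done
printf 'kernel-observed file mode under umask 011: %s\n' "$(observed_mode 011)"
```

For umask 011 the subtraction gives 655, but the kernel reports 666: the write bits in 011 are not set in 666, so there is nothing to clear. The same bitwise rule is what makes 077 on a directory yield 700 rather than some odd arithmetic remainder.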

3.3.1.3. Umask in Action#

# Default file permissions
$ umask
0022
$ touch newfile.txt
$ ls -l newfile.txt
-rw-r--r-- 1 user user 0 Jan 15 newfile.txt
# 666 - 022 = 644 (rw-r--r--)

# Default directory permissions
$ mkdir newdir
$ ls -ld newdir
drwxr-xr-x 1 user user 4096 Jan 15 newdir
# 777 - 022 = 755 (rwxr-xr-x)

3.3.1.4. Changing Umask#

# Set temporarily (until logout)
$ umask 0077
$ touch secret.txt
$ ls -l secret.txt
-rw------- 1 user user 0 Jan 15 secret.txt
# 666 - 077 = 600 (rw-------)

# Set permanently (in ~/.bashrc)
$ echo 'umask 0077' >> ~/.bashrc
$ source ~/.bashrc

3.3.1.5. Common Umask Values#

umask 0022  (default)
  Files:  644 (rw-r--r--)
  Dirs:   755 (rwxr-xr-x)
  
umask 0077  (very restrictive)
  Files:  600 (rw-------)
  Dirs:   700 (rwx------)
  
umask 0002  (group-friendly)
  Files:  664 (rw-rw-r--)
  Dirs:   775 (rwxrwxr-x)
  
umask 0007  (user and group, exclude others)
  Files:  660 (rw-rw----)
  Dirs:   770 (rwxrwx---)

3.3.2. Secure Umask Practices#

3.3.2.1. Default 022 is Usually Fine#

The default umask 0022 provides a good balance:

  • Your files: Writable by you only

  • Others: Can read but not modify

  • Good for: General development, shared systems

$ umask 0022
$ touch document.txt
$ ls -l document.txt
-rw-r--r-- 1 user user 0 Jan 15 document.txt
# Others can see it but not modify - reasonable

3.3.2.2. Use 077 for Sensitive Work#

When dealing with passwords, keys, or secrets:

$ umask 0077
$ touch ~/.ssh/config
$ ls -l ~/.ssh/config
-rw------- 1 user user 0 Jan 15 config
# Only you can access - very secure

3.3.2.3. Team Environments (002 or 007)#

When working in teams with shared directories:

# umask 0002 - group can read/write
$ umask 0002
$ touch shared_file.txt
$ ls -l shared_file.txt
-rw-rw-r-- 1 user devteam 0 Jan 15 shared_file.txt

# Directory should use setgid (the directory must already exist)
$ chmod g+s shared_dir
# New files inside inherit the directory's group instead of the creator's primary group
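The team setup above, as an added example (not code from the original page): a POSIX shell script that creates a shared directory with group rwx, no access for others, and the setgid bit, then checks that the bit is really present, that a file created under umask 007 gets 660, and that every file in the directory carries the directory's group. It assumes GNU stat (-c %a / %g); the function names and the temporary directory are this example's own.

```shell
#!/bin/sh
# Added example: shared team directory with setgid, plus the checks a reviewer
# would run afterwards. Assumes GNU stat (-c).

# Create (or fix) a shared directory: owner and group rwx, others nothing,
# setgid so new files inherit the directory's group. Prints the mode (2770).
make_shared_dir() {
    mkdir -p "$1" || return 1
    chmod 770 "$1" && chmod g+s "$1" || return 1
    stat -c '%a' "$1"
}

# Exit 0 if the directory carries the setgid bit (02000), 1 otherwise.
# Note: chmod silently drops setgid for a non-root user who is not in the
# directory's group, so always verify rather than assume.
has_setgid() {
    [ $(( 0$(stat -c '%a' "$1") & 02000 )) -ne 0 ]
}

# Create a file inside the shared directory under umask 007; prints its mode (660).
new_team_file() {
    ( umask 0007 && : > "$1" ) || return 1
    stat -c '%a' "$1"
}

# Count entries whose group differs from the directory's group, which is exactly
# what setgid is meant to prevent. Offenders go to stderr, the count to stdout.
group_mismatches() {
    want=$(stat -c '%g' "$1"); n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        [ "$(stat -c '%g' "$f")" = "$want" ] || { printf 'group mismatch: %s\n' "$f" >&2; n=$((n+1)); }
    done
    echo "$n"
}

team=$(mktemp -d)/team
make_shared_dir "$team"
new_team_file "$team/notes.txt"
has_setgid "$team" && echo "setgid set on $team"
echo "group mismatches: $(group_mismatches "$team")"
```

umask 007 rather than 002 is used for the file so that others get nothing, matching the 770 directory; with 002 the file would be 664 and readable by everyone who can traverse the directory.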

3.3.2.4. Setting Default Umask System-Wide#

# Edit /etc/profile or /etc/bash.bashrc (requires sudo)
$ sudo vim /etc/profile

# Add at the end. /etc/profile is also read by plain sh, which does not set $UID,
# so ask id(1) instead of relying on the bash-only variable:
if [ "$(id -u)" -ge 1000 ]; then
    umask 0022  # Regular users
else
    umask 0077  # Root and system accounts (UID below 1000) get the restrictive mask
fi

# Verify
$ sudo grep umask /etc/profile

3.3.2.5. When Umask Isn’t Enough#

Sometimes you need different permissions after creation:

# Create file with default umask
$ touch important.txt  # Gets 644 under umask 022

# Immediately restrict it (the file was world-readable between the two commands)
$ chmod 600 important.txt  # Now only the owner can read or write it

# Or use install command (creates and sets permissions at once)
$ install -m 600 /dev/null important_file.txt
$ ls -l important_file.txt
-rw------- 1 user user 0 Jan 15 important_file.txt
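The two ways of avoiding that window, plus a check for files that already slipped through, as an added example (not code from the original page): a POSIX shell script that creates an owner-only file either under a subshell umask or with install -m, and then audits a directory for files whose mode has any bit outside a policy such as 600. It assumes GNU stat (-c %a) and GNU install; the function names, the policy value and the temporary files are this example's own.

```shell
#!/bin/sh
# Added example: create a secret file with the right mode from the first instant,
# and audit a directory for files looser than policy. Assumes GNU stat and install.

# Owner-only empty file; the umask change lives in a subshell so the caller's
# umask is unaffected. Prints the mode (600).
create_private() {
    ( umask 0077 && : > "$1" ) || return 1
    stat -c '%a' "$1"
}

# Same result with install(1), which creates the file with its mode in one step.
create_private_install() {
    install -m 600 /dev/null "$1" || return 1
    stat -c '%a' "$1"
}

# Exit 0 if the path's mode has no bit outside the allowed mode, 1 if it is looser.
# The test is bitwise (actual AND NOT allowed): 640 fails policy 600, 400 passes.
mode_within() {
    [ $(( 0$(stat -c '%a' "$2") & ~0$1 )) -eq 0 ]
}

# Report regular files under a directory that exceed the policy (to stderr)
# and print how many there were.
audit_dir() {
    allowed=$1; n=0
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        if ! mode_within "$allowed" "$f"; then
            printf 'TOO PERMISSIVE: %s is %s, policy %s\n' "$f" "$(stat -c '%a' "$f")" "$allowed" >&2
            n=$((n+1))
        fi
    done
    echo "$n"
}

work=$(mktemp -d)
create_private "$work/id_example"            # 600
create_private_install "$work/token"         # 600
( umask 0022 && : > "$work/notes.txt" )      # 644, the default-umask case from the text
echo "files outside policy 600: $(audit_dir 600 "$work")"   # 1 (notes.txt)
```

mode_within compares bits rather than numbers on purpose: a numeric check such as "mode <= 600" would accept 577, which is readable by everyone, while the bitwise check rejects anything that grants a permission the policy does not.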