UMASK in Linux or Unix systems is known as the User Mask, also called the User File Mask. It is the base or default permission given when a new file or folder is created on a Linux machine.
It is used by several commands in Linux such as mkdir, touch, tee and other commands that create files and directories. It is involved every time a new file or directory is created.
Before we dive deep into umask, let's first briefly understand file permissions.
Linux is known for its security. Each file or directory in Linux has a specific set of permissions and ownership rights. Let's look at the user classes below.
Each file in Linux has the following three user classes associated with it.
- User – A user who owns the file – By default, it indicates who created the file if you do not change it.
- Group – This indicates that the users in the group will have the privileges assigned to the file.
- Other – This restricts other users who are not owners or in the assigned group.
There are three types of file access for each user class mentioned above.
- r – read permission – the ability to read the contents of the file
- w – write permission – the ability to change the contents of the file
- x – execute permission – the ability to run the file as a program
The above concept tells who can read the file content, change the file content or run the program.
Viewing Permissions – Symbolic Mode:
Let's look at file ownership below. You can retrieve this information on your Linux machine by typing the ls -l command.
The first character of each line in the ls -l output shows the file type. There may be different types of files in Linux, as below.
- "-" – Specifies a simple regular file with various extensions such as .txt, .json, .sh, .py, .rb, etc.
- "d" – Indicates a directory / folder
- "l" – Indicates a symbolic link, also called a symlink or soft link
- "c" – Indicates a character device file
- "b" – Indicates a block device file
The next nine symbols are divided into three parts as below.
- rwx – The file owner can read the content, change the content and run the file as a program
- r-x – Members of the group "users" can read the content and run the file as a program but cannot change the file contents
- r-x – Anyone who is neither the owner nor a member of the group, i.e. others, can also read the contents of the file and run the file as a program but cannot change the file contents
Viewing Permissions – Numeric Mode:
There is another way to represent permissions, using numbers, called numeric mode.
Let's look at the numeric permission table below.
1  --x  Only execute permission
2  -w-  Only write permission
3  -wx  Write and execute permissions
4  r--  Read only permission
5  r-x  Read and execute permissions
6  rw-  Read and write permissions
7  rwx  Read, write, and execute permissions
If I refer to this numeric permission table and apply it to the same directory mentioned above, the permissions look like below.
rwx  4 + 2 + 1  7
r-x  4 + 0 + 1  5
r-x  4 + 0 + 1  5
Therefore, the numeric permission of the testdir directory is 755.
Let's create a new file and a new directory by executing the command below.
$ touch testfile
$ mkdir testdir
Let's see the permissions of testfile and testdir by executing the ls -l command.
$ ls -l
drwxr-xr-x 2 niteshb user 4096 Mar 21 22:43 testdir
-rw-r--r-- 1 niteshb user 0 Mar 21 22:43 testfile
Did you notice the permissions? They are different, right? This is due to the default umask value set on the Linux machine.
By default on a Linux machine, the default permission for a file is 666, which gives read and write permissions to the owner, group, and others, and 777 for a directory, which means read, write, and execute permissions for the owner, group, and others.
As we know, directories cannot be executed. Why does a directory need execute permission? Well, execute permission on a directory is what allows access to the content under the directory. If we use the chmod command to change the permission of the directory to 666 and then try to enter the directory with the cd command, access is denied.
On most Linux distributions, the default value is set system-wide in pam_umask.so or in the /etc/profile file. By adding the value to the ~/.bashrc file in the user's home directory, we can set a umask value specific to that user.
To check the umask value, run the umask command.
We can ignore the very first 0 of the four digits it prints for now. It is part of the advanced permissions in Linux, which can prevent file modification even if you have write permission, or prevent deleting a file even if you are the root user. In this blog we will concentrate only on the other three digits.
To change the value for the current session, execute the command below followed by the desired value.
$ umask 0044
How files and directories get their permissions:
The value associated with umask is NOT the permission you get for your files and directories.
There is a very simple calculation. As we mentioned above, the default value for a file is 666 and for a directory it is 777. To calculate the permission bits for new files or directories, subtract the umask value from the default value.
For example, let's calculate how the permissions of a new file or directory are affected by the umask.
- Files: 666 - 022 = 644. According to this permission, the owner can read and modify the file. Group and others can read the file.
- Directory: 777 - 022 = 755. This means that the owner can read, write, and cd into the directory. Group and others can read and list the contents of the directory and cd into it.
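The subtraction above is shorthand: the system clears every permission bit that is set in the umask (base AND NOT umask), which matches subtraction only when each umask digit's bits are present in the base. The following added example (not from the original article) compares both calculations with the mode actually assigned on disk; the function names and the 033 test value are constructed for illustration, and a stat that supports -c (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example: creation mode = base AND NOT umask, checked against real files.

# effective_mode BASE MASK -> octal mode assigned at creation
# (BASE is 666 for files, 777 for directories; both arguments are octal).
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# naive_mode BASE MASK -> plain decimal subtraction, the rule of thumb
naive_mode() {
    printf '%03d\n' "$(expr "$1" - "$2")"
}

# observed_mode KIND MASK -> mode of a new file (f) or directory (d)
# created under MASK inside a throwaway directory.
observed_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$2"
        if [ "$1" = d ]; then mkdir "$tmp/probe"; else : > "$tmp/probe"; fi
        stat -c '%a' "$tmp/probe"
        rm -rf "$tmp"
    )
}

# compare MASK -> one line per kind: subtraction, bitwise result, result on disk
compare() {
    for kind in f d; do
        if [ "$kind" = d ]; then base=777; else base=666; fi
        printf 'umask %s %s: subtract=%s and-not=%s on-disk=%s\n' \
            "$1" "$kind" "$(naive_mode "$base" "$1")" \
            "$(effective_mode "$base" "$1")" "$(observed_mode "$kind" "$1")"
    done
}

compare 022   # the article's value: all three columns agree
compare 033   # constructed value: subtraction and the on-disk file mode differ
```

With umask 033 a new file has no execute bit to clear, so subtraction gives 633 while the file is created as 644.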
You can also see the umask value in symbolic form by running umask with the -S option, which prints:
u=rwx,g=rx,o=rx
Unlike the numeric notation, the symbolic notation value contains the permission bits that will be set on the newly created files and directories.
Setting the mask value:
The file creation mask can be set with octal or symbolic notation. To make the changes permanent, set the new value in a global configuration file such as /etc/profile, which will affect all users, or in a user's shell configuration files such as ~/.profile, ~/.bashrc or ~/.zshrc, which will only affect that user. The user files take precedence over the global files.
Before making any changes to umask, make sure that the new value does not pose a potential security risk. Values that are less restrictive than 022 should be used with great caution. For example, umask 000 means that anyone will have read, write, and execute permissions for all newly created files.
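One way to check the configuration files named above for values less restrictive than 022, as an added example that is not part of the original article. The function names and the sample file are constructed; only octal values are parsed, and a setting counts as weak when it leaves group write or other write enabled.

```shell
#!/bin/sh
# Added example: flag octal umask settings weaker than 022 in shell start-up files.

# is_weaker_than_022 MASK -> status 0 if MASK does not clear both
# group write and other write (the two bits that 022 removes).
is_weaker_than_022() {
    [ $(( 0$1 & 022 )) -ne $(( 022 )) ]
}

# audit_umask_file FILE -> prints "FILE:LINE: umask VALUE" for each weak setting
# and returns 1 if any was found. Comment lines and symbolic values are skipped.
audit_umask_file() {
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        value=$(printf '%s\n' "$line" |
            sed -n 's/^[[:space:]]*umask[[:space:]][[:space:]]*\([0-7][0-7]*\).*$/\1/p')
        [ -n "$value" ] || continue
        if is_weaker_than_022 "$value"; then
            printf '%s:%s: umask %s\n' "$1" "$lineno" "$value"
            found=1
        fi
    done < "$1"
    return "$found"
}

# Constructed sample standing in for /etc/profile or ~/.bashrc.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# umask 000   (commented out, ignored)
umask 027
  umask 002
umask 000
EOF

audit_umask_file "$sample" || echo "weak umask settings found"
```

To audit a real system, call audit_umask_file on /etc/profile and on each user's ~/.profile, ~/.bashrc and ~/.zshrc.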
Let's say we want to set more restrictive permissions for the newly created files and directories so that others will not be able to cd to the directories and read files. The permissions we want are 750 for directories and 640 for files.
To calculate the umask value, simply subtract the desired permissions from the default setting:
777 - 750 = 027
The umask value represented in numeric notation is 027.
To permanently set the new value system-wide, open the /etc/profile file with your text editor and change or add a line setting umask 027 at the beginning of the file.
For the changes to take effect, run the following source command or log out and log back in:
$ source /etc/profile
To verify the new settings we create a new file and directory with the commands below.
$ mkdir newtestdir
$ touch newtestfile
If you check the permissions with the ls command, you will notice that the new file has 640 and the new directory 750 permissions, as we wanted:
drwxr-x--- 2 niteshb users 4096 Mar 21 22:43 newtestdir
-rw-r----- 1 niteshb user 0 Mar 21 22:43 newtestfile
Another way to set the file creation mask is to use symbolic notation. For example, umask u=rwx,g=rx,o= is the same as umask 027.
In this guide we have explained Linux permissions and how to use the umask command to set the permission bits for created files or directories.
For more information, type the command below in your terminal.
$ man umask