How to Control the default permissions of new files created by users using "umask"

Default File Permissions

When you create a new file or directory, it is assigned initial permissions. There are two things that affect these initial permissions. The first is whether you are creating a regular file or a directory. The second is the current umask.

If you create a new directory, the operating system starts by assigning it octal permissions 0777 (drwxrwxrwx). If you create a new regular file, the operating system assigns it octal permissions 0666 (-rw-rw-rw-). You always have to explicitly add execute permission to a regular file. This makes it harder for an attacker to compromise a network service so that it creates a new file and immediately executes it as a program.

However, the shell session will also set a umask to further restrict the permissions that are initially set. This is an octal bitmask used to clear the permissions of new files and directories created by a process. If a bit is set in the umask, then the corresponding permission is cleared on new files. For example, the umask 0002 clears the write bit for other users. The leading zeros indicate the special, user, and group permissions are not cleared. A umask of 0077 clears all the group and other permissions of newly created files.

The umask command without arguments will display the current value of the shell’s umask:

[[email protected] ~]$ umask

Use the umask command with a single numeric argument to change the umask of the current shell. The numeric argument should be an octal value corresponding to the new umask value. You can omit any leading zeros in the umask.

The system’s default umask values for Bash shell users are defined in the /etc/profile and /etc/bashrc files. Users can override the system defaults in the .bash_profile and .bashrc files in their home directories.

umask Example

The following example explains how the umask affects the permissions of files and directories. Look at the default umask permissions for both files and directories in the current shell. The owner and group both have read and write permission on files, and other is set to read. The owner and group both have read, write, and execute permissions on directories. The only permission for other is read.

[[email protected] ~]$ umask
[[email protected] ~]$ touch default
[[email protected] ~]$ ls -l default.txt
-rw-rw-r--. 1 user user 0 May  9 01:54 default.txt
[[email protected] ~]$ mkdir default
[[email protected] ~]$ ls -ld default
drwxrwxr-x. 2 user user 0 May  9 01:54 default

By setting the umask value to 0, the file permissions for other change from read to read and write. The directory permissions for other changes from read and execute to read, write, and execute.

[[email protected] ~]$ umask 0
[[email protected] ~]$ touch zero.txt
[[email protected] ~]$ ls -l zero.txt
-rw-rw-rw-. 1 user user 0 May  9 01:54 zero.txt
[[email protected] ~]$ mkdir zero
[[email protected] ~]$ ls -ld zero
drwxrwxrwx. 2 user user 0 May  9 01:54 zero

To mask all file and directory permissions for other, set the umask value to 007.

[[email protected] ~]$ umask 007
[[email protected] ~]$ touch seven.txt
[[email protected] ~]$ ls -l seven.txt
-rw-rw----. 1 user user 0 May  9 01:55 seven.txt
[[email protected] ~]$ mkdir seven
[[email protected] ~]$ ls -ld seven
drwxrwx---. 2 user user 0 May  9 01:54 seven

A umask of 027 ensures that new files have read and write permissions for user and read permission for group. New directories have read and write access for group and no permissions for other.

[[email protected] ~]$ umask 027
[[email protected] ~]$ touch two-seven.txt
[[email protected] ~]$ ls -l two-seven.txt
-rw-r-----. 1 user user 0 May  9 01:55 two-seven.txt
[[email protected] ~]$ mkdir two-seven
[[email protected] ~]$ ls -ld two-seven
drwxr-x---. 2 user user 0 May  9 01:54 two-seven

The default umask for users is set by the shell startup scripts. By default, if your account’s UID is 200 or more and your username and primary group name are the same, you will be assigned a umask of 002. Otherwise, your umask will be 022. As root, you can change this by adding a shell startup script named /etc/profile.d/ that looks something like the output in this example:

[[email protected] ~]# cat /etc/profile.d/
# Overrides default umask configuration
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 007
    umask 022

The preceding example will set the umask to 007 for users with a UID greater than 199 and with a username and primary group name that match and to 022 for everyone else. If you just wanted to set the umask for everyone to 022, you could create that file with just the following content:

# Overrides default umask configuration
umask 022

To ensure that global umask changes take effect you must log out of the shell and log back in. Until that time the umask configured in the current shell is still in effect.