umask is a Unix shell built-in command that automatically sets file permissions on newly created files.

The umask command can be confusing to use because it works as a mask. In other words, the user sets in the umask the permissions that he/she does not want.

To calculate permissions that will result from specific umask values, subtract the umask from 777. Note, however, that files are not usually created with the execute permission by default, so the final permissions for files will omit the “x” permission.

For example, if the user wants all files created with permissions of 666, he/she should set the umask to 000. Alternatively, for all files to be created with permissions of 000, the user should set the umask to 777 or 666 (which works since files do not normally have the execute permission).

A reasonable value for umask is 022, which will cause files to be created with permissions of 644 (rw-r--r--) and directories to be created with permissions of 755 (rwxr-xr-x).

A more secure value for umask is 066, which will cause files to be created with permissions of 600 (rw-------) and directories to be created with permissions of 700 (rwx------).

umask is normally defined in the .profile or .login user startup files. Simply add/change the following line to specify a custom value:

umask <new mask>

where new mask contains the new octal mask permissions. The umask can also be set systemwide by editing the systemwide profiles, i.e. /etc/profile and friends.

More Technical Details

Technically speaking, new file permissions are not simply the result of subtracting the umask. Rather, permissions for a new file are determined by ANDing the complement of the umask with the permissions that the creating program uses by default. For example, the vi editor creates files with default permissions (perm) of 644, so for umask = 022,

perm AND NOT umask

will be 644 AND 755, which is 644.

However, if a program creates a file using the following system call:

open("f", O_WRONLY | O_CREAT, 0777),

the permissions will be

777 AND NOT 022,

which is 777 AND 755, which in turn equals 755.

Specifying a Value Using the -S Option

Users do not need to specify a mask when they use this option. The following command will display the existing default value for new files:

umask -S

u=rwx,g=rx,o=rx

To set full access for the owning user and group and deny all permissions for others, use the following straightforward command:

umask -S u=rwx,g=rwx,o=

As before, these permissions are simply the maximum allowed permissions on new files. Since applications like vi do not usually make text files executable, the “x” permission will be omitted.

Specifying umask Values Programmatically

If the function for manipulating umask expects an integer, specify the “0” prefix to indicate that the octal number system is being used. However, the “0” prefix is not required if the function expects an octal string. The umask shell command itself is one such example.
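
Both the AND NOT rule from More Technical Details and the octal "0" prefix can be checked against the kernel directly. The following C program is an added example, not part of the original article; the helper name created_mode and the /tmp scratch directory are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() under strict -std= modes */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a file under `mask`, asking open() for
 * `requested`, and return the permission bits actually stored (-1 on error).
 * The /tmp scratch location is an assumption of this example. */
static int created_mode(mode_t mask, mode_t requested)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";
    char path[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(dir) == NULL)              /* private 0700 scratch directory */
        return -1;
    snprintf(path, sizeof path, "%s/f", dir);

    mode_t saved = umask(mask);            /* umask() returns the previous mask */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(saved);                          /* restore the caller's mask */

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    /* The article's two cases: 644 AND NOT 022, then 777 AND NOT 022. */
    printf("umask 022, mode 0644 -> %03o\n", created_mode(022, 0644));
    printf("umask 022, mode 0777 -> %03o\n", created_mode(022, 0777));
    /* Octal subtraction would give 0666 - 0077 = 0567; AND NOT gives 0600. */
    printf("umask 077, mode 0666 -> %03o\n", created_mode(077, 0666));
    /* Without the leading 0, 22 is decimal (octal 026), so the mask differs. */
    printf("umask 22,  mode 0666 -> %03o\n", created_mode(22, 0666));
    return 0;
}
```

The last call shows why the prefix matters: the decimal integer 22 also strips group write and other read/write, so the file ends up 640 instead of the 644 that octal 022 would give.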