
Set default file permissions on Linux with umask

In the introduction to file permissions we learned about file permissions on Linux. When creating a new file, how does the system know which permissions to use? That depends on several factors.

File creation permissions

When creating files, Linux looks at a few factors that together determine the ownership and the permission bits of the new file.

  • user that created the file
  • context in which the creation command is running
  • specific parameters of the creation command
  • umask value

So it depends on the user that creates a file, but also on the underlying command that is used. One way to create a file is by redirecting some text to a file, using the built-in shell redirection.

echo "test" > /tmp/mytestfile

In this case, the test string is written to a file. If the file does not exist yet, it is created, and the umask value of the shell determines what its file permissions will be. We will have a look at the configuration and values.

Another option is a dedicated command like touch to create the file. Running processes may also create new files, for example a log file that does not exist yet. Typically, when a command or process creates a new file, it uses a syscall such as open(2).

Umask values explained

When seeing a umask for the first time, like 022, it does not directly look like normal file permissions. That is because the value is inverted: the umask was designed to express which file permission bits to turn off.

To find out what a value like 022 means, we take each digit separately. Then we can derive the resulting permissions by subtracting each digit from 7 for directories, or from 6 for files.

A file created with a umask of 022 will be:

  • 6-0 = 6
  • 6-2 = 4
  • 6-2 = 4

So that equals 644 when using the chmod command.

For a directory, this same umask results in the equivalent of chmod 755 directory.

Tip: with umask -S you can see the symbolic representation of the current umask.
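The per-digit subtraction above is a shortcut for what the kernel actually does: it takes the mode requested by the creating call (0666 for most files, 0777 for directories) and clears every bit that is set in the umask. The script below is an added example, not code from the original article; it implements both methods, shows where the shortcut diverges from the bitwise rule (a umask digit such as 3 has no matching bit to remove from 6), and checks the result against a file and a directory really created under a given umask. It assumes a POSIX shell and either GNU or BSD stat.

```sh
#!/bin/sh
# Added example (not from the original article): how a umask turns into the
# permission bits of a new file or directory, compared with the per-digit
# subtraction described in the text, and checked against real file creation.
# Assumes a POSIX shell plus GNU or BSD stat (both forms are tried).

# effective_mode REQUESTED_MODE UMASK
# What the kernel does: requested mode AND NOT umask. Both arguments are
# octal strings such as 666 and 022 or 0027; the prepended 0 makes the
# shell arithmetic read them as octal.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# subtract_mode BASE_DIGIT UMASK
# The rule of thumb from the article: subtract each umask digit from 6
# (files) or 7 (directories), clamping at 0.
subtract_mode() {
    local base digits i d r out
    base=$1
    digits=$(printf '00%s' "$2" | sed 's/.*\(...\)$/\1/')   # keep last 3 digits
    out=""
    for i in 1 2 3; do
        d=$(printf '%s' "$digits" | cut -c "$i")
        r=$(( base - d ))
        [ "$r" -lt 0 ] && r=0
        out="$out$r"
    done
    printf '%s\n' "$out"
}

# mode_of PATH -> permission bits as three octal digits (GNU stat, then BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# created_mode UMASK -> "FILEMODE DIRMODE" for a file and a directory actually
# created under that umask, in a scratch directory that is removed again.
created_mode() {
    local dir
    dir=$(mktemp -d)
    ( umask "$1"; : > "$dir/f"; mkdir "$dir/d" )
    printf '%s %s\n' "$(mode_of "$dir/f")" "$(mode_of "$dir/d")"
    rm -rf "$dir"
}

# Compare both methods. The shortcut is right for the common values 022 and
# 027, but for umask 033 it claims a file mode of 633 while the kernel gives
# 644: 3 is --x plus -w-, and removing those bits from rw- leaves r--.
for mask in 022 027 077 033; do
    printf 'umask %s: file %s (subtraction says %s), dir %s (subtraction says %s)\n' \
        "$mask" "$(effective_mode 666 "$mask")" "$(subtract_mode 6 "$mask")" \
        "$(effective_mode 777 "$mask")" "$(subtract_mode 7 "$mask")"
done
```

Running it prints one line per umask; the created_mode function is there to confirm the arithmetic against the real thing, for example created_mode 022 gives "644 755" on a filesystem without default ACLs.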

Configuration places of umask

The umask value can be configured in several places, some of which apply system-wide and some per user.

  • /etc/passwd
  • /etc/pam.d/common-session
  • /etc/profile
  • /etc/login.defs
  • /etc/default/login
  • shell configuration file
  • systemd unit file

passwd file

To set the umask for an individual user, the /etc/passwd file can be used. The fifth field, the so-called GECOS information field, can carry the umask setting.

username:x:1000:1000:User,,,,umask=0027:/home/username:/bin/bash

An easier way to do this is with the chfn command.

chfn -o "umask=0027" username

/etc/profile

The file /etc/profile is a system-wide .profile used by most common shells. It can be used to set a umask value.

Caveat: this setting won’t always apply, as it requires a shell that reads the file. A graphical session or an SSH session may therefore not pick up the umask value.

PAM

A common place to configure the umask is within the PAM configuration and specifically in the file /etc/pam.d/common-session. It requires the pam_umask module, which may need to be installed first.

session optional pam_umask.so umask=027

systemd

When using systemd, the UMask unit setting may be used for a service or a user service.

[Service]
UMask=0027

Some applications also allow defining the umask value within their own configuration. The effective umask for a single user may therefore differ depending on the tools or applications being used.
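Because the value can come from so many places, a quick way to see which umask settings a system actually carries is to parse each configuration file and flag values that leave the world-writable bit in place. The script below is an added example, not part of the original article or of any tool it mentions; it runs against constructed sample copies of the files listed above, and its parsing rules (a umask= entry in the GECOS field of passwd, arguments on a pam_umask.so line, UMASK in login.defs, umask lines in a profile, UMask= in a systemd unit) are assumptions about the usual formats that should be verified against the real files before relying on the output.

```sh
#!/bin/sh
# Added example (not from the original article): a small audit helper that
# reports where a umask is configured, run here against constructed sample
# copies of the files the text lists. The parsing rules are assumptions about
# the usual formats; check them against the real files on a system.

# passwd_umasks FILE: "passwd:USER VALUE" for every umask= entry in the GECOS field
passwd_umasks() {
    awk -F: '$5 ~ /umask=/ {
        n = split($5, part, ",")
        for (i = 1; i <= n; i++)
            if (part[i] ~ /^umask=/) { sub(/^umask=/, "", part[i]); print "passwd:" $1, part[i] }
    }' "$1"
}

# pam_umasks FILE: the umask= argument on pam_umask.so session lines
pam_umasks() {
    awk '$1 == "session" && $0 ~ /pam_umask\.so/ {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print "pam", $i }
    }' "$1"
}

# login_defs_umask FILE: the UMASK setting (commented lines start with #, so $1 never matches)
login_defs_umask() {
    awk '$1 == "UMASK" { print "login.defs", $2 }' "$1"
}

# profile_umasks FILE: "umask NNN" lines in a shell startup file (skips "umask -S")
profile_umasks() {
    awk '$1 == "umask" && $2 !~ /^-/ { print "profile", $2 }' "$1"
}

# systemd_umask FILE: UMask= in a unit file
systemd_umask() {
    awk -F= '$1 == "UMask" { print "systemd", $2 }' "$1"
}

# permissive UMASK: succeeds when the umask keeps the other-write bit (o+w),
# meaning files created under it can end up world-writable
permissive() {
    [ $(( 0$1 & 02 )) -eq 0 ]
}

# audit DIR: run every parser over the sample files in DIR and mark weak values
audit() {
    {
        passwd_umasks "$1/passwd"
        pam_umasks "$1/common-session"
        login_defs_umask "$1/login.defs"
        profile_umasks "$1/profile"
        systemd_umask "$1/app.service"
    } | while read -r source value; do
        if permissive "$value"; then
            printf '%-16s %s  WEAK: does not clear o+w\n' "$source" "$value"
        else
            printf '%-16s %s\n' "$source" "$value"
        fi
    done
}

# make_samples: constructed sample files (not taken from any real system); prints the directory
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice,,,,umask=0027:/home/alice:/bin/bash
bob:x:1001:1001:Bob,,,,umask=000:/home/bob:/bin/sh
EOF
    cat > "$dir/common-session" <<'EOF'
# constructed sample
session required pam_unix.so
session optional pam_umask.so umask=027
EOF
    printf '%s\n' '#UMASK 077' 'UMASK 022' > "$dir/login.defs"
    printf '%s\n' 'umask 002' 'umask -S' > "$dir/profile"
    printf '%s\n' '[Service]' 'UMask=0027' > "$dir/app.service"
    printf '%s\n' "$dir"
}

# Demo: build the samples, audit them, clean up.
SAMPLES=$(make_samples)
audit "$SAMPLES"
rm -rf "$SAMPLES"
```

The only line the demo flags is the constructed bob account with umask=000; every other sample value clears the other-write bit. To use the parsers on a real system, point each function at the actual file (for example pam_umasks /etc/pam.d/common-session) instead of the sample directory.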

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

  • chfn
  • echo
  • touch
  • umask


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
