umask Command in Linux: Set Default File Permissions

On Linux and Unix operating systems, all new files are created with a default set of permissions. The umask command lets you view or set the file mode creation mask, which determines the permission bits for newly created files and directories.

It is used by mkdir, touch, tee , and other commands that create new files and directories.

This guide explains how umask works, how to read and calculate mask values, and how to make your changes permanent.

umask Syntax #

umask [OPTION] [MASK]

• -S — Display the current mask in symbolic notation instead of octal.

When called without arguments, umask prints the current mask value. When called with a mask value, it sets the mask for the current shell session.

Linux Permissions #

Before going further, let us briefly explain the Linux permissions model.

In Linux, each file is associated with an owner and a group and assigned permission access rights for three different classes of users:

• The file owner.
• The group members.
• Everyone else.

There are three permission types that apply to each class:

• The read permission.
• The write permission.
• The execute permission.

This concept allows you to specify which users are allowed to read the file, write to the file, or execute the file.

To view the file permissions, use the ls command:

ls -l dirname

drwxr-xr-x 12 linuxize users 4.0K Apr  8 20:51 dirname
|[-][-][-]    [------] [---]
| |  |  |        |       |
| |  |  |        |       +-----------> Group
| |  |  |        +-------------------> Owner
| |  |  +----------------------------> Others Permissions
| |  +-------------------------------> Group Permissions
| +----------------------------------> Owner Permissions
+------------------------------------> File Type

The first character represents the file type, which can be a regular file (-), a directory (d), a symbolic link (l), or any other special type of file.

The next nine characters represent the permissions, three sets of three characters each. The first set shows the owner permissions, the second set shows group permissions, and the last set shows everybody else’s permissions.

Character r with an octal value of 4 stands for read, w with an octal value of 2 for write, x with an octal value of 1 for execute, and - with an octal value of 0 for no permission.

There are also three special file permission types: setuid, setgid, and sticky bit.

In the example above, rwxr-xr-x means the owner has read, write, and execute permissions (rwx), while the group and others have read and execute permissions.

If we represent the file permissions using numeric notation, we get 755:

• Owner: rwx = 4+2+1 = 7
• Group: r-x = 4+0+1 = 5
• Other: r-x = 4+0+1 = 5

When represented in numeric notation, permissions can have three or four octal digits (0-7). The first digit represents special permissions, and if it is omitted, it means no special permissions are set. In our example, 755 is the same as 0755. The first digit can be a combination of 4 for setuid, 2 for setgid, and 1 for sticky bit.

File permissions can be changed using the chmod command and ownership using the chown command.

Understanding umask #

By default on Linux systems, the default creation permissions are 666 for files, which gives read and write permission to user, group, and others, and 777 for directories, which means read, write, and execute permission to user, group, and others. Linux does not allow a file to be created with execute permissions.

The default creation permissions can be modified using the umask command.

umask affects only the current shell environment. On most Linux distributions, the default system-wide umask value is set in the pam_umask.so module, the /etc/profile file, or /etc/login.defs.

If you want to specify a different value on a per-user basis, edit the user’s shell configuration files such as ~/.bashrc or ~/.zshrc. You can also change the current session umask value by running umask followed by the desired value.

To view the current mask value, type umask without any arguments:

umask

0022

The umask value contains the permission bits that will NOT be set on newly created files and directories.

The default creation permissions for files are 666 and for directories 777. To calculate the permission bits for new files, subtract the umask value from the default value.

For example, to calculate how umask 022 affects newly created files and directories:

• Files: 666 - 022 = 644. The owner can read and modify the files. Group and others can only read the files.
• Directories: 777 - 022 = 755. The owner can cd into the directory and list, read, modify, create, or delete files in it. Group and others can cd into the directory and list and read the files.

You can also display the mask value in symbolic notation using the -S option:

umask -S

u=rwx,g=rx,o=rx

Unlike the numeric notation, the symbolic notation value shows the permission bits that will be set on newly created files and directories.

Setting the umask Value #

The file creation mask can be set using octal or symbolic notation. To make the change permanent, set the new umask value in a global configuration file like /etc/profile, which will affect all users, or in a user’s shell configuration files such as ~/.profile, ~/.bashrc, or ~/.zshrc, which will affect only that user. User files take precedence over global files.

Before changing the umask value, make sure the new value does not pose a security risk. Values less restrictive than 022 should be used with caution. For example, umask 000 typically results in 666 permissions for new files and 777 permissions for new directories.

To set more restrictive permissions so others cannot cd into directories or read files, use 750 for directories and 640 for files.

To calculate the umask value, subtract the desired permissions from the default:

umask value: 777 - 750 = 027

The desired umask value in numeric notation is 027.

To permanently set the new value system-wide, open the /etc/profile file with your text editor:

sudo nano /etc/profile

Add or change the following line:

umask 027

For the change to take effect, run the source command or start a new login session:

source /etc/profile

If your shell is non-login, you may need to set umask in ~/.bashrc or ~/.zshrc instead of relying on /etc/profile.

To verify the new settings, create a file and a directory using touch and mkdir :

touch newfile
mkdir newdir

Check the permissions with ls:

drwxr-x--- 2 linuxize users 4096 Jul  4 18:14  newdir
-rw-r----- 1 linuxize users    0 Jul  4 18:14  newfile

The new file has 640 and the new directory has 750 permissions, as expected.

You can also set the file creation mask using symbolic notation. For example, umask u=rwx,g=rx,o= is the same as umask 027.

Quick Reference #

Troubleshooting #

umask value resets in new terminals
You likely set it in a file that your shell does not load for that session type. Login shells usually read /etc/profile and ~/.profile; interactive non-login shells usually read ~/.bashrc or ~/.zshrc.

umask works for your user but not for services
Service processes often run under systemd units or dedicated service accounts and do not inherit your interactive shell settings. Set UMask= in the relevant systemd unit or configure the service account environment explicitly.

sudo commands create files with unexpected permissions
sudo runs commands with root’s environment and mask settings, not your user shell settings. Check root’s defaults (sudo sh -c 'umask') and configure root or service-level settings where needed.

FAQ #

What is the default umask on Linux?
Most Linux distributions use 0022 as the default system-wide umask. This results in 644 permissions for new files and 755 for new directories.

How do I make a umask change permanent?
Add the umask command to your shell configuration file. For a single user, edit ~/.bashrc or ~/.zshrc. For all users on the system, edit /etc/profile or /etc/login.defs.

What is the difference between umask and chmod?
umask sets the default permissions applied at file creation time. chmod changes the permissions of an existing file or directory. They work at different points in the file lifecycle.

Why do new files never get execute permission even with umask 000?
Linux applies an additional restriction that strips execute bits from regular files at creation time. The base for regular files is 666, not 777, so even umask 000 results in 666 permissions for files. Execute permission must be added explicitly with chmod.

Conclusion #

The umask command controls the default permission mask applied to all newly created files and directories. Understanding how to calculate and set the umask value helps you enforce consistent, secure permission defaults across your system.

For more information, type man umask in your terminal. To learn more about Linux file permissions, see the chmod and chown command guides.

If you have any questions, feel free to leave a comment below.

About the authors

Dejan Panovski

Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.

View author page