permissions - What is "umask" and how does it work? - Ask Ubuntu

7/1/2015


What is umask and how does it work?


I believe that umask is something that controls file permissions, but do not fully understand it.

After running umask 0644 in a terminal, I cannot read the files I create with the command-line text editor nano. I noticed that the permissions of that file are set to 0022 instead of the default 0755.

How does umask work? I thought I could just remove each digit in the umask from 0777, 7 - 6 = 1 and 7 - 4 = 3, so I expect the permissions to be 0133, but apparently, this is not the case.

1. What is umask exactly? Explain it to me like I was a "Linux noob"
2. How do I calculate with umask?
3. What are use cases for umask?
Tags: permissions, umask

asked May 22 '11 at 20:42 by Lekensteyn, edited May 23 '11 at 8:40

2 Answers
The umask acts as a set of permissions that applications cannot set on files. It's a file mode creation mask for processes and cannot be set for directories themselves. Most applications would not create files with execute permissions set, so they would have a default of 666, which is then modified by the umask.

As you have set the umask to remove the read/write bits for the owner and the read bits for others, a default such as 777 in applications would result in the file permissions being 133. This would mean that you (and others) could execute the file, and others would be able to write to it.

If you want to make files not be read/write/execute by anyone but the owner, you should use a umask like 077 to turn off those permissions for the group & others.

In contrast, a umask of 000 will make newly created directories readable, writable and descendible for everyone (the permissions will be 777). Such a umask is highly insecure and you should never set the umask to 000.

The default umask on Ubuntu is 022 which means that newly created files are readable by everyone, but only writable by the owner:

user@computer:~$ touch newfilename
user@computer:~$ ls -dl newfilename
-rw-r--r-- 1 user user 0 Apr  1 19:15 newfilename

Viewing and modifying umask


To view your current umask setting, open a terminal and run the command:
umask

To change the umask setting of the current shell to something else, say 077, run:
umask 077

To test whether this setting works or not, you can create a new file (file permissions of an existing file won't be affected) and show information about the file. Run:

user@computer:~$ touch newfilename
user@computer:~$ ls -dl newfilename
-rw------- 1 user user 0 Apr  1 19:14 newfilename

The umask setting is inherited by processes started from the same shell. For example, start the text
editor GEdit by executing gedit in the terminal and save a file using gedit. You'll notice that the
newly created file is affected by the same umask setting as in the terminal.

Use case: multi-user system


If you are on a system that's shared by multiple users, it's desired that others cannot read files in your home directory. For that, a umask is very useful. Edit ~/.profile and add a new line with:

umask 007

You need to re-login for the umask change to take effect. Next, you need to change existing file permissions of files in your home directory by removing the read, write and execute bit for the world. Open a terminal and execute:

chmod -R o-rwx ~

If you want this umask setting to be applied to all users on the system, you could edit the system-wide profile file at /etc/profile.
answered May 22 '11 at 20:59 by ajmitch, edited Apr 2 '13 at 2:20 by Kevin Bowen
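How the mask is applied, as an added example that is not part of the original answers: the mode that lands on disk is the requested mode AND NOT the umask, which is not digit-by-digit subtraction. It assumes GNU stat (stat -c) and a temporary directory without default ACLs; the function names are made up for this illustration, and the 033 case goes beyond the values used on the page.

```shell
#!/bin/sh
# Added illustration, not code from the answers. Function names are hypothetical.
# Assumes GNU coreutils (stat -c) and a temp directory without default ACLs.

# expected_mode REQUESTED UMASK
# Mode that ends up on disk: requested bits AND NOT umask bits.
expected_mode() {
    printf '%03o\n' "$(( 0$1 & ~0$2 & 0777 ))"
}

# actual_modes UMASK
# Create a file and a directory under UMASK and print "FILE_MODE DIR_MODE".
actual_modes() (
    tmp=$(mktemp -d) || exit 1
    (
        umask "$1"          # changes only this subshell and its children
        touch "$tmp/f"      # touch asks for 666
        mkdir "$tmp/d"      # mkdir asks for 777
    )
    f=$(stat -c %a "$tmp/f")
    d=$(stat -c %a "$tmp/d")
    chmod u+rwx "$tmp/d"    # restore owner access before cleanup
    rm -rf "$tmp"
    printf '%03o %03o\n' "$(( 0$f & 0777 ))" "$(( 0$d & 0777 ))"
)

# report UMASK: compare the bitwise rule with what was really created.
report() {
    echo "umask $1: predicted $(expected_mode 666 "$1") $(expected_mode 777 "$1"), created $(actual_modes "$1")"
}

report 0644   # the question's case: file 022, directory 133
report 022    # Ubuntu default: file 644, directory 755
report 077    # owner only: file 600, directory 700
report 033    # subtraction would suggest 633; the file really gets 644
```

The 0644 line explains both numbers in the question: nano asks for 666 and gets 022, while a program asking for 777 gets 133.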


In addition to the good discussion in the accepted answer, it is worth adding some more points about umask, with reference to how it is managed in 12.04 and onwards.

Umask and pam_umask

The default umask is now in /etc/login.defs and not in /etc/profile, as the official note in /etc/profile reads:

# The default umask is now handled by pam_umask.
# See pam_umask(8) and /etc/login.defs.

Pam_umask is briefly explained below, and it should be said that the default file for the user to place his custom umask setting in is still ~/.profile.

Pam_umask is one of many important PAM modules that are crucial in Ubuntu's operation (run apropos '^pam_' to find the manpages for the other ones). In the manpage for pam_umask it is noted that

"pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created files."

A note on the default umask

New folders in $HOME can be created by mkdir with default 775 permissions and files created with touch with default 664 permissions even when the default umask is 022. This seems, at first, contradictory, and is worth explaining.

While the default umask is 022 on Ubuntu, this is not the whole story, as there is a setting in /etc/login.defs that allows the umask to be 002 for non-root users if a condition is met (see excerpt below). On a normal installation, /etc/login.defs contains the setting USERGROUPS_ENAB yes. This is what

"Enables setting of the umask group bits to be the same as owner bits (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is the same as gid, and username is the same as the primary group name."

Hence why you see the following with stat when a new folder is created with mkdir on a single user system such as mine (uid and gid are the same):

Access: (0775/drwxrwxr-x)  Uid: ( 1000/    mike)   Gid: ( 1000/    mike)

For more information, see man pam_umask and the Ubuntu manpages online.
answered Apr 2 '13 at 0:16 by user76204, edited Apr 2 '13 at 0:22
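The usergroups rule quoted in the answer above, worked through as an added example; this is not pam_umask's own code. It reads a constructed login.defs-style excerpt, and the function names, the fallback to 022 when UMASK is absent, and the sample users other than mike (uid and gid 1000, taken from the stat output) are assumptions.

```shell
#!/bin/sh
# Added illustration, not code from pam_umask or from the answer.
# Function names are hypothetical; the excerpt below is constructed sample data.
SAMPLE_LOGIN_DEFS='# constructed login.defs-style excerpt
UMASK           022
USERGROUPS_ENAB yes'

# login_defs_get KEY: print the value of KEY from login.defs text on stdin.
# Entries are "KEY value" separated by whitespace (no "="); "#" starts a comment.
login_defs_get() {
    awk -v key="$1" '$1 == key { val = $2 } END { print val }'
}

# effective_umask NAME UID GID PRIMARY_GROUP [DEFS_TEXT]
# For a non-root user whose uid equals the gid and whose name equals the
# primary group name, the group bits of the umask become the owner bits.
effective_umask() (
    defs=${5:-$SAMPLE_LOGIN_DEFS}
    base=$(printf '%s\n' "$defs" | login_defs_get UMASK)
    enab=$(printf '%s\n' "$defs" | login_defs_get USERGROUPS_ENAB)
    mask=$(( 0${base:-022} ))   # assumption: fall back to 022 if UMASK is unset
    if [ "$enab" = yes ] && [ "$2" -ne 0 ] && [ "$2" -eq "$3" ] && [ "$1" = "$4" ]; then
        # clear the group bits (0070), then copy the owner bits (0700) into them
        mask=$(( (mask & ~0070) | ((mask & 0700) >> 3) ))
    fi
    printf '%03o\n' "$mask"
)

# default_modes UMASK: "FILE_MODE DIR_MODE" for touch (666) and mkdir (777).
default_modes() {
    printf '%03o %03o\n' "$(( 0666 & ~0$1 ))" "$(( 0777 & ~0$1 ))"
}

# mike matches the rule; root and alice (primary group "users") do not.
for who in "mike 1000 1000 mike" "root 0 0 root" "alice 1001 100 users"; do
    set -- $who
    m=$(effective_umask "$1" "$2" "$3" "$4")
    echo "$1: umask $m -> file/dir modes $(default_modes "$m")"
done
```

For mike this prints umask 002 with modes 664 and 775, the values the answer observed; an account that shares a primary group with other users keeps 022.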

It looks like your second part is missing something? (USERGROUP_ENABLE?) +1 for updated information - Lekensteyn Apr 2 '13 at 16:17

@Lekensteyn Strangely enough, the setting in /etc/login.defs is definitely USERGROUPS_ENAB yes after checking it. The syntax of that file is slightly unusual. - user76204 Apr 2 '13 at 16:24

I just checked the file and the source and you are right, this (and some other) settings are confusingly named "_ENAB". - Lekensteyn Apr 2 '13 at 19:20

http://askubuntu.com/questions/44542/whatisumaskandhowdoesitwork
