Umask command in Linux with examples

The umask command in Linux is used to set default permissions for files or directories the user creates.

How does the umask command work?

• The umask command specifies the permissions that the user does not want to be given out to the newly created file or directory.
• umask works by doing a Bitwise AND with the bitwise complement(where the bits are inverted, i.e. 1 becomes 0 and 0 becomes 1) of the umask.
• The bits which are set in the umask value, refer to the permissions, which are not assigned by default, as these values are subtracted from the maximum permission for files/directories.

How to calculate umask value?

Syntax:

$umask

[The above command will give the following output]

pratyay@pratyay-ROG-Strix-G531GT:~/Study/Linux/CommandTrials/umask$ umask
0002

• Here, the first digit, 0 is called the sticky bit, it is a special security feature.
• The next three digits represent the octal values of the umask for a file or directory.

For a better understanding of umask working, we need to understand octal mode security settings. The three rwx permissions (Read-Write-Execute) values are converted into three-bit binary values and represented by a single octal value as shown in the following table:

Simplification:

Let's understand the above table with an example: Let's explain the previous output we got using umask, 0002

• For a better understanding of the above table, it might seem confusing at first, but it's pretty simple, all you have to remember is the three modes, rwx (read-write-execute).
• the bit for the respective mode, i.e. in 3-bit number, the first bit(leftmost) is for read, then write and execute respectively. In the above example, 0002 is outputted by the umask command, we will be not worrying about the first 0 as of now. the next three digits are 0 0 2.
• Each digit here is for different classes of users, there are a total of 3 classes of users in Linux,
  • The owner
  • group members
  • everyone else
• The above output (0002) means that the umask is restricting write permissions for 'others'. Since umask subtracts from the default permissions:
  • For a file (default: 666), the umask 0002 results in 664 (rw-rw-r--), meaning others can only read the file.
  • For a directory (default: 777), the umask 0002 results in 775 (rwxrwxr-x), meaning others can only read & execute, but not write."
• The umask 0002 ensures that while owner and group can read & write, others can only read (for files) or read & execute (for directories)

How to set and update the default umask value?

We can set and update the default umask value using the command umask followed by a parameter, which should be an integer ranging from 000-777. The syntax for updating the umask value is the same as setting the umask value.

Setting the umask value:

We can use the umask command to set the default permissions with which the files/directories will be created.

Syntax

$umask 543

How to calculate umask values for files and directories?

Here, when we execute the command, the values are not directly allocated as 5 for the owner, 4 for the group members and 3 for the others, but the value we pass as an argument is subtracted from the max/full permission set. There are two full permission sets:

• File -> The full permission set for a file is 666 (read/write permission for all)
• Directory -> The full permission set for a directory is 777 (read/write/execute)

Note: The files cannot be given execution permissions by default as it can cause a security concern, and Linux systems are pretty much known for their amazing security, so that wouldn't be good.

So, once we have set the umask value to 543, let's see what happens when we make a directory(7-7-7) and a file(6-6-6)

Making a directory:

• When we make a new directory, the permissions will be calculated as (full permissions for directory) - (umask value) i.e. 777 - 543 = 234
• 234, can be clarified more as:
  • 2 for the owner, that is 010 in binary, so write permissions for the owner.
  • 3 for the group members, that is 011 in binary, so write and execute permissions for the group members.
  • 4 for everyone else, that is 100 in binary, so only read permission for everyone else.

• The output shows the following: d-w--wxr--, which is a bit confusing, but when we simplify it, it can be seen as d   -w-   -wx   r--, d here stands for directory and the latter 3 are the permissions for the respective users as we discussed in the previous point.

Making a file:

• When we make a new directory, the permission will be given out similarly but with a slight change as follows: (full permissions for file) - (umask value) i.e. 666-543 = 123
• Linux does not provide execute permissions by default, even if it is specified in the umask. 
• 123 can be clarified more as:
  • 1 for the owner, that is 001 in binary, so execute permission should be given to the owner, but Linux doesn't give execute permissionMaking a directory:s by default, so, the value is promoted by one and we get 010, and write permission will be granted to the owner.
  • 2 for the group members, that is 010 in binary, so write permissions for the group members.
  • 3 for everyone else, that is 011 in binary, so write and execute permission for everyone else, but again execute permission cannot be provided, so the value will be promoted one more time, and we will get 100, so read permission will be granted to everyone else.

• The output shows, --w--w-r--  which can be simplified as -   -w-  -w-  r--, that is write for the owner, write for the group, and read for everyone else.
• Now when we will try to open this file as the owner, we will get access denied, as the owner of the file only has access to write to it.

• So in order to open the file, we would either have to be the admin or be other than owner and group members.
• Opening file as Admin:

• You can also use symbolic notations with umask. Below in "umask u-w" command 'u' stands for user and '-' is used for remove permission and 'w' stands for write permission.

• Create File named newDir and check permissions.

• In given figure it shows that permission for newDir is "dr-x-wx---" and user's write permission has been removed.

• If you use '+' symbol instead of '-' then it will give corrosponding permission to the user. you can also use 'r' which is used for read permission. ie. umask u+rw

• Now, Give write permission to user and check it's permission by creating an directory.

So, in this way, it is possible to use umask command in order to set default permissions for files and directories. It should be noted that the default permissions for files and directories are different as files do not provide the option to execute by default.

What is the difference between chmod and umask?

• The umask command can be only used on new files i.e. while creating new files, any files created prior to using the umask command will have no effect.
• The chmod command must be used on files that are already present, it is used to change the access permissions of files that have been created earlier.

Thus, we need umask command in order to set the default access permissions for files and directories which will be created in the future, and we need the chmod command in order to change the access permissions for files that have been already created and are present in the system.