What is "umask" and how does it work?

The umask acts as a set of permissions that applications cannot set on files. It's a file mode creation mask for processes and cannot be set for directories itself. Most applications would not create files with execute permissions set, so they would have a default of 666, which is then modified by the umask.

As you have set the umask to remove the read/write bits for the owner and the read bits for others, a default such as 777 in applications would result in the file permissions being 133. This would mean that you (and others) could execute the file, and others would be able to write to it.

If you want to make files not be read/write/execute by anyone but the owner, you should use a umask like 077 to turn off those permissions for the group & others.

In contrast, a umask of 000 will make newly created directories readable, writable and descendible for everyone (the permissions will be 777). Such a umask is highly insecure and you should never set the umask to 000.

The default umask on Ubuntu was 022 which means that newly created files are readable by everyone, but only writable by the owner:

user@computer:~$ touch new-file-name
user@computer:~$ ls -dl new-file-name
-rw-r--r-- 1 user user 0 Apr  1 19:15 new-file-name

Starting in Ubuntu Oneiric (11.10) the default umask was relaxed to 002, which expands write-access to the owner's group:

user@computer:~$ touch new-file-name
user@computer:~$ ls -dl new-file-name
-rw-rw-r-- 1 user user 0 Apr  1 19:15 new-file-name

Viewing and modifying umask

To view your current umask setting, open a terminal and run the command:

umask

To change the umask setting of the current shell to something else, say 077, run:

umask 077

To test whether this setting works or not, you can create a new file (file permissions of an existing file won't be affected) and show information about the file, run:

user@computer:~$ touch new-file-name
user@computer:~$ ls -dl new-file-name
-rw------- 1 user user 0 Apr  1 19:14 new-file-name

The umask setting is inherited by processes started from the same shell. For example, start the text editor GEdit by executing gedit in the terminal and save a file using gedit. You'll notice that the newly created file is affected by the same umask setting as in the terminal.

Use case: multi-user system

If you are on a system that's shared by multiple users, it's desired that others cannot read files in your home directory. For that, a umask is very useful. Edit ~/.profile and add a new line with:

umask 007

You need to re-login for this umask change in ~/.profile to take effect. Next, you need to change existing file permissions of files in your home directory by removing the read, write and execute bit for the world. Open a terminal and execute:

chmod -R o-rwx ~

If you want this umask setting be applied to all users on the system, you could edit the system-wide profile file at /etc/profile.

Others answered have explained really well the concept of umasking and why it's required. Let me add my two cents, and give you a mathematical example on how the permissions are actually calculated.

First of all, “mask” does not mean “subtract”, in the arithmetic sense – there is no borrow or carry involved.

Secondly, a “mask” should be understood bitwise instead: applying logical operations on each bit column independently. That is, the 4th bit of the permission bit-sequence interacts with only the 4th bit of the mask.

Third, the mask turns off permission bits. If they are already off, the umask makes no change to the permission,

For example, assume that you have to unmask 077 from the system defaults for files which is 666 and directories which is 777.

The command you will use is

umask 077

(unmask value in binary, 000 111 111)

What this unmask will do is it will turn off any of the first six LSBs (least significant bits) if they are 1 and will make no change if any of them are already off.

Here is how the final permission is calculated:

file permission   666 = 110 110 110 
unmask value      077 = 000 111 111
will result in    600 = 110 000 000

Observe how both 110 values have changed to 000.

Similarly,

directory permission   777 = 111 111 111 
unmask value           077 = 000 111 111
will result in         700 = 111 000 000

In addition to the good discussion in the accepted answer, it is worth adding some more points about umask, with reference to how it is managed in 12.04 and onwards.

Umask and pam_umask

The default umask is now in /etc/login.defs and not in /etc/profile, as the official note in /etc/profile reads:

# The default umask is now handled by pam_umask.
# See pam_umask(8) and /etc/login.defs.

Pam_umask is briefly explained below, and it should be said that the default file for the user to place his custom umask setting in is still ~/.profile.

Pam_umask is one of many important PAM modules that are crucial in Ubuntu's operation (run apropos '^pam_' to find the manpages for the other ones). In the manpage for pam_umask it is noted that

pam_umask is a PAM module to set the file mode creation mask of the current environment. The umask affects the default permissions assigned to newly created files.

A note on the default umask

New folders in $HOME can be created by mkdir with default 775 permissions and files created with touch with default 664 permissions even when the default umask is 022. This seems, at first, contradictory, and is worth explaining.

While the default umask is 022 on Ubuntu, this is not the whole story, as there is a setting in /etc/login.defs that allows the umask to be 002 for non-root users if a condition is met (see excerpt below). On a normal installation, /etc/login.defs contains the setting USERGROUPS_ENAB yes. This is what

Enables setting of the umask group bits to be the same as owner bits (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.

Hence why you see the following with stat when a new folder is created with mkdir on a single user system such as mine (uid and gid are the same):

Access: (0775/drwxrwxr-x)  Uid: ( 1000/username)   Gid: ( 1000/username)

For more information, see man pam_umask and the Ubuntu manpages online.

This is pretty old, but this is worth mentioning. To calculate for the umask, unlike file system permissions. The octal umasks are calculated via the bitwise AND of the unary complement of the argument using bitwise NOT. The octal notations are as follows:

Octal value : Permission
0 : read, write and execute
1 : read and write
2 : read and execute
3 : read only
4 : write and execute
5 : write only
6 : execute only
7 : no permissions

Then you can calculate to set umask proper premissions such:

$ umask 077
$ mkdir dir1
$ touch file
$ ls -ld dir1 file

drwx------ 2 amrx amrx 4096 2011-03-04 02:05 dir1
-rw------- 1 amrx amrx    0 2011-03-04 02:05 file

Calculating The Final Permission For Files

You can simply subtract the umask from the base permissions to determine the final permission for file as follows:

666 – 022 = 644

• File base permissions : 666
• umask value : 022
• subtract to get permissions of new file (666-022) : 644 (rw-r–r–)

Calculating The Final Permission For Directories

You can simply subtract the umask from the base permissions to determine the final permission for directory as follows:

777 – 022 = 755

• Directory base permissions : 777
• umask value : 022
• Subtract to get permissions of new directory (777-022) : 755 (rwxr-xr-x)

Basic concept:

If you are like most humans and don't understand what the heck "octal umasks are calculated via the bitwise AND of the unary complement of the argument using bitwise NOT" means, here's my simple explanation:

First of all, think about what a "mask" is. A mask blocks something. Think of masking tape. In this case, umask is like masking tape to block/disable permissions when creating a new file or dir.

The default permissions when creating a new dir is octal 777 (111 111 111), and a new file is octal 666 (110 110 110). We set the umask to block/disable certain permissions.

• A mask bit of 1 means to block/disable that permission (put masking tape over that bit).
• A mask bit of 0 will allow the permission to pass through (no masking tape over that bit).

So an octal 022 (000 010 010) mask means to disable group write and others write, and allow all other permissions to pass through.

Calculation:

Here is an example calculation for a new file (default 666 permission) with a 022 umask:

  perm mask result
----------------------------
u 1    0    1 (pass through)
  1    0    1 (pass through)
  0    0    0 (pass through)
----------------------------
g 1    0    1 (pass through)
  1    1    0 (disable)
  0    0    0 (pass through)
----------------------------
o 1    0    1 (pass through)
  1    1    0 (disable)
  0    0    0 (pass through)

So that's how you end up with the result of 644 when you create a new file.

Easier way:

But if inverse mask calculations just confuse you, there is an easier way using symbolic umask notation. When you use this method, then you are just specifying the pass-through bits instead of the mask bits.

• umask u=rwx,g=rx,o=rx means allow pass through for user rwx, group rx, other rx. Which implies disable group w, others w. If you run this command then check umask, you will get 022.
• umask u=rwx,g=,o= means allow pass through for user rwx. Which implies disable all access for group and others. If you run this command then check umask, you will get 077.

Bonus calculation:

If you actually want to understand what "octal umasks are calculated via the bitwise AND of the unary complement of the argument using bitwise NOT" means, here's some logic tables that can help demonstrate. Remember, a mask bit 1 means disable, 0 means pass through.

perm mask result
----------------
0    1    0     (mask 1 always disables)
1    1    0     (mask 1 always disables)
0    0    0     (mask 0 passes through)
1    0    1     (mask 0 passes through)

If you make the table with NOT(mask), now it's just a simple AND logic table!

perm NOT(mask) result
---------------------
0    0         0     (mask 1 always disables)
1    0         0     (mask 1 always disables)
0    1         0     (mask 0 passes through)
1    1         1     (mask 0 passes through)

So the formula for it is: result = perm AND (NOT mask)

Alright, sometimes a question is more than 10 years old but still without an answer to satisfy your taste, so I'm posting my own. Every process that creates files (or directories) gives those files a default set of read/write/execute permissions. Although we have used the word default here, it doesn't mean a fixed default, i.e., it can change, just like how we can change the behavior of a program by altering its configuration values.

It is a pandemically wrong belief in the world of noobs to think that there are some fixed default permission values (such as 664 and 775, or sometimes 755 and 644, and so on) for newly created files and directories. While these numbers can be the default permission values but as we said earlier, they are not fixed (octal) numbers. They can be different for each process.

So what is the actual formula for calculating the default permissions for each process? It is 0777 & <mask of the process> for directories and 0666 & <mask of the process> for files (in both of which the & operator is the bitwise-AND, i.e., in laymans terms, it can turn off some bits in 0777, but it does NOT turn any bits on. It's neither negation nor subtraction, it's bitwise-AND).

Notice 1. man umask does not give the second formula (for files), but don't worry, it's correct.

Notice 2. There is a legitimate security problem with allowing files to have execute permissions by default. For that reason, systems are usually configured to remove the execute permission for files, thus the 0666 in the second formula above. Directories require execute permission to be navigable though. That is, if for example, /home/ has r permission, you can ls it and see its contents, but without x permission, you can't ls /home/$USER).

Notice 3. To "set" the mask for the process use the umask <proper-value> command. To "get" the mask of a process use the umask command alone without any arguments, e.g., gives 0022 in my case when I run it in my terminal.