The mask mechanism in the file permission system (umask) is a part of the Linux system that I couldn't understand well until I dug a little deeper into how permissions work.
In this article, I will try to explain what the mask is used for, how it should be used correctly, and why it is so important for the security of the system.
What are permissions?
Basically, every file and directory in the Linux system has its owner and group. Additionally, each of these elements has defined permissions that determine what can be done with a given file or directory.
Permissions can be defined by numerical or symbolic values.
Quick summary
| Permission | Description | Symbol | Numerical Value |
|---|---|---|---|
| Read (r) | Allows reading the file or directory | r | 4 |
| Write (w) | Allows modifying the file or directory | w | 2 |
| Execute (x) | Allows executing the file or entering the directory | x | 1 |
The permission level for each type of user is the sum of the numerical values of these three options, that is:
| Permissions | Numerical Value |
|---|---|
| rwx | 7 |
| rw- | 6 |
| r-x | 5 |
| r-- | 4 |
| -wx | 3 |
| -w- | 2 |
| --x | 1 |
| --- | 0 |
The permissions of a file can be seen using the ls -l command in the terminal, right next to the information about the owner and group:
$ ls -l /etc/
This will return the contents of the etc directory along with permissions:
drwxr-xr-x 2 root root 4096 May 6 2025 PackageKit
drwxr-xr-x 8 root root 4096 Jan 2 2025 X11
-rw-r--r-- 1 root root 3028 Nov 22 2023 adduser.conf
drwxr-xr-x 2 root root 4096 Jan 4 07:23 alternatives
drwxr-xr-x 3 root root 4096 Feb 2 11:06 apparmor
The example, of course, is shortened for readability.
What is umask?
Every file and directory receives default permissions at the moment of its creation, so they do not have to be set manually for each newly created resource.
The default settings are defined by the kernel, but we can modify them with the mask mechanism, which is applied when a file or directory is created. The rule is easy to remember as column subtraction:
We subtract the value of the mask from the default permissions to obtain the actual value that will be set. We need to do this separately for each of the three types of users (owner, group, others).
Consider this example: the default permissions for a directory are 777 (rwxrwxrwx), and for a file they are 666 (rw-rw-rw-).
The most commonly used value of the mask is 022.
For a directory, this would look like:
| Type of user | Operation | Result |
|---|---|---|
| Owner | 7 - 0 | 7 (rwx) |
| Group | 7 - 2 | 5 (r-x) |
| Other | 7 - 2 | 5 (r-x) |
On the other hand, for a file:
| Type of user | Operation | Result |
|---|---|---|
| Owner | 6 - 0 | 6 (rw-) |
| Group | 6 - 2 | 4 (r--) |
| Other | 6 - 2 | 4 (r--) |
Changing the mask setting
The easiest way to change the mask settings in a given terminal session is by using the umask command with the appropriate value:
umask 011
This command sets the mask to 011, which means that new files will have permissions 655 (rw-r-xr-x) and directories 766 (rwxrw-rw-).
The question of the practicality of this specific mask is a separate topic.
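The subtraction rule is a mnemonic: the kernel clears from the requested mode every bit that is set in the mask (mode & ~mask), and the two give the same result only when those bits were set in the default to begin with. The shell script below is an added example, not part of the original article, that compares both calculations for several masks and checks them against files and directories it actually creates. The function names are illustrative, and stat -c assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: the "subtract the mask" mnemonic versus what the kernel does.
# Function names are illustrative; stat -c assumes GNU coreutils or BusyBox.

# Digit-by-digit subtraction of a three-digit mask, as in the tables above.
naive_subtract() {
    out=""
    for i in 1 2 3; do
        b=$(printf '%s' "$1" | cut -c "$i")
        m=$(printf '%s' "$2" | cut -c "$i")
        out="$out$((b - m))"
    done
    printf '%s\n' "$out"
}

# What the kernel computes: clear every bit that is set in the mask.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Create a real file or directory under the given umask and read its mode back.
observed_mode() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$2"   # only affects this subshell
        if [ "$1" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    )
    stat -c '%a' "$tmp/new"
    rm -rf "$tmp"
}

# Masks chosen for illustration: the common default, the one from the text,
# and a stricter one where subtraction produces a negative digit.
for mask in 022 011 027; do
    printf 'umask %s file: subtract=%s bitwise=%s observed=%s\n' "$mask" \
        "$(naive_subtract 666 "$mask")" "$(effective_mode 666 "$mask")" \
        "$(observed_mode file "$mask")"
    printf 'umask %s dir:  subtract=%s bitwise=%s observed=%s\n' "$mask" \
        "$(naive_subtract 777 "$mask")" "$(effective_mode 777 "$mask")" \
        "$(observed_mode dir "$mask")"
done
```

For umask 011 the file rows differ: subtraction gives 655, while the bitwise result and the created file are both 666, because a regular file has no execute bits for the mask to remove.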
If no value is specified, the umask command displays the current settings of the mask in numerical form:
022
Remember that this change is not permanent: it is lost when the terminal session is closed.
To permanently change these settings, the easiest way is to add the umask command to the configuration file of the shell, for example, ~/.bashrc or ~/.zshrc.