Make new files start with predictable permissions by setting a global umask for logins and services.

13.12.2025

Why change the umask?

New files get their permissions from the process that creates them, and a system-wide umask enforces safer defaults across users and services; this page shows concrete steps to check, change and persist that mask.

Quick hands-on

Check the current mask and create a file to observe the effective permissions.

```sh
# show the mask of the current shell
umask
# start from a fresh file: touch does not change the mode of an existing one
rm -f /tmp/example-file
touch /tmp/example-file
stat -c '%a %n' /tmp/example-file
```

Persist for interactive logins

Make the change once and affect all interactive shells by creating a small script under /etc/profile.d: create the file, add the line with the desired octal mask, and it applies at the next login.

```sh
sudo tee /etc/profile.d/99-umask.sh > /dev/null <<'EOF'
# set conservative default umask
umask 022
EOF
# load it into the current shell and confirm the value
. /etc/profile.d/99-umask.sh
umask
```

Apply to system services

Services started by systemd do not read the shell profile; set a global default or a per-service override using systemd settings, then re-exec systemd to apply the change.

```sh
# edit /etc/systemd/system.conf and set DefaultUMask=0022
# (replace the whole line, commented or not, so an existing value is not duplicated)
sudo sed -i -E 's/^#?DefaultUMask=.*/DefaultUMask=0022/' /etc/systemd/system.conf
sudo systemctl daemon-reexec
```

Handle PAM and batch jobs

For logins managed by PAM, enable or configure pam_umask so the session reads a common UMASK (often from /etc/login.defs). Remember that cron, at and some daemons may have their own defaults, so check each subsystem and what it inherits carefully.

Practical gotchas

Umask only affects the permissions of newly created files, and it is a mask that removes bits from the requested mode. A mask of 022 removes write access for group and others but will not change existing files, and services running as other users keep their own masks.

Next actions

Test the settings: new SSH sessions, a systemd service restart and a cron job should produce files with the intended permissions; if something still differs, check PAM, per-service unit files and any distribution-specific startup scripts.
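
A probe for the tests listed above, as an added example that is not part of the original page: call `check_context` with the intended mask from an SSH session, a service's start command and a cron job, and it fails wherever the inherited mask produces different modes. The function names are this example's own, and it assumes GNU `stat` and `mktemp`.

```shell
#!/bin/sh
# Added example: umask probe for SSH sessions, systemd units and cron jobs.
# Function names are hypothetical; scratch files go under mktemp's default dir.

# expected_mode REQUESTED MASK
# Print the octal mode left once MASK has removed its bits from REQUESTED.
expected_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# created_modes
# Create a file and a directory under the mask this process inherited
# and print their modes as "FILE DIR".
created_modes() {
    scratch=$(mktemp -d) || return 1
    touch "$scratch/f"      # touch requests mode 666
    mkdir "$scratch/d"      # mkdir requests mode 777
    f=$(stat -c '%a' "$scratch/f")
    d=$(stat -c '%a' "$scratch/d")
    rm -rf "$scratch"
    echo "$f $d"
}

# check_context WANT
# Return 0 only if this context creates files and directories with the
# modes the intended mask WANT should give; report the inherited mask.
check_context() {
    want=$1
    got=$(created_modes) || return 2
    exp="$(expected_mode 666 "$want") $(expected_mode 777 "$want")"
    if [ "$got" = "$exp" ]; then
        echo "OK   umask=$(umask) modes=$got"
    else
        echo "FAIL umask=$(umask) modes=$got expected=$exp"
        return 1
    fi
}

# Usage inside a login shell, unit or crontab entry: check_context 022
```

The exit status makes the probe usable as a cron command or a one-shot service: a non-zero status marks the context whose mask still differs from the intended one.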