Set the default permissions that new files and directories inherit.

19.05.2026 | reading time: 2 min

Control who can read and write newly created files. The `umask` command sets which permission bits are cleared when a process creates files and directories. This guide shows the command in action and where to set persistent masks.

## Quick demo

Try this on a test account: run `umask 0077`, then `touch secret.txt` and `mkdir secretdir`. Check `ls -l secret.txt secretdir` to see `-rw-------` for the file and `drwx------` for the directory. Files start from 666 and directories from 777, and the umask removes bits from those defaults.

## How it works

You can use numeric or symbolic masks. Remember the rule: final_mode = default_mode - umask, where default_mode is 666 for files and 777 for directories. For example, `umask 022` yields files 644 and directories 755, while `umask 002` yields files 664 and directories 775.

## Where to set it

Set a per-shell mask by adding `umask 027` to `~/.profile` or `~/.bashrc`. For system-wide defaults, edit `/etc/profile` or `/etc/login.defs` and enable `pam_umask.so`. For services, set `UMask=` in systemd unit files so daemons start with the intended mask.

## When umask is not enough

umask only affects permission bits at creation. To change existing files, use `chmod`; for richer defaults, use POSIX ACLs with `setfacl -d` on directories. Be aware that some applications choose explicit modes and may ignore the umask.

## Try this next

Mastering umask reduces accidental exposure and is quick to test across shells and services. Experiment with masks and ACLs, and if you want to certify your skills, consider CompTIA Linux+ or LPIC-1, with bitsandbytes.academy being an intensive exam preparation.
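The rule from "How it works", checked against files that are actually created, as an added example that is not part of the original article. It goes one step beyond the masks shown above by including `033`, where clearing bits and plain subtraction give different answers; the function names are illustrative and GNU coreutils `stat -c` is assumed.

```shell
#!/bin/sh
# Added example, not from the original article. All files are created in a
# throwaway temp directory; the masks below are constructed sample values.

# cleared_mode BASE MASK -> octal result of clearing MASK's bits: BASE & ~MASK
cleared_mode() { printf '%o\n' $(( 0$1 & ~0$2 )); }

# subtracted_mode BASE MASK -> the shorthand "default_mode - umask" (octal)
subtracted_mode() { printf '%o\n' $(( 0$1 - 0$2 )); }

# perm_bits PATH -> rwx bits only (setuid/setgid/sticky stripped)
perm_bits() { printf '%o\n' $(( 0$(stat -c %a "$1") & 0777 )); }

# actual_modes MASK -> "FILE_MODE DIR_MODE" measured on freshly created entries.
# The body runs in a subshell, so the caller's own umask is left untouched.
actual_modes() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    touch "$tmp/f" && mkdir "$tmp/d" || { rm -rf "$tmp"; exit 1; }
    echo "$(perm_bits "$tmp/f") $(perm_bits "$tmp/d")"
    rm -rf "$tmp"
)

# Compare measured modes with both formulas. 033 is the case where plain
# subtraction (633) disagrees with what the kernel does (644): the mask cannot
# clear execute bits that the 666 default never had.
for mask in 022 002 027 077 033; do
    printf 'umask %s  actual: %s  cleared: %s %s  subtracted: %s %s\n' \
        "$mask" "$(actual_modes "$mask")" \
        "$(cleared_mode 666 "$mask")" "$(cleared_mode 777 "$mask")" \
        "$(subtracted_mode 666 "$mask")" "$(subtracted_mode 777 "$mask")"
done
```

For masks built only from the digits 0, 2, 6 and 7, both formulas agree for files; an odd digit such as 1, 3 or 5 is where they diverge.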