
Umask removes permissions from newly created files and directories. Umask is system wide, meaning that the umask setting affects the entire system. The umask itself cannot be set differently for specific directories. However, ACLs can be used to get different default permissions for specific directories.
The umask command without any options will display a string of numbers. In this example, 0002 is displayed.
~]# umask
0002
Files
By default, files created in Linux have permission 0666 (-rw-rw-rw-). If the umask is 0002, you subtract 0002 from 0666. The result of the subtraction is 0664, or -rw-rw-r--. In this example, umask removed the write permission from others.
Directories
By default, directories created in Linux have permission 0777 (-rwxrwxrwx). If the umask is 0002, you subtract 0002 from 0777. The result of the subtraction is 0775, or -rwxrwxr-x. In this example, umask removed the write permission from others.
Changing the umask
The umask command followed by the new umask changes the umask. In this example, the umask is changed to 0000.
~]# umask 0000
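Added example (not from the original article): the file and directory calculations above, checked against what the system really creates. It goes beyond the 0002 case: the kernel clears the umask bits from the default mode (mode AND NOT umask), which equals subtraction for 0002 but not for a umask such as 0033, where 0666 becomes 0644. The function names effective_mode and created_mode are made up for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample umasks are constructed.

# effective_mode BASE UMASK
# Prints the mode left after the umask bits are cleared from BASE
# (bitwise BASE AND NOT UMASK, which is what the kernel applies).
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# created_mode file|dir UMASK
# Creates a scratch file or directory under the given umask and prints
# the mode it really received. The body is a subshell, so the caller's
# umask is left untouched. Uses GNU stat (-c), as found on Linux.
created_mode() (
    tmp=$(mktemp -d) || exit 1
    umask "$2"
    if [ "$1" = dir ]; then
        mkdir "$tmp/t"
    else
        : > "$tmp/t"
    fi
    printf '%04o\n' "0$(stat -c '%a' "$tmp/t")"
    rm -rf "$tmp"
)

# Compare prediction with reality for the page's umask and three stricter ones.
for mask in 0002 0022 0033 0077; do
    printf 'umask %s  file: predicted %s actual %s  dir: predicted %s actual %s\n' \
        "$mask" \
        "$(effective_mode 0666 "$mask")" "$(created_mode file "$mask")" \
        "$(effective_mode 0777 "$mask")" "$(created_mode dir "$mask")"
done
```

A umask of 0077 is the usual choice when new files must be readable only by their owner: files come out as 0600 and directories as 0700.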
ACL
ACL entries can be used to further control the permissions of subdirectories. For example, let's say the setfacl command is used to set an ACL (access control list) so that the /tmp/foo directory defaults to drwxrwx--- (0770).
setfacl --default --modify u:root:rwx /tmp/foo
setfacl --default --modify g:root:rwx /tmp/foo
The getfacl command can be used to see the ACLs. Notice that the output includes a mask entry, which adjusts the umask.
~]# getfacl /tmp/foo
# file: tmp/foo
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:root:rwx
default:mask::rwx
default:other::---
Now when creating a directory below /tmp/foo, the newly created directory should also have the drwxrwx--- (0770) permissions.
~]# mkdir /tmp/foo/bar
~]# ls -ld /tmp/foo/bar
drwxrwx---+ 2 root root 6 Dec 7 21:54 /tmp/foo/bar