CIS126RH | RHEL System Administration Mesa Community College
Learning Objectives
1
Review permission basics
Octal notation and permission meanings
2
Understand umask
What umask is and how it affects new files
3
Calculate permissions
Determine resulting permissions from umask values
4
Set umask values
Change umask temporarily and permanently
5
Apply security best practices
Choose appropriate umask for different scenarios
Permission Review
Linux permissions control who can read, write, and execute files and directories. Permissions are set for owner, group, and others.
Permission
Symbol
Octal
File Meaning
Directory Meaning
Read
r
4
View file contents
List directory contents
Write
w
2
Modify file contents
Create/delete files in dir
Execute
x
1
Run as program
Enter directory (cd)
Reading Permissions
[user@host ~]$ ls -l myfile.txt
-rw-r--r--. 1 user user 100 Jan 20 10:00 myfile.txt
│├─┤├─┤├─┤
│ │ │ └── Others: read only (4)
│ │ └───── Group: read only (4)
│ └──────── Owner: read + write (6)
└────────── File type (- = regular file)
Permissions are represented in octal notation. Read is 4, write is 2, execute is 1. Add them for combined permissions: read + write = 6, read + write + execute = 7. The example above is 644 in octal.
Octal Permission Values
Octal
Binary
Symbolic
Permissions
0
000
---
None
1
001
--x
Execute only
2
010
-w-
Write only
3
011
-wx
Write + Execute
4
100
r--
Read only
5
101
r-x
Read + Execute
6
110
rw-
Read + Write
7
111
rwx
Read + Write + Execute
Octal Values: 755 Example
7
Owner rwx
5
Group r-x
5
Others r-x
A permission set like 755 means: owner gets 7 (rwx — full access), group gets 5 (r-x — read and execute), others get 5 (r-x — same as group).
Understanding this table is essential for working with umask because umask also uses octal values — it specifies which bits to remove from the defaults.
What is umask?
umask (user file-creation mask) is a value that determines which permissions are removed from the default permissions when creating new files and directories.
Default Permissions−umask=Actual Permissions
Key concept: umask specifies which permissions to take away, not which to give. A umask of 022 removes write permission from group and others.
Displaying umask
# Display current umask (octal)[user@host ~]$ umask
0022# Display in symbolic form[user@host ~]$ umask -S
u=rwx,g=rx,o=rx
Octal form: 0022
Leading zero = octal notation. Remove write (2) from group, remove write (2) from others.
Symbolic form: u=rwx,g=rx,o=rx
Shows what permissions are allowed after the mask is applied.
Base Permissions
Before applying umask, the system starts with base permissions that differ for files and directories.
Files: 666
Base: rw-rw-rw-
Read and write for everyone. No execute by default (security).
Directories: 777
Base: rwxrwxrwx
Full access for everyone. Execute needed to enter directory.
Why the difference? Files do not get execute permission by default for security — a new text file should not be runnable. Directories need execute permission to allow cd.
Calculating File Permissions
For files: Start with base 666, subtract umask.
666
Base file rw-rw-rw-
−
022
umask ----w--w-
=
644
Result rw-r--r--
[user@host ~]$ umask
0022[user@host ~]$ touch newfile.txt
[user@host ~]$ ls -l newfile.txt
-rw-r--r--. 1 user user 0 Jan 20 10:00 newfile.txt# 644 = Owner: rw, Group: r, Others: r
Calculating Directory Permissions
For directories: Start with base 777, subtract umask.
777
Base dir rwxrwxrwx
−
022
umask ----w--w-
=
755
Result rwxr-xr-x
[user@host ~]$ mkdir newdir
[user@host ~]$ ls -ld newdir
drwxr-xr-x. 2 user user 6 Jan 20 10:00 newdir# 755 = Owner: rwx, Group: rx, Others: rx
Execute permission is preserved for directories even though it was masked for files — this is because directories have execute in their base (777), while files do not (666).
Common umask Values
umask
File Result
Dir Result
Use Case
022
644 rw-r--r--
755 rwxr-xr-x
Standard — readable by all
027
640 rw-r-----
750 rwxr-x---
Group only — no others access
077
600 rw-------
700 rwx------
Private — owner only
002
664 rw-rw-r--
775 rwxrwxr-x
Shared group — group can write
007
660 rw-rw----
770 rwxrwx---
Group only — no others
000
666 rw-rw-rw-
777 rwxrwxrwx
No restrictions (dangerous!)
RHEL defaults: Regular users and root both get umask 0022. Security-conscious organizations often set stricter defaults like 0027 or 0077.
Setting umask Temporarily
# Check current umask[user@host ~]$ umask
0022# Set more restrictive umask[user@host ~]$ umask 077
[user@host ~]$ touch private.txt
[user@host ~]$ ls -l private.txt
-rw-------. 1 user user 0 Jan 20 10:00 private.txt# Only owner can read/write (600)# Set using symbolic notation[user@host ~]$ umask u=rwx,g=rx,o=
[user@host ~]$ umask
0027
Session only: This change is lost when you log out or open a new terminal. Use profile files for permanent changes.
Subshell Technique
# Wrap in parentheses to isolate umask change[user@host ~]$ (umask 077; touch temp-sensitive-data.txt)
[user@host ~]$ umask # Still original value0022# Subshell umask did NOT affect parent shell# Script that creates secure files
#!/bin/bash
umask 077
touch /var/log/myapp/secure.log
# All files created by this script are 600/700
Wrapping a command in ( ) runs it in a subshell. Setting umask there only affects that subshell — when it exits, you return to your original umask. Perfect for one-off operations that need different permissions.
Scripts that create sensitive files should set umask near the beginning — this ensures consistent permissions regardless of the user's umask when they run the script.
Setting umask Permanently
# For a single user: add to ~/.bashrc[user@host ~]$ echo "umask 027" >> ~/.bashrc
# For a single user: or add to ~/.bash_profile[user@host ~]$ echo "umask 027" >> ~/.bash_profile
# Apply changes to current session[user@host ~]$ source ~/.bashrc
The difference between .bash_profile and .bashrc: .bash_profile runs for login shells, .bashrc runs for interactive non-login shells. Adding to .bashrc usually covers most situations.
System-Wide umask
# For all users: add to /etc/profile (requires root)[root@host ~]# echo "umask 027" >> /etc/profile
# BETTER: create a drop-in file in /etc/profile.d/[root@host ~]# echo "umask 027" > /etc/profile.d/custom-umask.sh
File precedence (lowest to highest):
/etc/login.defs — fallback
/etc/profile and /etc/profile.d/*.sh — system-wide
~/.bash_profile, ~/.bashrc — user-specific (wins)
The /etc/profile.d/ approach is cleaner — you don't modify the original profile file, making updates easier. Files with .sh extension are sourced automatically.
umask in /etc/login.defs
# View current setting in login.defs[root@host ~]# grep -i umask /etc/login.defs
UMASK 022# To change system default, edit this file[root@host ~]# vim /etc/login.defs
# Change: UMASK 027
login.defs also controls:
Default umask for logins
Password aging defaults
UID/GID ranges
Home directory creation
Override order:
/etc/login.defs (lowest)
/etc/profile, /etc/profile.d/
~/.bash_profile, ~/.bashrc (highest)
Understanding the Math
Important: umask uses bitwise AND NOT, not simple subtraction. For typical values this looks like subtraction, but edge cases differ.
Actual operation: result = base AND (NOT umask)
Owner
Group
Others
Base (666)
110
110
110
NOT umask (NOT 022)
111
101
101
Result (AND) = 644
110
100
100
Practical note: Simple subtraction works for most common values. The bit operation matters when umask has a bit set that the base does not have — but this rarely occurs in practice.
Math: Why Subtraction Mostly Works
umask cannot remove execute permission from files because files do not have execute in their base (666). This is actually a feature — you cannot accidentally create executable files through umask alone.
# Example: umask 033 with base 666# Naive subtraction: 666 - 033 = 633 (wrong!)# Bit operation: 666 AND (NOT 033) = 644 (correct)# The execute bit doesn't exist in base 666# so umask 033 can't "remove" it from files# The result is still 644, not 633
For the RHCSA exam and everyday use, the subtraction shortcut is reliable for all common umask values (022, 027, 077, 002). Just be aware of its theoretical limitation.
Special Permission Bits
The leading digit in a 4-digit umask controls special permissions: setuid, setgid, and sticky bit.
Bit
Value
File Effect
Directory Effect
Setuid
4
Run as file owner
(no effect)
Setgid
2
Run as file group
New files inherit group
Sticky
1
(no effect)
Only owner can delete files
4-digit umask format:SUGO (Special, User, Group, Others)
The leading 0 in 0022 means "do not mask any special bits."
Special Bits: Setgid Example
# 4-digit umask: leading 0 = no special bits masked[user@host ~]$ umask
0022# Special bits are rarely set via umask# They're usually set explicitly with chmod when needed# Example: setgid directory for group collaboration[root@host ~]# chmod g+s /shared/project
[root@host ~]# ls -ld /shared/project
drwxrwsr-x. 2 root developers 6 Jan 20 10:00 /shared/project# ^ setgid bit (s instead of x)
In practice, special bits are almost always set explicitly with chmod when needed — not controlled through umask. The leading zero in 0022 simply means "do not mask any special bits."
Checking Effective Permissions
# Always verify after creating files[user@host ~]$ touch testfile.txt
[user@host ~]$ ls -l testfile.txt
-rw-r--r--. 1 user user 0 Jan 20 10:00 testfile.txt[user@host ~]$ mkdir testdir
[user@host ~]$ ls -ld testdir
drwxr-xr-x. 2 user user 6 Jan 20 10:00 testdir# Check numeric permissions with stat[user@host ~]$ stat -c "%a %n" testfile.txt testdir
644 testfile.txt
755 testdir# Full stat output shows both formats[user@host ~]$ stat testfile.txt
Access: (0644/-rw-r--r--) Uid: ( 1000/ user) Gid: ( 1000/ user)
Best practice: After setting a new umask, create test files and directories to verify the permissions are what you expect before creating important files.
Security Considerations
Too Permissive (umask 000)
Files: 666 (world writable!)
Dirs: 777 (world writable!)
Anyone can read/modify your files
Major security vulnerability
Never use in production
Too Restrictive (umask 077)
Files: 600 (owner only)
Dirs: 700 (owner only)
May break group collaboration
May prevent web servers from reading
Good for sensitive data
Balance needed: The right umask depends on the use case. System defaults (022) balance security and usability. Adjust based on actual needs.
umask for Service Accounts
# Service accounts often need stricter umask# Example: database service creates private files# In a systemd unit file:[Service]
UMask=0077# Regular users — system default# /etc/profile or /etc/login.defsUMASK 022# PAM can also set umask[root@host ~]# grep pam_umask /etc/pam.d/login
session optional pam_umask.so umask=0027
Service accounts (apache, mysql, postgres) typically need very restrictive umask — they create files that only the service should access. Set this in the systemd unit file with UMask=0077, or in the service's startup script.
Troubleshooting umask
# Problem: Files created with wrong permissions[user@host ~]$ umask
0077# Aha! That's why files are private# Find where umask is being set[user@host ~]$ grep -r "umask" ~/.bash* ~/.profile /etc/profile /etc/profile.d/ 2>/dev/null
/etc/profile.d/security.sh:umask 077# Problem: cron jobs create files with wrong permissions# Set umask at the start of the cron script
#!/bin/bash
umask 022
# rest of script
Cron jobs run with minimal environment and might not source your profile files. Always set umask explicitly at the beginning of cron scripts to ensure consistent permissions.
Troubleshooting: Application umask
# Problem: Application creates files with unexpected permissions# Some apps set their own umask internally# Check app documentation or source code# Problem: Can't figure out why permissions are what they are# Calculate expected vs actual[user@host ~]$ umask
0022# Expected file: 666 - 022 = 644# Expected dir: 777 - 022 = 755# If actual differs, the app has its own umask
Remember: umask only affects newly created files. Existing files keep their current permissions. Use chmod to fix permissions on files that already exist.
Web servers, databases, and other services often have their own umask configuration independent of the user's shell umask. Check the application's documentation or configuration when troubleshooting unexpected file permissions.
Best Practices
Do
Understand your organization's policy
Use 022 for normal shared systems
Use 077 for sensitive data handling
Set umask in scripts that create files
Test umask changes before deploying
Verify permissions after file creation
Document non-standard umask settings
Configure services with appropriate umask
Do Not
Use 000 (no protection)
Assume all systems have same umask
Forget umask only affects new files
Rely on umask for security alone
Change system defaults without testing
Ignore umask in security audits
Forget services have separate umask
Set overly restrictive for collaboration
umask & Defense in Depth
Remember: umask is just one part of file security. Combine with proper ownership, ACLs, SELinux, and the principle of least privilege.
umask handles:
Default permissions for new files
Baseline security from creation
Consistent default across sessions
Also need:
Proper chown ownership
ACLs for complex access
SELinux for mandatory access
Regular permission audits
Key Takeaways
1
umask: Removes permissions from defaults. Files start at 666, directories at 777. umask specifies what to subtract.