Manage Default File Permissions

Manage default file permissions

CIS126RH | RHEL System Administration 1
Mesa Community College

Every file and directory created on a Linux system receives a set of permissions automatically. These defaults are not random — they are calculated by applying the umask (user file creation mask) to the maximum possible permissions. Understanding and controlling the umask allows administrators to enforce security policies that govern what access new files grant by default. This module covers the umask mechanism in depth, how to set it for users and system-wide, and how special bits interact with new file creation. These skills are tested on the RHCSA exam.

Learning Objectives

  1. Explain the umask mechanism — Describe how the umask works as a subtractive mask applied to maximum default permissions for new files and directories
  2. Calculate permissions from umask values — Derive the resulting file and directory permissions for any given umask value using the subtraction model
  3. Set the umask for a user or session — Use the umask shell built-in to view and change the umask for the current session and configure it persistently in shell startup files
  4. Configure system-wide default permissions — Set a system-wide umask in /etc/profile.d/ and understand how /etc/login.defs and PAM interact with umask

What is the umask?

The umask (user file creation mask) defines which permission bits are cleared from newly created files and directories. It is a subtractive mask: any bit set in the umask is removed from the mode the creating program asks for.

  • Programs request a maximum mode at creation time, and the kernel clears the umask bits from it:
    Regular files: 666 (rw-rw-rw-), because touch, editors and shell redirection never request execute
    Directories: 777 (rwxrwxrwx), because execute is needed to enter a directory
  • The umask specifies which of those bits to remove
  • Result = requested mode with the umask bits cleared (mode AND NOT umask)
  • The RHEL 9 default is 0022 for root and system accounts. /etc/profile and /etc/bashrc lower it to 0002 for ordinary users (UID above 199) whose primary group has the same name as the user, because with user private groups a group-writable file is still writable only by its owner. Run umask to check your own value rather than assuming either one.
# With umask 0022:
# Files:       666 − 022 = 644  (rw-r--r--)
# Directories: 777 − 022 = 755  (rwxr-xr-x)

$ umask
0022

$ touch newfile.txt
$ ls -l newfile.txt
-rw-r--r--. 1 alice alice 0 May 25 10:00 newfile.txt
#  644 = 666 - 022

$ mkdir newdir
$ ls -ld newdir
drwxr-xr-x. 2 alice alice 6 May 25 10:00 newdir
#  755 = 777 - 022

Calculating umask Results

The kernel computes mode AND NOT umask, a bitwise operation, not arithmetic subtraction. Digit-by-digit subtraction gives the same answer only while every bit set in a umask digit is also set in the matching digit of the maximum. For files that breaks whenever a umask digit contains the execute bit (1, 3, 5 or 7): 666 with umask 027 gives 640, because clearing an execute bit that was never set changes nothing, whereas 6 minus 7 would be negative (and 6 minus 1 would wrongly give 5). Treat a digit that would go below zero as clearing only the bits the two digits share, or simply compute it bitwise.

# Subtraction method (works for most common umask values)
# umask 022:
#   Files:       6 6 6 minus 0 2 2 = 6 4 4  → rw-r--r--
#   Directories: 7 7 7 minus 0 2 2 = 7 5 5  → rwxr-xr-x

# umask 027:
#   Files:       6 6 6 minus 0 2 7 = 6 4 0  → rw-r-----   (6 minus 7 is not 0 arithmetically: the 7 clears r, w and x, but x was never set, so only r and w go)
#   Directories: 7 7 7 minus 0 2 7 = 7 5 0  → rwxr-x---

# umask 002:
#   Files:       6 6 6 minus 0 0 2 = 6 6 4  → rw-rw-r--
#   Directories: 7 7 7 minus 0 0 2 = 7 7 5  → rwxrwxr-x

# umask 077:
#   Files:       6 6 6 minus 0 7 7 = 6 0 0  → rw-------
#   Directories: 7 7 7 minus 0 7 7 = 7 0 0  → rwx------

# umask 000 (no bits removed — maximum permissions):
#   Files:       6 6 6 minus 0 0 0 = 6 6 6  → rw-rw-rw-
#   Directories: 7 7 7 minus 0 0 0 = 7 7 7  → rwxrwxrwx
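The calculation done both ways, as an added example that is not part of the course material: the kernel's rule (mode AND NOT umask) next to the digit-by-digit subtraction shortcut, so the cases where the shortcut stops working are visible, plus the reverse calculation (which umask yields a wanted file mode and directory mode). Function names such as apply_umask and umask_for are this example's own; nothing is created on disk.

```bash
#!/bin/bash
# Added example, not from the course page: kernel rule vs. subtraction shortcut,
# plus the reverse calculation. Pure arithmetic, nothing touches the filesystem.

# Requested mode with the umask bits cleared, e.g. apply_umask 666 027 -> 640
apply_umask() { printf '%03o\n' $(( 0$1 & ~0$2 & 0777 )); }

# Digit N (1..3) of a three-digit string
nth_digit() {
    local t
    case $2 in
        1) printf '%s' "${1%??}" ;;
        2) t=${1#?}; printf '%s' "${t%?}" ;;
        3) printf '%s' "${1#??}" ;;
    esac
}

# Octal mode to rwx triplets, e.g. to_symbolic 640 -> rw-r-----
to_symbolic() {
    local m n d
    m=$(printf '%03o' $(( 0$1 & 0777 )))
    for n in 1 2 3; do
        d=$(nth_digit "$m" "$n")
        printf '%s' "--- --x -w- -wx r-- r-x rw- rwx" | cut -d' ' -f$((d + 1)) | tr -d '\n'
    done
    echo
}

# The classroom shortcut: subtract digit by digit. Prints n/a when a digit
# would go below zero, the case arithmetic cannot represent.
subtract_digits() {
    local out="" n d
    for n in 1 2 3; do
        d=$(( $(nth_digit "$1" "$n") - $(nth_digit "$2" "$n") ))
        if [ "$d" -lt 0 ]; then echo n/a; return 0; fi
        out="$out$d"
    done
    echo "$out"
}

# Reverse direction: the umask that yields both a wanted file mode and a
# wanted directory mode is the union of the bits each one must drop.
# Refuses file modes containing execute, since 666 never has it to begin with.
umask_for() {
    if [ $(( 0$1 & 0111 )) -ne 0 ]; then
        echo "impossible: umask cannot add execute to new files" >&2
        return 1
    fi
    printf '%04o\n' $(( (0666 & ~0$1) | (0777 & ~0$2) ))
}

# Walk the reference table plus 133, a mask with execute bits in every
# position: bitwise it gives files 644, subtraction says 533.
for u in 022 027 002 077 007 133; do
    printf 'umask %s  files %s %s  dirs %s %s  (subtraction for files: %s)\n' \
        "$u" "$(apply_umask 666 "$u")" "$(to_symbolic "$(apply_umask 666 "$u")")" \
        "$(apply_umask 777 "$u")" "$(to_symbolic "$(apply_umask 777 "$u")")" \
        "$(subtract_digits 666 "$u")"
done
printf 'files 640 and dirs 750 need umask %s\n' "$(umask_for 640 750)"
```

The 133 row is the one to remember: subtraction produces a mode that does not exist, while the bitwise result is the familiar 644. umask_for is what you want in the exam workflow further down, since it derives one mask from both requirements at once instead of checking directories by hand afterwards.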

umask Common Values Reference

umask   New files        New directories   Typical use
0022    644 rw-r--r--    755 rwxr-xr-x     RHEL default for root and system accounts: world-readable, no write for group or other
0027    640 rw-r-----    750 rwxr-x---     Security-conscious: other has no access at all
0002    664 rw-rw-r--    775 rwxrwxr-x     Collaborative: group members can write new files (RHEL default for ordinary users with a private group)
0077    600 rw-------    700 rwx------     Private: only the owner can access anything
0007    660 rw-rw----    770 rwxrwx---     Group collaboration: other has no access
0000    666 rw-rw-rw-    777 rwxrwxrwx     No restriction: maximum permissions (rarely used)
Know these four umask values for the exam

0022 — system default (files 644, dirs 755)
0027 — security default (files 640, dirs 750)
0002 — collaborative default (files 664, dirs 775)
0077 — private (files 600, dirs 700)

Viewing and Setting the umask

The umask command is a shell built-in that reads and sets the file creation mask of the current shell process. Every program the shell starts afterwards inherits a copy of it; processes already running are unaffected.

# View the current umask (octal)
$ umask
0022

# View the current umask in symbolic form
$ umask -S
u=rwx,g=rx,o=rx

# Set a new umask for the current session
$ umask 027

# Verify the change
$ umask
0027

# Test immediately — new files reflect the new umask
$ touch testfile
$ ls -l testfile
-rw-r-----. 1 alice alice 0 May 25 10:00 testfile
#  640 = 666 - 027

$ mkdir testdir
$ ls -ld testdir
drwxr-x---. 2 alice alice 6 May 25 10:00 testdir
#  750 = 777 - 027

Persistent umask: User-Level Configuration

A umask set in the shell applies only to the current session. To make it persistent for a specific user, add the umask command to the user's shell startup file.

# For bash users: append to ~/.bashrc (interactive non-login shells; on RHEL 9
# ~/.bash_profile sources ~/.bashrc, so login shells pick it up as well)
$ echo "umask 027" >> ~/.bashrc

# Only if ~/.bash_profile does not source ~/.bashrc: append there too
$ echo "umask 027" >> ~/.bash_profile

# Verify it was added
$ grep umask ~/.bashrc
umask 027

# Apply in the current session without logging out
$ source ~/.bashrc

# Confirm the umask is now active
$ umask
0027
Use ~/.bashrc for interactive shells on RHEL 9

On RHEL 9, ~/.bashrc is sourced for interactive non-login shells and is sourced by ~/.bash_profile, making it the most reliable place for user-level umask settings. Changes take effect at the next login or after source ~/.bashrc.

Persistent umask: System-Wide Configuration

System-wide umask settings apply to all users. The preferred location on RHEL 9 is a drop-in file in /etc/profile.d/.

# Create a system-wide umask drop-in file (preferred method)
$ sudo tee /etc/profile.d/umask.sh <<'EOF'
# Set system-wide default umask
umask 027
EOF

# Verify the file was created
$ cat /etc/profile.d/umask.sh
umask 027

# /etc/profile sources /etc/profile.d/*.sh for login shells, and /etc/bashrc
# sources the same files for interactive non-login shells. Both do so AFTER
# setting their own default umask, so the drop-in wins in either kind of shell

# Alternative: edit /etc/bashrc (it contains an if/else with umask 002 for
# ordinary users and umask 022 for everyone else; change the branch you mean)
$ sudo vim /etc/bashrc
# Find and change: umask 002  →  umask 027

# Alternative: the UMASK setting in /etc/login.defs (read by useradd and
# login(1), never by bash)
$ grep UMASK /etc/login.defs
UMASK           022
Three locations for system-wide umask

/etc/profile.d/umask.sh: preferred; sourced by both /etc/profile and /etc/bashrc, and it survives package updates.
/etc/bashrc: package-owned file; local edits have to be reconciled with updates, and it only applies to bash.
/etc/login.defs UMASK: read by useradd (mode of the new home directory) and login(1), and by pam_umask where that module is configured; the shell never reads it.

umask in /etc/login.defs

/etc/login.defs holds system-wide login defaults. Its UMASK value is read by useradd (to derive the mode of a new home directory when HOME_MODE is not set), by login(1) for console logins, and by pam_umask if that module is present in the PAM session stack. Bash does not read it, so a shell startup file that sets umask overrides it in every interactive session; treat it as the floor for programs that never run a shell, not as the setting users will see.

# View the current UMASK setting
$ grep -i umask /etc/login.defs
UMASK           022

# Change the default for the programs that read login.defs
$ sudo vim /etc/login.defs
# Change: UMASK  022  to  UMASK  027

# Or non-interactively with sed
$ sudo sed -i 's/^UMASK.*/UMASK           027/' /etc/login.defs

# Verify
$ grep UMASK /etc/login.defs
UMASK           027

# Check whether pam_umask is in the session stack. When present it applies
# UMASK from /etc/login.defs (or its own umask= argument) as the session
# opens, before any shell startup file runs; those files still override it.
$ grep pam_umask /etc/pam.d/system-auth /etc/pam.d/password-auth
# No output means the module is not configured and only useradd and login(1)
# honor the login.defs value. On RHEL 9 these PAM files are generated by
# authselect, so do not hand-edit them to add the module.
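The precedence question behind the three sections above (which of ~/.bashrc, /etc/profile.d, /etc/bashrc and login.defs actually wins) is easier to answer empirically than by reading the files. The following is an added example, not part of the course material: it starts a fresh shell of each kind and asks it, then lists every umask-setting line it could have run. It assumes bash and the stock RHEL 9 layout of /etc/profile, /etc/bashrc and /etc/profile.d/*.sh; it only reads those paths and creates nothing.

```bash
#!/bin/bash
# Added example, not from the course page: ask fresh shells what umask they
# ended up with, instead of reasoning about which startup file ran last.

# Login shell: /etc/profile -> /etc/profile.d/*.sh -> ~/.bash_profile -> ~/.bashrc
# (/etc/bashrc is sourced from ~/.bashrc but skips its umask block for login shells)
login_shell_umask() { bash -lc umask 2>/dev/null; }

# Interactive non-login shell (a new terminal tab):
# ~/.bashrc -> /etc/bashrc -> /etc/profile.d/*.sh -> the rest of ~/.bashrc
interactive_shell_umask() { bash -ic umask 2>/dev/null; }

# Non-interactive, non-login shell (cron jobs, most scripts): none of those
# files run, the mask is simply inherited from the parent process, which is
# why a script that creates files should set its own.
inherited_umask() { bash -c umask; }

# Every line that sets a umask in the files above, plus login.defs, which the
# shell never reads. Compare with the live values to see which one won.
list_umask_lines() {
    grep -Hn '^[[:space:]]*umask[[:space:]]' \
        /etc/profile /etc/profile.d/*.sh /etc/bashrc \
        "$HOME/.bash_profile" "$HOME/.bashrc" 2>/dev/null
    grep -Hn '^UMASK' /etc/login.defs 2>/dev/null
    return 0
}

report() {
    printf 'login shell:           %s\n' "$(login_shell_umask)"
    printf 'interactive shell:     %s\n' "$(interactive_shell_umask)"
    printf 'inherited (script):    %s\n' "$(inherited_umask)"
    printf 'inherited, umask 077:  %s\n' "$( (umask 077; inherited_umask) )"
    list_umask_lines
}

report
```

If the login and interactive values differ, a file that runs for only one shell type (typically /etc/bashrc or ~/.bash_profile) is setting it; a line in ~/.bashrc that comes after the `. /etc/bashrc` line beats every system-wide setting for that user, which is worth remembering when a hardening policy depends on /etc/profile.d/umask.sh.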

The umask Inheritance Model

The umask is a per-process attribute: each process receives a copy of its parent's mask when it starts, and a change affects only that process and the children it starts afterwards. Two things make it look inconsistent. A change made in a child (a subshell, a script, a sudo command) never flows back to the parent. And a parent directory that carries a default ACL makes the kernel ignore the umask entirely for files created inside it; the ACL's mask entry applies instead, so files can come out more open than the umask predicts.

# Each process has its own umask, inherited from its parent
# Changing umask in a child does not affect the parent

$ umask
0022

# Start a subshell and change its umask
$ bash
$ umask 077
$ umask
0077

# Exit the subshell — parent still has original umask
$ exit
$ umask
0022   # ← unchanged

# sudo does not hand root the caller's umask unchanged: by default it runs the
# command with the union (bitwise OR) of the caller's umask and the sudoers
# umask option (0022 unless changed), so the result is never looser than either.
# A script should not depend on that either way. To set umask in a script:
$ cat /usr/local/bin/deploy.sh
#!/bin/bash
umask 022    # set explicitly at the start of any script
mkdir /opt/myapp
cp /tmp/myapp.tar.gz /opt/myapp/
Always set umask explicitly in scripts

Scripts should not rely on the caller's umask. Set umask explicitly at the start of any script that creates files, to ensure consistent permissions regardless of who runs the script or what their umask is.

umask for systemd Services

Services managed by systemd have their own umask, set per unit with UMask= in the [Service] section. Shell startup files and /etc/login.defs play no part, because a service never runs them. When a unit sets nothing, systemd applies its own default of 0022 (see systemd.exec(5)); systemctl show -p UMask NAME prints the value actually in effect.

# View a service unit and look for a UMask= line under [Service]
$ sudo systemctl cat httpd
[Unit]
Description=The Apache HTTP Server
...
[Service]
Type=notify
...
# No UMask= line means the service runs with the systemd default of 0022

# Add a UMask to a custom service
$ sudo vim /etc/systemd/system/myapp.service
[Unit]
Description=My Application

[Service]
Type=simple
UMask=0027
ExecStart=/usr/local/bin/myapp

# Or tighten an existing service with a drop-in (systemctl edit opens an
# override file and reloads the unit files for you)
$ sudo systemctl edit httpd
[Service]
UMask=0027

$ sudo systemctl daemon-reload
$ sudo systemctl restart httpd    # UMask= takes effect when the service process starts

Verifying Default Permissions in Practice

# Current session umask
$ umask
0027

# Verify by creating test files and directories
$ touch /tmp/test_file
$ mkdir /tmp/test_dir
$ ls -ld /tmp/test_file /tmp/test_dir    # -d shows the directory itself, not its contents
-rw-r-----. 1 alice alice    0 May 25 10:00 /tmp/test_file
drwxr-x---. 2 alice alice 4096 May 25 10:00 /tmp/test_dir
# 640 and 750 confirm umask 027 is active
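The manual check above, automated, as an added example that is not part of the course material: it predicts the modes a umask should give, creates a real file and directory under that umask in a subshell (so, as in the inheritance section, the caller's own umask is left alone), and compares with what the filesystem reports. It assumes GNU stat as shipped on RHEL; the function names are the example's own.

```bash
#!/bin/bash
# Added example, not from the course page: predict, create, compare.
# Assumes GNU coreutils stat (stat -c %a).

# Kernel rule: requested mode with the umask bits cleared
predict() { printf '%03o' $(( 0$1 & ~0$2 & 0777 )); }

# Permission bits of PATH as three octal digits; special bits are dropped
actual_mode() { printf '%03o' $(( 0$(stat -c %a "$1") & 0777 )); }

# Set MASK in a subshell, create a file and a directory under a scratch
# directory, and compare each with the prediction. Prints one line and
# returns 1 on any mismatch, which would point at a default ACL on the
# parent directory or at a tool that requests a mode other than 666/777.
verify_umask() {
    local mask=$1 tmp f d want_f want_d rc=0
    tmp=$(mktemp -d) || return 2
    (
        umask "$mask"           # affects this subshell only
        : > "$tmp/f"            # shell redirection creates with mode 666
        mkdir "$tmp/d"          # mkdir(1) requests 777
    )
    f=$(actual_mode "$tmp/f"); d=$(actual_mode "$tmp/d")
    want_f=$(predict 666 "$mask"); want_d=$(predict 777 "$mask")
    if [ "$f" = "$want_f" ] && [ "$d" = "$want_d" ]; then
        echo "ok        umask $mask: files $f, dirs $d"
    else
        echo "MISMATCH  umask $mask: files $f (expected $want_f), dirs $d (expected $want_d)"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Try the values from the reference table; the caller's umask is unchanged afterwards
before=$(umask)
for m in 022 027 002 077 007; do
    verify_umask "$m"
done
echo "caller's umask still $(umask) (was $before)"
```

Run it from the directory tree you actually care about (replace mktemp -d with a path under it) when the point is to catch a default ACL or an unexpected mount option, since those are properties of the parent directory rather than of the umask.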

# Verify system-wide umask configuration
$ cat /etc/profile.d/umask.sh
umask 027

$ grep UMASK /etc/login.defs
UMASK           027

# Verify user-level umask configuration
$ grep umask ~/.bashrc
umask 027

# Log out and log back in; verify the umask persists
$ umask
0027   # ← loaded from shell startup file

Special Bits and Default Permissions

The umask can only clear bits, never set them. Its leading digit is the mask for the special bits (setuid 4, setgid 2, sticky 1), so a umask of 2022 would strip setgid from a mode that a program requested, but the everyday tools never request special bits: touch asks for 666 and mkdir for 777. Setting setuid, setgid or the sticky bit is therefore always an explicit chmod. The one exception is inheritance: a directory created inside a setgid directory receives setgid (and the parent's group) from the kernel, and the umask plays no part in that.

# The leading 0 in the umask is the special-bits position
# umask 0022 = special-bits mask 0, owner mask 0, group mask 2, other mask 2

# Special bits are never produced by umask; add them explicitly
$ umask 0022
$ mkdir shared_dir
$ ls -ld shared_dir
drwxr-xr-x. 2 alice alice 6 May 25 10:00 shared_dir
# No setgid; add it explicitly
$ chmod g+s shared_dir
$ ls -ld shared_dir
drwxr-sr-x. 2 alice alice 6 May 25 10:00 shared_dir

# Even umask 2022 does not set setgid on new directories
$ umask 2022   # 2 in the special-bits position MASKS setgid, it does not set it
$ mkdir another_dir
$ ls -ld another_dir
drwxr-xr-x.   # no 's': umask cannot SET bits, only REMOVE them
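The interaction between setgid directories and the umask, shown on real directories, as an added example that is not part of the course material: a child created under an ordinary parent never gets setgid whatever the umask says, while a child created under a setgid parent gets it even under the most private umask. This is the mechanism behind a shared group directory (chmod 2770 on the directory plus umask 002 or 007 for its users). It assumes GNU stat as on RHEL; function names are the example's own.

```bash
#!/bin/bash
# Added example, not from the course page: setgid vs. umask on directories,
# run in a scratch tree from mktemp. Assumes GNU coreutils stat.

# Full mode of PATH as four octal digits, special bits included: 2750, 0755, ...
full_mode() { printf '%04o' $(( 0$(stat -c %a "$1") )); }

# Create PARENT/child with umask MASK in a subshell (the caller's umask is
# untouched) and print the child's full mode
child_dir_mode() {
    local parent=$1 mask=$2
    ( umask "$mask"; mkdir "$parent/child" ) || return 1
    full_mode "$parent/child"
}

# The three cases from the slides in one scratch tree
setgid_demo() {
    local tmp plain shared
    tmp=$(mktemp -d) || return 2
    plain=$tmp/plain; shared=$tmp/shared
    mkdir "$plain" "$shared"
    chmod g+s "$shared"                 # the only way to get setgid: an explicit chmod

    # 1. umask 2022 on an ordinary parent: no setgid appears, the leading 2 only masks it
    printf 'plain parent,  umask 2022: child %s\n' "$(child_dir_mode "$plain" 2022)"
    rm -r "$plain/child"

    # 2. an ordinary parent under a private umask: 0700, still no setgid
    printf 'plain parent,  umask 077:  child %s\n' "$(child_dir_mode "$plain" 077)"

    # 3. a setgid parent: the kernel copies setgid (and the parent's group) to the
    #    child no matter what the umask is, here even under 077
    printf 'setgid parent, umask 077:  child %s\n' "$(child_dir_mode "$shared" 077)"

    rm -rf "$tmp"
}

setgid_demo
```

The third line is why a collaborative directory needs both halves configured: chmod g+s on the directory guarantees that subdirectories and files belong to the group, and the group's umask (002 or 007) guarantees that they are group-writable; neither setting substitutes for the other.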

Default Permissions Quick Reference

Task                                          Command or file
View current umask (octal)                    umask
View current umask (symbolic)                 umask -S
Set umask for current session                 umask 027
Persist umask for current user                Add umask 027 to ~/.bashrc
Apply change to current session               source ~/.bashrc
Set system-wide umask (preferred)             Create /etc/profile.d/umask.sh with umask 027
Set system-wide via login.defs                Set UMASK 027 in /etc/login.defs
Calculate file permissions from umask         666 − umask = file permissions (digit by digit, never below 0)
Calculate directory permissions from umask    777 − umask = directory permissions
Verify umask by creating test files           touch /tmp/test && ls -l /tmp/test
Set umask for a systemd service               Add UMask=0027 to [Service] in the unit file

Common Mistakes

Mistake | What goes wrong | Correct approach
Thinking umask adds permissions | Student sets umask 644, expecting files to get 644 permissions | umask removes bits: 666 − 644 = 022, not 644. To get 644 files use umask 022; to get 640 files use umask 027
Setting umask in the current session and assuming it persists | After a reboot or new login the umask reverts to whatever the startup files set | Add umask VALUE to ~/.bashrc or /etc/profile.d/umask.sh
Confusing the umask value with the resulting permissions | Setting umask 600 does not produce 600-permission files | Files get 666 − 600 = 066 (---rw-rw-); the umask and the result are not the same number
Not applying source ~/.bashrc after editing the file | The new umask in ~/.bashrc is not yet active in the current session | Run source ~/.bashrc or start a new shell to apply the change immediately
Expecting umask to set execute on new files | The maximum for files is 666 (no execute); umask cannot add execute to new regular files | Execute permission must be set explicitly with chmod +x
Setting umask in /etc/bashrc without testing login shells | /etc/bashrc sets its umask only for non-login shells; login shells take theirs from /etc/profile, so the two can disagree | Use /etc/profile.d/umask.sh for system-wide settings: both /etc/profile and /etc/bashrc source it after setting their own default, so it applies in either shell type (a user's own ~/.bashrc still runs later and can override it)

Complete Configuration Workflow

Exam scenario: configure the system so all new files created by users have permissions 640 (rw-r-----) and directories have 750.

# Step 1: Determine the required umask
# Files:       666 − ? = 640  →  group must lose w, other must lose rw: at least 026
# Directories: 777 − ? = 750  →  other must also lose x: 027
# umask 027 satisfies both (the extra x bit changes nothing for files, which never have it)

# Step 2: Set umask for the current session (immediate effect)
$ umask 027

# Step 3: Make it persistent system-wide
$ sudo tee /etc/profile.d/umask.sh <<'EOF'
umask 027
EOF

# Step 4: Also update /etc/login.defs for PAM-based logins
$ sudo sed -i 's/^UMASK.*/UMASK           027/' /etc/login.defs

# Step 5: Verify by creating test files
$ touch /tmp/umask_test
$ mkdir /tmp/umask_testdir
$ ls -ld /tmp/umask_test /tmp/umask_testdir    # -d: list the directory itself
-rw-r-----. ... /tmp/umask_test      ← 640 ✓
drwxr-x---. ... /tmp/umask_testdir   ← 750 ✓

Knowledge Check

Answer these before moving to the next slide.

  1. What permissions will a new regular file have if the current umask is 0027? What permissions will a new directory have?
  2. A user wants new files to have permissions 660 (rw-rw----). What umask value should they set?
  3. Write the two commands to set a umask of 027 and verify it is active by checking the permissions of a newly created file.
  4. Write the command to make a umask of 027 persistent for the current user across all future login sessions. How do you apply it to the current session without logging out?
  5. Where should a system administrator create a file to set a system-wide umask of 027 for all users? Write the file contents.
  6. A user sets umask 644. What permissions will their new files have? Is this what they probably intended?

Knowledge Check — Answers

  1. With umask 0027:
    Regular file: 666 − 027 = 640 (rw-r-----)
    Directory: 777 − 027 = 750 (rwxr-x---)
  2. To get files with 660 permissions: 666 − ? = 660, so the umask is 007 (remove write and execute from other — but other had no execute in 666, so only write is removed from other). Verify: 666 − 007 = 660 ✓
    Also check directories: 777 − 007 = 770 (rwxrwx---)
  3. umask 027 — sets the umask for the current session
    touch /tmp/testfile && ls -l /tmp/testfile — creates a file and checks its permissions. The output should show -rw-r----- (640).
  4. Add umask 027 to ~/.bashrc: echo "umask 027" >> ~/.bashrc
    Apply without logging out: source ~/.bashrc
  5. Create /etc/profile.d/umask.sh with the content:
    umask 027
    This file is sourced by /etc/profile for all login shells on the system.
  6. With umask 644, new files get: 666 − 644 = 022 permissions (----w--w-: write for group and other, nothing at all for the owner, not even read). This is almost certainly not what was intended. The user probably wanted files to be 644, but to get 644 files they need umask 022, not umask 644.

Key Takeaways

  1. The umask removes bits from maximum permissions — it does not set them. Maximum for files = 666; maximum for directories = 777. Result = Maximum − umask. umask 022 → files 644, dirs 755. umask 027 → files 640, dirs 750. Execute is never set on new files by umask.
  2. Set the session umask with umask VALUE; verify with touch + ls -l. The change applies immediately to the current process and its children. It is temporary — lost when the shell exits. Use umask -S to see the symbolic (allowed) form.
  3. Persist user-level umask in ~/.bashrc; apply with source ~/.bashrc. System-wide umask belongs in /etc/profile.d/umask.sh (preferred) or /etc/login.defs UMASK. Drop-in files in /etc/profile.d/ survive package updates.
  4. Reverse-calculate the umask from the desired permissions. To get files with 640: 666 − 640 = 026 → umask 026 (or 027 — confirm with dirs). To get files with 660: 666 − 660 = 006 → umask 007 (check dirs: 777 − 007 = 770). Always verify by creating test files and checking with ls -l.

Graded Lab

  • Run umask to record the current value. Create a test file and directory with touch and mkdir. Confirm with ls -l and ls -ld that the permissions match what the umask calculation predicts.
  • Calculate: what umask produces new files with permissions 640 and directories with 750? Set that umask with umask VALUE. Create a test file and directory and verify the permissions are correct.
  • Add the umask to ~/.bashrc with echo "umask 027" >> ~/.bashrc. Apply with source ~/.bashrc. Open a new terminal and confirm the umask is active there too.
  • Create /etc/profile.d/umask.sh containing umask 027. Log out and log back in. Run umask and create test files to confirm the system-wide setting is active.
  • View the UMASK setting in /etc/login.defs. Change it to match your configured umask (027). Confirm the value with grep UMASK /etc/login.defs.
  • Deliberately set umask 644 and create a file. Note the unexpected permissions (022 = ----w--w-). This demonstrates why umask 644 is wrong if the goal is 644-permission files. Restore the correct umask with umask 027.
RHCSA Objective

"Manage default file permissions." Know that umask removes bits from 666 (files) and 777 (dirs). Set with umask VALUE. Persist in ~/.bashrc or /etc/profile.d/umask.sh. Verify with touch + ls -l.