If you've read my previous tutorials, you know how to manage file permissions in Linux and how to search for files based on their permissions. So you have your filesystem permissions pretty well locked down now, right? Good. But what about new files that are created constantly? Perpetually having to run complex find commands in search of new files with incorrect permissions is annoying at best, and a new file created with the wrong permissions may leave a window of vulnerability on your system if it isn't found and corrected right away.

That's where the umask setting comes in. When a new file or directory is created, the default permissions it is created with are determined by the user's file creation mask, or umask. The default system-wide umask is determined either by /etc/bashrc or /etc/profile (depending on your distribution), although individual users may override the default umask in .bashrc or .profile located in the user's home directory.

The umask is normally expressed as a 3-digit number, although it may occasionally be seen as a 4-digit number with the first digit always being zero. As with file permissions generally, each digit ranges from 0 to 7 and represents the permissions for a particular class of users. The first digit is the permissions of the file's owner, the second is the permissions of the file's group, and the third is everybody else. A typical umask might be expressed as 022.

If you understand the octal expression of Linux file permissions (i.e., 'chmod 777' instead of 'chmod ugo+rwx'), the umask is the inverse of the octal permission: each umask digit is 7 minus the corresponding permission digit. Permission digits range from 0 (no access) to 7 (full access), and umask digits range from 7 (no access) to 0 (full access). Therefore, the umask that yields permission 777 is 000 (full access for everyone), and the umask that yields permission 000 is 777 (no access for anyone).

If you didn't follow that, here's a simple list of what permissions each umask setting will give (the execute permission is primarily for being able to cd into directories):

0 - read, write, and execute
1 - read and write
2 - read and execute
3 - read
4 - write and execute
5 - write
6 - execute
7 - no access

Most traditional Linux distributions come with a default umask of 022. The file's owner has full access, while members of the group and everybody else have read-only access. That means that if you want to keep your collection of jpegs of... uh, well... whatever you collect jpegs of... away from prying eyes, this umask probably isn't going to work for you because your files are world-readable.

Red Hat and its derivative distributions use a slightly different scheme, but the effect is the same. Red Hat uses a user private group (UPG) scheme, whereby each user belongs to a unique group with the same name as the username, and uses a default umask of 002. Since the user and the group are effectively the same, this has the same security effect as a umask of 022 in other distributions. All user files are still world-readable.

Change the default umask to 077 for maximum security. The file owner has full access, and everyone else is denied any access at all.
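To make the arithmetic above concrete, here is a small added Python script (not part of the original tutorial) that takes a umask as written in this article and works out the permissions a new file and a new directory will actually get, then flags whether the file ends up world-readable. It relies on one detail the article's digit table glosses over: the creating call asks for 0666 for a regular file and 0777 for a directory before the umask is applied, so a umask can never grant execute on a plain file. The `audit` and `parse_umask` names are this example's own.

```python
import os
import stat

# Base modes the creating system call asks for before the umask is applied:
# open()/creat() requests 0666 for a regular file, mkdir() requests 0777.
# This is why a umask never grants execute on a plain file, whatever its digits.
FILE_BASE = 0o666
DIR_BASE = 0o777

def parse_umask(text):
    """Turn '022' or '0022' (the forms shown in the article) into an int mask."""
    if not text.isdigit() or not 3 <= len(text) <= 4 or any(c > "7" for c in text):
        raise ValueError(f"not an octal umask: {text!r}")
    return int(text, 8) & 0o777

def resulting_mode(umask, base):
    """Permission bits a new object gets: the base mode with the umask bits cleared."""
    return base & ~umask

def current_umask():
    """Read the live umask of this process (os.umask only reports it while setting)."""
    old = os.umask(0)
    os.umask(old)
    return old

def audit(umask_text):
    """Summarise what a given umask does to newly created files and directories."""
    umask = parse_umask(umask_text)
    file_mode = resulting_mode(umask, FILE_BASE)
    dir_mode = resulting_mode(umask, DIR_BASE)
    return {
        "umask": f"{umask:03o}",
        "file": stat.filemode(stat.S_IFREG | file_mode),  # rendered like ls -l
        "dir": stat.filemode(stat.S_IFDIR | dir_mode),
        "file_mode": file_mode,
        "dir_mode": dir_mode,
        "world_readable": bool(file_mode & stat.S_IROTH),
        "group_readable": bool(file_mode & stat.S_IRGRP),
    }

if __name__ == "__main__":
    print(f"this process: umask {current_umask():03o}")
    for m in ("022", "002", "077"):  # the three masks discussed in the article
        r = audit(m)
        print(f"umask {r['umask']}: file {r['file']}  dir {r['dir']}  "
              f"world-readable={r['world_readable']}")
```

Run it after changing your umask in .bashrc or .profile to confirm that new files come out as -rw------- and new directories as drwx------ under 077.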