11.4 umask: Default Permission Mask for New Files
Right, let’s talk about umask. This is one of those concepts that sounds more intimidating than it is, mostly because it works by subtracting permissions. It feels backwards, because it is. Some committee in the 70s probably thought this was clever, and we’ve been stuck with it ever since.
Think of it this way: when a process, like your shell’s touch or mkdir, creates a new file or directory, it asks the system for a set of “default” permissions. For files, this is usually 666 (read and write for everyone). For directories, it’s 777 (read, write, and execute for everyone). Let that sink in for a second. If we actually got those defaults, any file you create would be instantly writable by any other user on the system. That’s a security nightmare straight out of the gate.
Enter umask, the bouncer at the door. Its job is to subtract permissions from these overly enthusiastic defaults to arrive at something sensible. The umask value is a mask—a set of bits that tell the system which permissions to disallow.
How the Math Actually Works
Don’t panic. The math is simple, even if the logic is inverted. Let’s say the system default for a file is 666 (rw-rw-rw-). Your common, sensible umask is 022.
The calculation isn’t subtraction in the decimal sense; it’s a bitwise AND with the complement of the mask (mode & ~umask). For everyday masks like 022 and 002 you don’t need to remember that, because those masks only ever clear bits the default actually has, so digit-by-digit subtraction gives the same answer. Just do this:
- Start with the default: 666 for a file.
- Subtract the umask value (022) from it: 666 - 022 = 644. Boom. rw-r--r--.
For a directory, default is 777:
777 - 022 = 755. rwxr-xr-x.
See? The umask 022 strips the write permission from the group and others. That’s why it’s the standard, sensible default for most users. You can check your current mask any time:
umask
# Output might be: 022
Sometimes you’ll see it represented as four digits, like 0022. The first digit is for special permissions (sticky bit, setgid, setuid), which we can mostly ignore for now.
Why You Might Want to Change It
Let’s say you’re working on a project with a team where everyone needs to edit each other’s files in a shared directory. A umask of 022 gives you 644/755, meaning your teammates can read your files but not write to them. That’s not very collaborative.
In this scenario, you want a mask that leaves the group’s write bit alone. A umask of 002 is what you want:
umask 002
Now, for a new file: 666 - 002 = 664 (rw-rw-r--). The group can now write. For a directory: 777 - 002 = 775 (rwxrwxr-x). Perfect.
The Big Gotcha: It’s Inherited
Here’s the part that trips everyone up. The umask is a per-process setting: your current shell has one, and every process that shell starts (touch, mkdir, your editor) inherits a copy of it. If you run umask 002 in a terminal, it only affects files created from that terminal window. It is not a system-wide setting. This is why you’ll create a file in one window and it’s 644, and in another it’s 664, and you’ll tear your hair out wondering what’s going on.
To make it permanent, you need to stick the command (umask 002 or umask 022) in your shell’s startup file—like .bashrc or .zshrc in your home directory. Then, every new terminal session will inherit your preferred mask.
The Execute Permission Quirk
Notice I said the default for a file is 666, not 777. The system assumes you are smart enough to add the execute bit yourself with chmod if you have a script or a binary. This is why a umask of 022 or 002 will never produce an executable file by accident. You have to be explicit.
This is a rare case of the designers making a genuinely good choice. It prevents you from accidentally creating a bunch of executable text files every time you save a draft of your novel.
A Note for the Paranoid (You Should Be)
If your umask is something like 000, please, for the love of all that is holy, change it immediately. You’re creating files and directories that are wide open to the world. Check it right now. I’ll wait.
# If this returns 000, we need to have a talk.
umask
A restrictive mask like 077 (which turns 666 into 600 and 777 into 700) is also a perfectly valid choice if you’re on a multi-user system and want to ensure every new file you create is private by default. It’s a bit antisocial, but brilliantly secure.
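To tie the math, the inheritance gotcha and the 077 case together, here is an added POSIX sh example (not part of the chapter) that applies the real mode & ~umask rule, shows where the subtraction mnemonic breaks, and checks the numbers against files actually created under each mask. It assumes only mktemp and a stat that prints mode bits (GNU -c '%a' or BSD -f '%Lp').

```sh
#!/bin/sh
# Added example, not from the chapter: apply the rule the kernel uses
# (mode & ~umask) to the 666/777 defaults, show where the "subtraction"
# mnemonic breaks, and confirm the numbers against files actually created
# under a given mask. Uses POSIX sh, mktemp and stat only (assumption).

# Effective mode bits = default & ~mask, all in octal (leading 0 forces octal).
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# The digit-by-digit subtraction from the text is a mnemonic, not the rule:
# it agrees with effective_mode for 022 and 002 but not for a mask such as
# 077, which tries to clear execute bits a 666 file never had.
naive_subtract() {
    printf '%03o\n' $(( 0$1 - 0$2 ))
}

# Create one file and one directory under mask $1 in a scratch directory and
# return the mode bits the filesystem recorded, as "FILE DIR".
observed_modes() {
    scratch=$(mktemp -d) || return 1
    # The subshell keeps the mask change local, so the caller's umask survives.
    ( umask "$1"; : > "$scratch/f"; mkdir "$scratch/d" )
    f=$(stat -c '%a' "$scratch/f" 2>/dev/null || stat -f '%Lp' "$scratch/f")
    d=$(stat -c '%a' "$scratch/d" 2>/dev/null || stat -f '%Lp' "$scratch/d")
    rm -rf "$scratch"
    printf '%s %s\n' "$f" "$d"
}

# A mask set in a child process (a subshell here) never leaks back to the
# parent: this prints the parent's 022, not the child's 077.
mask_after_child() {
    umask 022
    ( umask 077 )
    umask
}

# Usage: walk the masks discussed in the text.
for m in 022 002 077 000; do
    printf 'umask %s: file %s, dir %s (observed: %s)\n' "$m" \
        "$(effective_mode 666 "$m")" "$(effective_mode 777 "$m")" "$(observed_modes "$m")"
done
```

Note that naive_subtract 666 077 yields 567, while the kernel actually produces 600; that gap is exactly why the mnemonic is only safe for masks like 022 and 002.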